
Defender for Cloud - Export Alerts and Recommendations

April 4, 2025

Hi All,

Thank you for reading one of my blogs. In the previous blogs we covered how to set up the basics of Defender for Cloud and how to connect different resources.

In this blog we are going to take a look at what we can do with the alerts and recommendations from Defender for Cloud, besides viewing them in the portal.

We can define 4 options to get notifications or to export to other services:

1. Email alerts from Defender for Cloud

2. Event Hub continuous export

3. Log Analytics workspace continuous export

4. Azure Sentinel integration (this will be my next blog)

So, let's start with the first one: how to set up email alerts from Defender for Cloud.

This can be very helpful for smaller organizations where the IT department consists of just a few people responsible for the complete IT environment.

To set this up we have to be in the environment settings at subscription level; that's the first thing to keep in mind. Email alerts leverage the accounts that have elevated access on the subscription, which is why the settings live at this level. If you use admin accounts without mailboxes, you can also enter separate mail addresses.

Here we can select who will get notifications and when they get notified. In the first box we can select the following roles at subscription level:

* Owner

* AccountAdmin

* ServiceAdmin

* Contributor

In the second box we can add any mail address you would like, for example your support mail address that feeds into your ticket system.

The last thing we have to select is when mails are sent: here we can choose High, Medium (and higher) or Low (and higher) alerts. Keep in mind that there is a maximum on the number of mails sent.

Now let's say you have a bigger environment, where you wish to have a more fine-grained solution for who gets recommendations and who gets security alerts, or you want to analyze the data or insert it into a 3rd-party service.

Here is where an Event Hub comes into play; general information about Azure Event Hubs can be found here: What is Azure Event Hubs? - a Big Data ingestion service - Azure Event Hubs | Microsoft Docs

Let's start by creating an Event Hubs namespace; this is the container in which the Event Hubs will be created. You can have multiple Event Hubs in one namespace, but that's more for the big data specialists of this world.

For this demo we are going for the Basic plan; for production workloads you want to look at the Standard plan with increased retention, Schema Registry and, for us security girls/guys, private access. The Basic plan only supports public access.

Now that the Event Hubs namespace is created, we can create the Event Hub itself.

With some basic configuration we have to do.

The last step we have to do here is create a SAS policy, so our Defender for Cloud environment can connect safely with the Manage claim.

Now let's go back to the DfC environment settings, where we select the continuous export blade.

Here we can see how fine-grained we can go: we select what types of data are sent, at what level, and what is to be included.

In this example I excluded all alerts and recommendations with the status Low and Informational, and set the secure score to only overall.

We have selected what to export; now we have to set up where to export to.

For export frequency we need streaming updates; new are the weekly snapshots of the data (preview).

So, let's go back and take a look at our Event Hub to see if the import is successful.
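To check what actually lands on the Event Hub, here is a small consumer-side filter as an added example (not part of this blog). It assumes each exported item arrives as an ARM-style JSON resource with a `type` field and a `properties` object (`properties.severity` for alerts, `properties.metadata.severity` for assessments); the sample bodies are constructed, and in a real setup they would be the event bodies read with the `azure-eventhub` consumer client.

```python
import json
from collections import defaultdict

# Reproduce the export filter from the text on the consumer side as well:
# Low and Informational are dropped, Medium and High are kept.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MIN_SEVERITY = "Medium"
# Assumed resource types of exported items (verify against your own export).
ALERT_TYPE = "microsoft.security/locations/alerts"
ASSESSMENT_TYPE = "microsoft.security/assessments"

# Constructed sample message bodies, one JSON document per Event Hub event.
SAMPLE_BODIES = [
    json.dumps({"type": "Microsoft.Security/Locations/alerts", "properties": {
        "severity": "High", "alertDisplayName": "Suspicious process executed"}}),
    json.dumps({"type": "Microsoft.Security/Locations/alerts", "properties": {
        "severity": "Low", "alertDisplayName": "Unusual sign-in location"}}),
    json.dumps({"type": "Microsoft.Security/assessments", "properties": {
        "displayName": "MFA should be enabled", "metadata": {"severity": "High"}}}),
    json.dumps({"type": "Microsoft.Security/assessments", "properties": {
        "displayName": "Enable diagnostic logs", "metadata": {"severity": "Informational"}}}),
    "{not valid json",  # a poison message must not stop the batch
]

def severity_of(item: dict) -> str:
    """Alerts carry properties.severity; assessments carry properties.metadata.severity."""
    props = item.get("properties", {})
    return props.get("severity") or props.get("metadata", {}).get("severity", "Unknown")

def keep(item: dict) -> bool:
    """Same threshold the export was configured with; unknown severities are dropped."""
    return SEVERITY_RANK.get(severity_of(item), -1) >= SEVERITY_RANK[MIN_SEVERITY]

def triage(bodies: list) -> dict:
    """Parse exported message bodies and bucket the surviving items by kind."""
    buckets = defaultdict(list)
    for body in bodies:
        try:
            item = json.loads(body)
        except json.JSONDecodeError:
            buckets["malformed"].append(body[:40])  # park it, keep processing
            continue
        kind = item.get("type", "").lower()
        if kind == ALERT_TYPE and keep(item):
            buckets["alerts"].append(item["properties"]["alertDisplayName"])
        elif kind == ASSESSMENT_TYPE and keep(item):
            buckets["recommendations"].append(item["properties"]["displayName"])
    return dict(buckets)
```

Running `triage(SAMPLE_BODIES)` keeps only the High alert and the High recommendation and parks the unparseable body under `malformed`, so a single bad event never stalls the consumer.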

But oh no, we have not 1 but 40 subscriptions, so this is not something we want to do by hand every time.

Here is the quick link on how to put the same settings into an Azure Policy to deploy this at scale: Continuous export can send Microsoft Defender for Cloud's alerts and recommendations to Log Analytics or Azure Event Hubs | Microsoft Docs

Looking at the continuous export functions for the Log Analytics workspace, they offer the same level of detail as the export to Event Hub above.

The only change is that now we have to select a workspace to save the data to.

The strength of this option is that it enables several workbooks you can select in Defender for Cloud, giving you access to very nice reports very fast.

Although you have to wait (several days) for all data to be exported to your workspace before you get a nicely filled workbook.

If you want to be creative, you can also build your own workbooks.

So that's it for now; hope to see you back when we dive into setting up Sentinel and connecting it with Defender for Cloud!
