Microsoft Defender offers protection, detection, investigation, and response to threats. Defender comes in multiple editions, Defender for Office 365, Defender for Endpoint, Defender for IoT, Defender for Identity, and Defender for Cloud. All Defender products can stream events in real time to Tenzir using Azure Event Hubs.
Requirements and Setup
Azure Event Hub & Kafka
To stream security events from Defender in realtime, you can use Azure Event Hub, which provides a Kafka endpoint starting at the Standard tier. Make sure to enable Kafka Surface after the Event Hub setup.
Microsoft Security Center
In Microsoft Security Center, configure Streaming under System -> Settings -> Microsoft Defender XDR -> General -> Streaming API
. Add a new Streaming API for
the target Event Hub and enable all event types that you want to collect.
Process Defender events with a pipeline
Tenzir’s Kafka integration allows for seamless consumption of
Defender events. In the following pipeline, replace all strings starting with
with the configuration values in Azure under Event Hub Namespace -> Settings -> Shared access policies -> (Your policy)
from "kafka://YOUR_EVENT_HUB_NAME", options = { "bootstrap.servers": "", "security.protocol": "SASL_SSL", "sasl.mechanism": "PLAIN", "sasl.username": "$ConnectionString", "sasl.password": "YOUR_CONNECTION_STRING" // Connection string-primary key} { read_json}
After replacing the configuration values, your pipeline may look like this:
from "kafka://tenzir-defender-event-hub", options = { "bootstrap.servers": "", "security.protocol": "SASL_SSL", "sasl.mechanism": "PLAIN", "sasl.username": "$ConnectionString", "sasl.password": "Endpoint=sb://;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=SECRET123456"} { read_json}
{ records: [ { time: "2024-12-04T13:38:20.360851", tenantId: "40431729-d276-4582-abb4-01e21c8b58fe", operationName: "Publish", category: "AdvancedHunting-IdentityLogonEvents", _TimeReceivedBySvc: "2024-12-04T13:36:26.632556", properties: { ActionType: "LogonFailed", LogonType: "Failed logon", Protocol: "Ntlm", AccountDisplayName: null, AccountUpn: null, AccountName: "elias", AccountDomain: "", AccountSid: null, AccountObjectId: null, IPAddress: null, Location: null, DeviceName: "WIN-P3MCS4024KP", OSPlatform: null, DeviceType: null, ISP: null, DestinationDeviceName: "", TargetDeviceName: null, FailureReason: "UnknownUser", Port: null, DestinationPort: null, DestinationIPAddress: null, TargetAccountDisplayName: null, AdditionalFields: { Count: "1", Category: "Initial Access", AttackTechniques: "Valid Accounts (T1078), Domain Accounts (T1078.002)", SourceAccountName: "\\elias", SourceComputerOperatingSystemType: "unknown", DestinationComputerObjectGuid: "793e9b90-9eef-4620-aaa2-442a22f81321", DestinationComputerOperatingSystem: "windows server 2022 datacenter", DestinationComputerOperatingSystemVersion: "10.0 (20348)", DestinationComputerOperatingSystemType: "windows", SourceComputerId: "computer win-p3mcs4024kp", FROM.DEVICE: "WIN-P3MCS4024KP", TO.DEVICE: "ad-test", ACTOR.DEVICE: "", }, ReportId: "3d359b95-f8d5-4dbd-a64b-7327c92d32f1", Timestamp: "2024-12-04T13:33:19.801823", Application: "Active Directory", }, Tenant: "DefaultTenant", }, ]}