Accenture MDR Quick Start Guide for Microsoft® Defender Advanced Threat Hunting- MSAzureStorage
- KS
- KM (Unlicensed)
This collector is available only for Advanced Endpoint Response service customers only.
Â
This quick start guide will help Accenture MDR customers configure Microsoft® Defender Advanced Threat Hunting to allow log collection from the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
LCP | Azure Blob storage/Event Hub | 443(https) | Default port |
Configuring Microsoft Defender Advanced Threat Hunting
Prerequisites
An Azure subscription that you can sign in to.
A user who's a Global Administrator or Microsoft Defender Advanced Threat Hunting AdministratorÂ
Azure Storage Account to store the logs or an Event Hub to stream the logs.Â
Log in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights
Reference URLs
How to create storage account?
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal
How to configure Event Hub?
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create
Â
Device Configuration Steps:
Log in to Microsoft Defender for Endpoint portal as a Global Administrator or Security Administrator.
2. Go to Data export settings page on Microsoft Defender Security Center.
3. Click on Add data export settings.
4. Choose a name for your new settings.
5. As per customer requirement, either you can store logs in Storage Account or stream the logs to Event Hub. MxDR supports log collection from both the options
Â
a) Archive to a storage account
Choose Forward events to Azure Storage.
Type your Storage Account Resource ID. In order to get your Storage Account Resource ID, go to your Storage account page on Azure portal > properties tab > copy the text under Storage account resource ID:
Choose the events you want to stream and click Save.
The schema of the events in the Storage account
A blob container will be created for each event type:
The schema of each row in a blob is the following JSON:
{
"time": "<The time WDATP received the event>"
"tenantId": "<Your tenant ID>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}Each blob contains multiple rows.
Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview.
In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well. See Device Groups for more information.
Â
b) Stream logs to an event hub
Choose Forward events to Azure Event Hubs.
Type your Event Hubs name and your Event Hubs resource ID.
In order to get your Event Hubs resource ID, go to your Azure Event Hubs namespace page on Azure > properties tab > copy the text under Resource ID:
Choose the events you want to stream and click Save.
The schema of the events in Azure Event Hubs
{
"records": [
{
"time": "<The time WDATP received the event>"
"tenantId": "<The Id of the tenant that the event belongs to>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}
...
]
}Each event hub message in Azure Event Hubs contains list of records.
Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview.
In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well. See Device Groups for more information.
LCP Configuration Parameters
Table 1-2: The Microsoft Defender Advanced Threat Hunting event collector (API – 3947) properties to be configured by MDR are shown in the table.
Property | Value If Using EventHub | Value If Using Storage |
|---|---|---|
Logging Source | Select EventHub | Select Storage |
eventHubConnectionString | Event hub connection string | N/A (keep blank) |
consumerGroupName | Optional and used if consumer Group is other than default | N/A (keep blank) |
Account Key | Access Key to access storage account | Access Key to access storage account |
Blob Container | Storage blob Container name | Storage blob Container name |
Storage Account Name | Azure storage account name | Azure storage account name |
Subscription | Set Eventhub name | Subscription ID that customer wants to be monitored |
initialReadPolicy | N/A (keep default selection) | Select Beginning to start reading from beginning and End to start reading logs from the end |
Note: In case of EventHub logging source, storage Account Key/SAS Token, Blob Container, and Storage Account Name are required because the marker for the event hub gets stored in the storage account.
Note:Â In case of Storage logging source, for each blob container created under storage account there should be separate sensor configuration created in the Log collection platform.
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.