Merge pull request #262884 from ElazarK/WI196311-export-to-SIEM

PMEds28 · web-flow · commit 1cb4befa78d2 · 2024-01-15T11:43:08.000Z
WI196311 export to siem
diff --git a/articles/defender-for-cloud/TOC.yml b/articles/defender-for-cloud/TOC.yml
@@ -400,7 +400,7 @@
           href: alerts-suppression-rules.md
         - name: Export alerts and recommendations
           items:
-            - name: Export to a SIEM, SOAR, or ITSM
+            - name: Stream alerts to monitoring solutions
               displayName: continuous, SIEM, SOAR, Splunk, QRadar, ServiceNow, ArcSight,
                 Monitor, Graph, Sentinel,
               href: export-to-siem.md
diff --git a/articles/defender-for-cloud/export-to-siem.md b/articles/defender-for-cloud/export-to-siem.md
@@ -1,49 +1,50 @@
 ---
-title: Stream your alerts from Microsoft Defender for Cloud to Security Information and Event Management (SIEM) systems and other monitoring solutions
-description: Learn how to stream your security alerts to Microsoft Sentinel, third-party SIEMs, SOAR, or ITSM solutions
+title: Stream alerts to monitoring solutions
+description: Learn how to stream your security alerts to Microsoft Sentinel, SIEMs, SOAR, or ITSM solutions.
 ms.topic: how-to
 ms.author: dacurwin
 author: dcurwin
-ms.date: 04/04/2022
+ms.date: 01/15/2024
 ---
 
-# Stream alerts to a SIEM, SOAR, or IT Service Management solution
+# Stream alerts to monitoring solutions
 
-Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM),
-Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.
-Security alerts are notifications that Defender for Cloud generates when it detects threats on your resources.
-Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem.
-Defender for Cloud also provides detailed steps to help you remediate attacks.
-Alerts data is retained for 90 days.
+Microsoft Defender for Cloud has the ability to stream security alerts into various Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions. Security alerts are generated when threats are detected on your resources. Defender for Cloud prioritizes and lists the alerts on the Alerts page, along with additional information needed to quickly investigate the problem. Detailed steps are provided to assist you to remediate the detected threat. All alerts data is retained for 90 days.
 
-There are built-in Azure tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:
+There are built-in Azure tools that are available that ensure you can view your alert data in the following solutions:
 
 - **Microsoft Sentinel**
 - **Splunk Enterprise and Splunk Cloud**
-- **IBM's QRadar**
-- **ServiceNow**
-- **ArcSight**
 - **Power BI**
+- **ServiceNow**
+- **IBM's QRadar**
 - **Palo Alto Networks**
+- **ArcSight**
 
-## Stream alerts to Microsoft Sentinel
+## Stream alerts to Defender XDR with the Defender XDR API
 
-Defender for Cloud natively integrates with Microsoft Sentinel, Azure's cloud-native SIEM and SOAR solution.
+Defender for Cloud natively integrates with [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide) allows you to use Defender XDR's incidents and alerts API to stream alerts and incidents into non-Microsoft solutions. Defender for Cloud customers can access one API for all Microsoft security products and can use this integration as an easier way to export alerts and incidents.
 
-[Learn more about Microsoft Sentinel](../sentinel/overview.md).
+Learn how to [integrate SIEM tools with Defender XDR](/microsoft-365/security/defender/configure-siem-defender?view=o365-worldwide).
+
+## Stream alerts to Microsoft Sentinel
+
+Defender for Cloud natively integrates with [Microsoft Sentinel](../sentinel/overview.md) Azure's cloud-native SIEM and SOAR solution.
 
 ### Microsoft Sentinel's connectors for Defender for Cloud
 
-Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:
+Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels. 
 
-- [Stream alerts to Microsoft Sentinel at the subscription level](../sentinel/connect-azure-security-center.md)
-- [Connect all subscriptions in your tenant to Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-security-center-auto-connect-to-sentinel/ba-p/1387539)
+You can:
 
-When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. If you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated, but the statuses of any Microsoft Sentinel **incidents** that contain the synchronized Microsoft Sentinel alert aren't updated.
+- [Stream alerts to Microsoft Sentinel at the subscription level](../sentinel/connect-azure-security-center.md).
+- [Connect all subscriptions in your tenant to Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-security-center-auto-connect-to-sentinel/ba-p/1387539).
 
-You can enable the **bi-directional alert synchronization** feature to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.
+When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. For example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. When you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated. However,the statuses of any Microsoft Sentinel **incidents** that contain the synchronized Microsoft Sentinel alert aren't updated.
 
-Learn more in [Connect alerts from Microsoft Defender for Cloud](../sentinel/connect-azure-security-center.md).
+You can enable the **bi-directional alert synchronization** feature to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of the Defender for Cloud alerts. For example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.
+
+Learn how to [connect alerts from Microsoft Defender for Cloud](../sentinel/connect-azure-security-center.md).
 
 > [!NOTE]
 > The bi-directional alert synchronization feature isn't available in the Azure Government cloud.
@@ -61,9 +62,7 @@ Another alternative for investigating Defender for Cloud alerts in Microsoft Sen
 
 ## Stream alerts to QRadar and Splunk
 
-The export of security alerts to Splunk and QRadar uses Event Hubs and a built-in connector.
-You can either use a PowerShell script or the Azure portal to set up the requirements for exporting security alerts for your subscription or tenant.
-Then you’ll need to use the procedure specific to each SIEM to install the solution in the SIEM platform.
+To export security alerts to Splunk and QRadar, you need to use Event Hubs and a built-in connector. You can either use a PowerShell script or the Azure portal to set up the requirements for exporting security alerts for your subscription or tenant. Once the requirements are in place, you need to use the procedure specific to each SIEM to install the solution in the SIEM platform.
 
 ### Prerequisites
 
@@ -72,41 +71,66 @@ Before you set up the Azure services for exporting alerts, make sure you have:
 - Azure subscription ([Create a free account](https://azure.microsoft.com/free/))
 - Azure resource group ([Create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md))
 - **Owner** role on the alerts scope (subscription, management group or tenant), or these specific permissions:
-  - Write permissions for event hubs and the Event Hub Policy
+  - Write permissions for event hubs and the Event Hubs Policy
   - Create permissions for [Microsoft Entra applications](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app), if you aren't using an existing Microsoft Entra application
   - Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExist'
   <!-- - To export to a Log Analytics workspace:
     - if it **has the SecurityCenterFree solution**, you'll need a minimum of read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`
     - if it **doesn't have the SecurityCenterFree solution**, you'll need write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action` -->
 
-### Step 1: Set up the Azure services
+### Set up the Azure services 
 
 You can set up your Azure environment to support continuous export using either:
 
-- A PowerShell script (Recommended)
+#### PowerShell script (Recommended)
+
+1. Download and run [the PowerShell script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/3rd%20party%20SIEM%20integration).
+
+1. Enter the required parameters. 
+ 
+1. Execute the script.
+
+The script performs all of the steps for you. When the script finishes, use the output to install the solution in the SIEM platform.
+
+#### Azure portal
 
-    Download and run [the PowerShell script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/3rd%20party%20SIEM%20integration).
-    Enter the required parameters and the script performs all of the steps for you.
-    When the script finishes, it outputs the information you’ll use to install the solution in the SIEM platform.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
-- The Azure portal
+1. Search for and select `Event Hubs`.
 
-    Here's an overview of the steps you'll do in the Azure portal:
+1. [Create an Event Hubs namespace and event hub](../event-hubs/event-hubs-create.md).
 
-    1. Create an Event Hubs namespace and event hub.
-    2. Define a policy for the event hub with “Send” permissions.
-    3. **If you're streaming alerts to QRadar** - Create an event hub "Listen" policy, then copy and save the connection string of the policy that you’ll use in QRadar.
-    4. Create a consumer group, then copy and save the name that you’ll use in the SIEM platform.
-    5. Enable continuous export of security alerts to the defined event hub.
-    6. **If you're streaming alerts to QRadar** - Create a storage account, then copy and save the connection string to the account that you’ll use in QRadar.
-    7. **If you're streaming alerts to Splunk**:
-        1. Create a Microsoft Entra application.
-        2. Save the Tenant, App ID, and App password.
-        3. Give permissions to the Microsoft Entra Application to read from the event hub you created before.
+1. Define a policy for the event hub with `Send` permissions.
 
-    For more detailed instructions, see [Prepare Azure resources for exporting to Splunk and QRadar](export-to-splunk-or-qradar.md).
+**If you're streaming alerts to QRadar** 
 
-### Step 2: Connect the event hub to your preferred solution using the built-in connectors
+1. Create an event hub `Listen` policy.
+
+1. Copy and save the connection string of the policy to use in QRadar.
+
+1. Create a consumer group. 
+
+1. Copy and save the name to use in the SIEM platform.
+
+1. Enable continuous export of security alerts to the defined event hub.
+
+1. Create a storage account.
+
+1. Copy and save the connection string to the account to use in QRadar.
+
+For more detailed instructions, see [Prepare Azure resources for exporting to Splunk and QRadar](export-to-splunk-or-qradar.md).
+
+**If you're streaming alerts to Splunk**:
+
+1. Create a Microsoft Entra application.
+
+1. Save the Tenant, App ID, and App password.
+
+1. Give permissions to the Microsoft Entra Application to read from the event hub you created before.
+
+For more detailed instructions, see [Prepare Azure resources for exporting to Splunk and QRadar](export-to-splunk-or-qradar.md).
+
+### Connect the event hub to your preferred solution using the built-in connectors
 
 Each SIEM platform has a tool to enable it to receive alerts from Azure Event Hubs. Install the tool for your platform to start receiving alerts.
 
@@ -117,14 +141,18 @@ Each SIEM platform has a tool to enable it to receive alerts from Azure Event Hu
 
 ## Stream alerts with continuous export
 
-To stream alerts into **ArcSight**, **SumoLogic**, **Syslog servers**, **LogRhythm**, **Logz.io Cloud Observability Platform**, and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event Hubs:
+To stream alerts into **ArcSight**, **SumoLogic**, **Syslog servers**, **LogRhythm**, **Logz.io Cloud Observability Platform**, and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event Hubs.
 
 > [!NOTE]
 > To stream alerts at the tenant level, use this Azure policy and set the scope at the root management group. You'll need permissions for the root management group as explained in [Defender for Cloud permissions](permissions.md): [Deploy export to an event hub for Microsoft Defender for Cloud alerts and recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fcdfcce10-4578-4ecd-9703-530938e4abcb).
 
-1. Enable [continuous export](continuous-export.md) to stream Defender for Cloud alerts into a dedicated event hub at the subscription level. To do this at the Management Group level using Azure Policy, see [Create continuous export automation configurations at scale](continuous-export.md?tabs=azure-policy#configure-continuous-export-at-scale-using-the-supplied-policies).
+**To stream alerts with continuous export**:
+
+1. Enable continuous export:
+    - At the [subscription level](continuous-export.md).
+    - At the [Management Group level using Azure Policy](continuous-export.md?tabs=azure-policy#configure-continuous-export-at-scale-using-the-supplied-policies).
 
-2. Connect the event hub to your preferred solution using the built-in connectors:
+1. Connect the event hub to your preferred solution using the built-in connectors:
 
     | Tool | Hosted in Azure | Description |
     |:---|:---| :---|
@@ -134,15 +162,15 @@ To stream alerts into **ArcSight**, **SumoLogic**, **Syslog servers**, **LogRhyt
     | LogRhythm | No| Instructions to set up LogRhythm to collect logs from an event hub are available [here](https://logrhythm.com/six-tips-for-securing-your-azure-cloud-environment/).
     |Logz.io | Yes | For more information, see [Getting started with monitoring and logging using Logz.io for Java apps running on Azure](/azure/developer/java/fundamentals/java-get-started-with-logzio)
 
-3. Optionally, stream the raw logs to the event hub and connect to your preferred solution. Learn more in [Monitoring data available](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md#monitoring-data-available).
+1. (Optional) Stream the raw logs to the event hub and connect to your preferred solution. Learn more in [Monitoring data available](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md#monitoring-data-available).
 
 To view the event schemas of the exported data types, visit the [Event Hubs event schemas](https://aka.ms/ASCAutomationSchemas).
 
-## Use the Microsoft Graph Security API to stream alerts to third-party applications
+## Use the Microsoft Graph Security API to stream alerts to non-Microsoft applications
 
-As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](/graph/security-concept-overview/). No configuration is required.
+Defender for Cloud's built-in integration with [Microsoft Graph Security API](/graph/security-concept-overview/) without the need of any further configuration requirements.
 
-You can use this API to stream alerts from your **entire tenant** (and data from many Microsoft Security products) into third-party SIEMs and other popular platforms:
+You can use this API to stream alerts from your **entire tenant** (and data from many Microsoft Security products) into non-Microsoft SIEMs and other popular platforms:
 
 - **Splunk Enterprise and Splunk Cloud** - [Use the Microsoft Graph Security API Add-On for Splunk](https://splunkbase.splunk.com/app/4564/)
 - **Power BI** - [Connect to the Microsoft Graph Security API in Power BI Desktop](/power-bi/connect-data/desktop-connect-graph-security).
diff --git a/articles/defender-for-cloud/export-to-splunk-or-qradar.md b/articles/defender-for-cloud/export-to-splunk-or-qradar.md
@@ -4,7 +4,7 @@ description: Learn how to configure the required Azure resources in the Azure po
 author: dcurwin
 ms.author: dacurwin
 ms.topic: how-to
-ms.date: 04/04/2022
+ms.date: 01/14/2024
 ---
 
 # Prepare Azure resources for exporting to Splunk and QRadar
@@ -132,4 +132,4 @@ To configure the Azure resources for QRadar and Splunk in the Azure portal:
 1. Search for the Microsoft Entra application you created before and select it.
 1. Select **Close**.
 
-To continue setting up export of alerts, [install the built-in connectors](export-to-siem.md#step-2-connect-the-event-hub-to-your-preferred-solution-using-the-built-in-connectors) for the SIEM you're using.
+To continue setting up export of alerts, [install the built-in connectors](export-to-siem.md#connect-the-event-hub-to-your-preferred-solution-using-the-built-in-connectors) for the SIEM you're using.
