| 1 | +--- |
| 2 | +title: Stream Microsoft Defender for IoT cloud alerts to a partner SIEM - Microsoft Defender for IoT |
| 3 | +description: Learn how to send Microsoft Defender for IoT data on the cloud to a partner SIEM via Microsoft Sentinel, using Splunk as an example. |
| 4 | +ms.date: 12/26/2022 |
| 5 | +ms.topic: how-to |
| 6 | +--- |
| 7 | + |
| 8 | +# Stream Defender for IoT cloud alerts to a partner SIEM |
| 9 | + |
| 10 | +As more businesses convert OT systems to digital IT infrastructures, security operations center (SOC) teams and chief information security officers (CISOs) are increasingly responsible for handling threats from OT networks. |
| 11 | + |
| 12 | +We recommend using Microsoft Defender for IoT's out-of-the-box [data connector](../iot-solution.md) and [solution](../iot-advanced-threat-monitoring.md) to integrate with Microsoft Sentinel and bridge the gap between the IT and OT security challenge. |
| 13 | + |
| 14 | +However, if you have other security information and event management (SIEM) systems, you can also use Microsoft Sentinel to forward Defender for IoT alerts on to that partner SIEM, via an Event Hub. |
| 15 | + |
| 16 | +This article describes how to use Microsoft Sentinel to forward Defender for IoT alert data on to partner SIEMs. While this article uses Splunk as an example, you can use this process with any SIEM that supports Event Hub ingestion, such as IBM QRadar. |
| 17 | + |
| 18 | +> [!IMPORTANT] |
| 19 | +> Using Event Hub and a Log Analytics export rule may incur additional charges. For more information, see Event Hubs pricing and Log Data Export pricing |
| 20 | +
|
| 21 | +> [!TIP] |
| 22 | +> This process described in this article supports alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console. For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md). |
| 23 | +
|
| 24 | +## Prerequisites |
| 25 | + |
| 26 | +Before you start, you'll need the **Microsoft Defender for IoT** data connector installed in your Microsoft Sentinel instance. |
| 27 | + |
| 28 | +For more information, see [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../iot-solution.md). |
| 29 | + |
| 30 | +<!--permissions?--> |
| 31 | + |
| 32 | +## Register an application in Azure Active Directory |
| 33 | + |
| 34 | +You'll need Azure Active Directory (Azure AD) to defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need an Azure AD application with specific permissions. |
| 35 | + |
| 36 | +**To register an Azure AD application and define permissions**: |
| 37 | + |
| 38 | +1. In [Azure AD](/azure/active-directory/), register a new application and add a new client secret for the service principal. |
| 39 | + |
| 40 | + For more information, see [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) |
| 41 | + |
| 42 | +1. In your app's **API permissions** page, grant API permissions to read data from your app. |
| 43 | + |
| 44 | + 1. Select to add a permission and then select **Microsoft Graph** > **Application permissions** > **SecurityEvents.ReadWrite.All**. |
| 45 | + |
| 46 | + 1. Make sure that admin consent is required for your permissions. |
| 47 | + |
| 48 | + For more information, see [Configure a client application to access a web API](/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api) |
| 49 | + |
| 50 | +1. From your app's **Overview** and **Certificates & secrets** pages, note the following values for your app: |
| 51 | + |
| 52 | + - Display name |
| 53 | + - Application (Client) ID |
| 54 | + - Application (Client) secret |
| 55 | + - Directory (tenant) ID |
| 56 | + |
| 57 | + |
| 58 | +## Create an Azure Event Hub |
| 59 | + |
| 60 | +Create an Azure Event Hub to use as a bridge between Microsoft Sentinel and your partner SIEM. Start this step by creating an Azure Event Hub namespace, and then adding an Azure Event Hub. |
| 61 | + |
| 62 | +**To create your Event Hub namespace and Event Hub**: |
| 63 | + |
| 64 | + |
| 65 | +1. In Azure Event Hubs, create a new Event Hubs namespace and then create an Azure event hub within the namespace. |
| 66 | + |
| 67 | + Make sure to define the **Partition Count** and **Message Retention** settings. |
| 68 | + |
| 69 | + For more information, see [Create an event hub using the Azure portal](/azure/event-hubs/event-hubs-create). |
| 70 | + |
| 71 | +1. In your Event Hubs namespace, select the **Access control (IAM)** page and add a new role assignment. Add the Azure AD service principle that you'd created earlier, and define the delegate as **Azure Event Hubs Data Receiver**. |
| 72 | + |
| 73 | + For more information, see: |
| 74 | + |
| 75 | +1. In your Event Hubs namespace, make a note of the following values: |
| 76 | + |
| 77 | + - Host name |
| 78 | + - Azure Event Hub name |
| 79 | + |
| 80 | +## Forward Microsoft Sentinel incidents to your Event Hub |
| 81 | + |
| 82 | +To forward Microsoft Sentinel incidents or alerts to Azure Event Hub, you’ll need to define your Microsoft Sentinel workspace with a data export rule. |
| 83 | + |
| 84 | + |
| 85 | +In the Azure Portal, navigate to Log Analytics > select the workspace name related to Microsoft Sentinel > Data Export > New export rule. |
| 86 | +thumbnail image 8 of blog post titled |
| 87 | + |
| 88 | +Name the rule, configure the Source as SecurityIncident and the Destination as Event Type utilizing the Event Hub Namespace and Event Hub Name configured previously. Click on Create. |
| 89 | +thumbnail image 9 of blog post titled |
| 90 | + |
| 91 | +## Configure Splunk to consume Microsoft Sentinel incidents |
| 92 | + |
| 93 | + |
| 94 | +5. Configure Splunk to consume Microsoft Sentinel Incidents from Azure Event Hub |
| 95 | +For Microsoft Defender for IoT alerts to be ingested into Azure Event Hub, install the Splunk Add-on for Microsoft Cloud Services app. |
| 96 | + |
| 97 | + |
| 98 | +For the installation, open the Splunk portal and navigate to Apps > Find More Apps. For the dashboard find the Splunk Add-on for Microsoft Cloud Services app and Install. |
| 99 | +thumbnail image 10 of blog post titled |
| 100 | + |
| 101 | +To add the Azure AD Service Principal, open the Splunk app and navigate to Azure App Account > Add. Use the details you’d noted earlier: |
| 102 | +Define a Name for the Azure App Account |
| 103 | + |
| 104 | +Add the Client ID, Client Secret, Tenant ID |
| 105 | + |
| 106 | +Choose Azure Public Cloud as Account Class Type |
| 107 | + |
| 108 | +Click Update to save and close the configuration. |
| 109 | +thumbnail image 11 of blog post titled |
| 110 | + |
| 111 | +Now navigate to Inputs within the Splunk Add-on for Microsoft Cloud Services app and select Azure Event Hub in Create New Input selection. |
| 112 | + |
| 113 | +Define a Name for the Azure Event Hub as Input, select the Azure App Account created before, define the Event Hub Namespace (FQDN), Event Hub Name, let the other settings as default and click Update to save and close the configuration. |
| 114 | +thumbnail image 12 of blog post titled |
| 115 | + |
| 116 | +Once the ingestion is processed, you can query the data by using sourcetype="mscs:azure:eventhub" in search field. |
| 117 | +thumbnail image 13 of blog post titled |
| 118 | + |
| 119 | + |
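Review bot: the "Register an application" step grants the Microsoft Graph application permission `SecurityEvents.ReadWrite.All`, but the only thing the service principal does in the rest of this procedure is consume messages from the Event Hub under the `Azure Event Hubs Data Receiver` role; either explain why a write scope on security events is required for a read-only consumer, or drop the Graph permission so the principal stays least-privilege. The Event Hub IAM step has a dangling `For more information, see:` with no link after it, and "service principle ... define the delegate as" should read "service principal" and "assign the role". The "Forward Microsoft Sentinel incidents" section says "incidents or alerts" but the export rule only selects `SecurityIncident`, so state plainly what the partner SIEM will receive, and "Destination as Event Type" looks like it should say "Event Hub" given the namespace and hub name that follow. Draft residue to clean up before merge: the `<!--permissions?-->` comment, the repeated `thumbnail image N of blog post titled` lines (pasted alt text that should become real image references or be removed), and the stray `5. Configure Splunk to consume Microsoft Sentinel Incidents from Azure Event Hub` line that duplicates the H2 directly above it. Minor wording: "to defined as a service principal", "let the other settings as default" (leave), and the IMPORTANT note ends without a period and without links for the two pricing pages it names.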