|
| 1 | +--- |
| 2 | +title: Stream Microsoft Defender for IoT cloud alerts to a partner SIEM - Microsoft Defender for IoT |
| 3 | +description: Learn how to send Microsoft Defender for IoT data on the cloud to a partner SIEM via Microsoft Sentinel and Azure Event Hubs, using Splunk as an example. |
| 4 | +ms.date: 12/26/2022 |
| 5 | +ms.topic: how-to |
| 6 | +--- |
| 7 | + |
| 8 | +# Stream Defender for IoT cloud alerts to a partner SIEM |
| 9 | + |
| 10 | +As more businesses convert OT systems to digital IT infrastructures, security operations center (SOC) teams and chief information security officers (CISOs) are increasingly responsible for handling threats from OT networks. |
| 11 | + |
| 12 | +We recommend using Microsoft Defender for IoT's out-of-the-box [data connector](../iot-solution.md) and [solution](../iot-advanced-threat-monitoring.md) to integrate with Microsoft Sentinel and bridge the gap between the IT and OT security challenge. |
| 13 | + |
| 14 | +However, if you have other security information and event management (SIEM) systems, you can also use Microsoft Sentinel to forward Defender for IoT cloud alerts on to that partner SIEM, via [Microsoft Sentinel](/azure/sentinel/) and [Azure Event Hubs](/azure/event-hubs/). |
| 15 | + |
| 16 | +While this article uses Splunk as an example, you can use the process described below with any SIEM that supports Event Hub ingestion, such as IBM QRadar. |
| 17 | + |
| 18 | +> [!IMPORTANT] |
| 19 | +> Using Event Hubs and a Log Analytics export rule may incur additional charges. For more information, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/) and [Log Data Export pricing](https://azure.microsoft.com/pricing/details/monitor/). |
| 20 | +
|
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +Before you start, you'll need the **Microsoft Defender for IoT** data connector installed in your Microsoft Sentinel instance. For more information, see [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../iot-solution.md). |
| 24 | + |
| 25 | +Also check any prerequisites for each of the procedures linked in the steps below. |
| 26 | + |
| 27 | +## Register an application in Azure Active Directory |
| 28 | + |
| 29 | +You'll need Azure Active Directory (Azure AD) defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need to create an Azure AD application with specific permissions. |
| 30 | + |
| 31 | +**To register an Azure AD application and define permissions**: |
| 32 | + |
| 33 | +1. In [Azure AD](/azure/active-directory/), register a new application. On the **Certificates & secrets** page, add a new client secret for the service principal. |
| 34 | + |
| 35 | + For more information, see [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) |
| 36 | + |
| 37 | +1. In your app's **API permissions** page, grant API permissions to read data from your app. |
| 38 | + |
| 39 | + 1. Select to add a permission and then select **Microsoft Graph** > **Application permissions** > **SecurityEvents.ReadWrite.All** > **Add permissions**. |
| 40 | + |
| 41 | + 1. Make sure that admin consent is required for your permission. |
| 42 | + |
| 43 | + For more information, see [Configure a client application to access a web API](/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api) |
| 44 | + |
| 45 | +1. From your app's **Overview** page, note the following values for your app: |
| 46 | + |
| 47 | + - **Display name** |
| 48 | + - **Application (client) ID** |
| 49 | + - **Directory (tenant) ID** |
| 50 | + |
| 51 | + |
| 52 | +1. From the **Certificates & secrets** page, note the values of your client secret **Value** and **Secret ID**. |
| 53 | + |
| 54 | +## Create an Azure event hub |
| 55 | + |
| 56 | +Create an Azure event hub to use as a bridge between Microsoft Sentinel and your partner SIEM. Start this step by creating an Azure event hub namespace, and then adding an Azure event hub. |
| 57 | + |
| 58 | +**To create your event hub namespace and event hub**: |
| 59 | + |
| 60 | +1. In Azure Event Hubs, create a new event hub namespace. In your new namespace, create a new Azure event hub. |
| 61 | + |
| 62 | + In your event hub, make sure to define the **Partition Count** and **Message Retention** settings. |
| 63 | + |
| 64 | + For more information, see [Create an event hub using the Azure portal](/azure/event-hubs/event-hubs-create). |
| 65 | + |
| 66 | +1. In your event hub namespace, select the **Access control (IAM)** page and add a new role assignment. |
| 67 | + |
| 68 | + Select to use the **Azure Event Hubs Data Receiver** role, and add the Azure AD service principle app that you'd created [earlier](#register-an-application-in-azure-active-directory) as a member. |
| 69 | + |
| 70 | + For more information, see: [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). |
| 71 | + |
| 72 | +1. In your event hub namespace's **Overview** page, make a note of the namespace's **Host name** value. |
| 73 | + |
| 74 | +1. In your event hub namespace's **Event Hubs** page, make a note of your event hub's name. |
| 75 | + |
| 76 | +## Forward Microsoft Sentinel incidents to your event hub |
| 77 | + |
| 78 | +To forward Microsoft Sentinel incidents or alerts to your event hub, create a data export rule from Azure Log Analytics. |
| 79 | + |
| 80 | +In your rule, make sure to define the following settings: |
| 81 | + |
| 82 | +- Configure the **Source** as **SecurityIncident** |
| 83 | +- Configure the **Destination** as **Event Type**, using the event hub namespace and event hub name you'd recorded earlier. |
| 84 | + |
| 85 | +For more information, see [Log Analytics workspace data export in Azure Monitor](/azure/azure-monitor/logs/logs-data-export?tabs=portal#create-or-update-a-data-export-rule). |
| 86 | + |
| 87 | +## Configure Splunk to consume Microsoft Sentinel incidents |
| 88 | + |
| 89 | +Once you have your event hub and export rule configured, configure Splunk to consume Microsoft Sentinel incidents from the event hub. |
| 90 | + |
| 91 | +1. Install the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/) app. |
| 92 | + |
| 93 | +1. In the Splunk Add-on for Microsoft Cloud Services app, add an Azure App account. |
| 94 | + |
| 95 | + 1. Enter a meaningful name for the account. |
| 96 | + 1. Enter the client ID, client secret, and tenant ID details that you'd recorded earlier. |
| 97 | + 1. Define the account class type as **Azure Public Cloud**. |
| 98 | + |
| 99 | +1. Go to the Splunk Add-on for Microsoft Cloud Services inputs, and create a new input for your Azure event hub. |
| 100 | + |
| 101 | + 1. Enter a meaningful name for your input. |
| 102 | + 1. Select the Azure App Account that you'd just created in the Splunk Add-on for Microsoft Services app. |
| 103 | + 1. Enter your event hub namespace FQDN and event hub name. |
| 104 | + |
| 105 | + Leave other settings as their defaults. |
| 106 | + |
| 107 | +Once data starts getting ingested into Splunk from your event hub, query the data by using the following value in your search field: `sourcetype="mscs:azure:eventhub"` |
| 108 | + |
| 109 | +## Next steps |
| 110 | + |
| 111 | +This article describes how to forward alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console. |
| 112 | + |
| 113 | +For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md). |
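Review bot: The API-permission step grants **SecurityEvents.ReadWrite.All** although its own text says the app only needs to "read data", and the Splunk input actually pulls from the event hub through the **Azure Event Hubs Data Receiver** role assigned in the namespace step, so the Graph permission should either be dropped to the read-only `SecurityEvents.Read.All` scope or the text should say why write access is required; the role assignment could also be scoped to the individual event hub instead of the whole namespace. Smaller points in the same hunk: "Configure the **Destination** as **Event Type**" in the export-rule list reads like a typo for **Event Hub**, since the next clause supplies an event hub namespace and name; "service principle app" should be "service principal app"; "Splunk Add-on for Microsoft Services app" in the input step should match the add-on name used everywhere else ("Microsoft Cloud Services"); the two "For more information, see [...]" lines after the app-registration and API-permission steps lack their closing periods; and the client secret **Secret ID** is recorded in the registration section but never consumed by the Splunk account configuration, which takes only the client ID, client secret and tenant ID.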