- Bi-directional syncing has been GA since November 2021 - my mistake not updating this page.
- "You are" to "you're" a few times
- Corrected name of Azure AD
- Removed a few instances of "SIEM"
- Corrected one instance of "Sentinel" --> "Microsoft Sentinel"
-------
cc: @bmansheim
articles/defender-for-cloud/export-to-siem.md (8 additions, 8 deletions)
@@ -43,7 +43,7 @@ Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud
When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. If you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated, but the statuses of any Microsoft Sentinel **incidents** that contain the synchronized Microsoft Sentinel alert aren't updated.
-
You can enable the preview feature **bi-directional alert synchronization** to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.
+
You can enable the **bi-directional alert synchronization** feature to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.
Learn more in [Connect alerts from Microsoft Defender for Cloud](../sentinel/connect-azure-security-center.md).
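Review bot: dropping "preview" from the bi-directional alert synchronization sentence matches the commit message, but the paragraph just above it still ends with "the statuses of any Microsoft Sentinel **incidents** that contain the synchronized Microsoft Sentinel alert aren't updated" with no qualifier, so the two adjacent paragraphs now read as contradicting each other unless the reader infers that the first describes default one-way sync and the second an opt-in feature. Suggest either ending the first paragraph with "aren't updated unless you enable bi-directional alert synchronization" or opening the second with "By default, status changes flow only from Defender for Cloud to Microsoft Sentinel alerts. You can enable ...". The example also covers only incident closure in Sentinel closing the Defender for Cloud alert; if other status changes (for example reopening) are synced too, say so, and if it is closure-only, say that instead.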
@@ -91,18 +91,18 @@ You can set up your Azure environment to support continuous export using either:
Enter the required parameters and the script performs all of the steps for you.
When the script finishes, it outputs the information you’ll use to install the solution in the SIEM platform.
-
-In the Azure portal
+
-The Azure portal
Here's an overview of the steps you'll do in the Azure portal:
1. Create an Event Hubs namespace and event hub.
2. Define a policy for the event hub with “Send” permissions.
-
3.**If you are streaming your alerts to QRadar SIEM** - Create an event hub "Listen" policy, then copy and save the connection string of the policy that you’ll use in QRadar.
+
3.**If you're streaming alerts to QRadar** - Create an event hub "Listen" policy, then copy and save the connection string of the policy that you’ll use in QRadar.
4. Create a consumer group, then copy and save the name that you’ll use in the SIEM platform.
-
5. Enable continuous export of your security alerts to the defined event hub.
-
6.**If you are streaming your alerts to QRadar SIEM** - Create a storage account, then copy and save the connection string to the account that you’ll use in QRadar.
-
7.**If you are streaming your alerts to Splunk SIEM**:
-
1. Create a Microsoft Azure Active Directory application.
+
5. Enable continuous export of security alerts to the defined event hub.
+
6.**If you're streaming alerts to QRadar** - Create a storage account, then copy and save the connection string to the account that you’ll use in QRadar.
+
7.**If you're streaming alerts to Splunk**:
+
1. Create an Azure Active Directory (AD) application.
2. Save the Tenant, App ID, and App password.
3. Give permissions to the Azure AD Application to read from the event hub you created before.
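Review bot: the rewritten items at diff lines 100 and 104 still read "3.**If you're streaming alerts to QRadar**" and "6.**If you're streaming alerts to QRadar**" with no space between the number and the bold text, so Markdown will not render them as ordered-list items; write "3. **If you're streaming alerts to QRadar**" (same for 6 and 7). Two content points while this list is being touched: steps 3, 4 and 6 tell the reader to "copy and save the connection string" for the Listen policy and for the storage account, and the Splunk sub-step says "Save the Tenant, App ID, and App password"; those values grant read access to every exported alert, so a one-line caveat to keep them in a secret store rather than a notes file, and to create the Listen policy on the single event hub rather than at namespace scope, belongs here. In the Splunk sub-steps, "App password" is the Azure AD application's client secret; using the portal's own term will save readers a search when they go to create it.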
@@ -142,7 +142,7 @@ To view the event schemas of the exported data types, visit the [Event Hubs even
## Use the Microsoft Graph Security API to stream alerts to third-party applications
-
As an alternative to Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api). No configuration is required and there are no additional costs.
+
As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api). No configuration is required and there are no additional costs.
You can use this API to stream alerts from your **entire tenant** (and data from many Microsoft Security products) into third-party SIEMs and other popular platforms:
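Review bot: "Sentinel" to "Microsoft Sentinel" is consistent with the rest of the change, but the same sentence still states "No configuration is required and there are no additional costs" without qualification, immediately before a paragraph about streaming alerts from the entire tenant into third-party SIEMs; a reader will reasonably expect some authorization step on the consuming side. Suggest narrowing it to "No configuration is required in Defender for Cloud" and linking to the Microsoft Graph Security API reference in addition to the product page, so the permissions the consuming application needs are one click away.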