Onboard a Single Subscription with Microsoft Defender for Cloud

Microsoft Defender for Cloud - A defender pictured as a knight with a shield defending against technology threats and badguys!
Andrew Posted on 7:15 am

Onboard a Single Subscription with Microsoft Defender for Cloud

In today’s post we will look at a targeted way to harness the full potential of your Azure security by integrating Microsoft Defender for Cloud with Microsoft Sentinel. This powerful combination allows for advanced threat detection, seamless monitoring, and a unified view of your security posture. We want to select our Sentinel data connectors while being thoughtful. The Microsoft Defender XDR data connector is the modern connector version that we should all use in most cases; but the legacy connector is useful when we have only specific subscriptions that we want to bring into Sentinel. The older, legacy connector, requires the manual selection of the subscriptions to include in the data ingestion; it is the perfect solution if you have a tenant that you only want 2 of the many subscriptions provisioned.

In this post, we’ll walk through onboarding a single subscription using the Legacy Microsoft Defender for Cloud data connector in Microsoft Sentinel. We’ll take a look at setup, tuning instructions, and steps to add analytics rules that trigger on that new data.

Prerequisites

Before we dive in, ensure you have the following:

  • An active Azure subscription with appropriate permissions (Security Admin or higher).
  • Microsoft Defender for Cloud enabled on the subscription you wish to onboard.
  • A Log Analytics workspace connected to Microsoft Sentinel.
  • Access to the Azure Portal.

Step 1: Onboard Your Subscription to Microsoft Defender for Cloud

The foundation of your security setup begins with Microsoft Defender for Cloud. By properly onboarding your subscription, you activate a suite of security services designed to protect your Azure resources. This step ensures that Defender for Cloud is primed to work seamlessly with Microsoft Sentinel. Ensure you enable the correct plans for your needs: Storage, Kubernetes, etc.

1. Access Microsoft Defender for Cloud

  • Log in to the Azure Portal.
  • In the search bar at the top, type Microsoft Defender for Cloud and select it from the results.

2. Enable Defender Plans

  • In the Get started or Environment settings section, locate your subscription.
  • Select your subscription to configure the Defender plans.
  • Ensure that the necessary protection plans are enabled (e.g., Servers, App Service, SQL servers).
  • Click Save to apply the changes.

3. Verify Security Policies

  • Navigate to Security policy in the Defender for Cloud menu.
  • Confirm that the security policies are assigned and compliant with your organizational standards.

By completing this step, you’ve activated critical security services that will feed valuable data into Microsoft Sentinel. This forms the bedrock of your threat detection and response capabilities.

Step 2: Configure the Legacy Microsoft Defender for Cloud Data Connector in Microsoft Sentinel

Now that Defender for Cloud is set up, it’s time to integrate it with Microsoft Sentinel!

Using the legacy data connector bridges the two services, allowing you to harness Sentinel’s powerful analytics and incident management features. This integration is key to gaining centralized visibility over your security posture.

Why The Legacy Connector?

We want to select our Sentinel data connectors while being thoughtful. The Microsoft Defender XDR data connector is the modern version that we should all use in most cases. The legacy connector is useful when we have only specific subscriptions that we want to bring into Sentinel. The older, legacy connector, requires the manual selection of the subscriptions to include in the data ingestion; so it is not efficient for a large-scale tenant. It is the perfect solution if you have a tenant that you only want 2 of the many subscriptions provisioned.

1. Open Microsoft Sentinel

  • In the Azure Portal, search for Microsoft Sentinel and select it.
  • Choose the Log Analytics workspace you wish to use.

2. Navigate to Data Connectors

  • In the Microsoft Sentinel workspace, select Data connectors from the left-hand menu.
  • Search for Microsoft Defender for Cloud Legacy in the list.
  • Fun Fact: The legacy name MDC’s predecessor was Azure Security Center.

3. Set Up the Data Connector

  • Click on the Legacy data connector.
  • On the connector page, under Configuration, you’ll see Connect options.
  • Ensure that your subscription is listed and select it to enable the connection.
  • Only select the required subscription(s) in this case. If you want to add all your MDC subscriptions and data use the Microsoft Defender XDR data connector!

4. Enable Continuous Export (If Not Already Configured)

  • In the connector configuration, check if Continuous export is enabled.
  • If not, go back to Microsoft Defender for Cloud:
    • Navigate to Environment settings and select your subscription.
    • Under Continuous export, click + Add export rule.
    • Configure the export settings to send data to your Sentinel enabled Log Analytics workspace.

Integrating the data connector ensures that all relevant security data flows into Microsoft Sentinel, enabling real-time analysis and alerting.

Step 3: Detailed Setup and Tuning Instructions

Fine-tuning your setup is important for effective threat detection and efficient resource utilization. By carefully selecting what data to collect and how to manage it, you reduce noise and focus on what’s most important. This step will help you optimize your configuration for peak performance. It also helps to optimize your storage costs and Sentinel compute / analysis costs as your environment grows.

1. Fine-Tune Data Collection

  • Select Data Types: Decide which data types you need:
    • Security Alerts: Critical for threat detection.
    • Recommendations: Helpful for identifying potential vulnerabilities.
  • Filter Unnecessary Data: Exclude irrelevant data to reduce clutter and storage costs.
  • Set Export Frequency: Choose between:
    • Streaming: Real-time data export for immediate analysis.
    • Snapshot: Periodic data export at defined intervals.

2. Configure Log Analytics Workspace Settings

  • In your Log Analytics workspace, navigate to Advanced settings.
  • Under Data, confirm that the tables for SecurityAlert and SecurityRecommendation are enabled.
  • Adjust data collection settings to align with your compliance and retention policies.

3. Validate the Data Flow

  • Go back to Microsoft Sentinel and open Logs.
  • Run a simple query to verify data ingestion: SecurityAlert | where TimeGenerated >= ago(1h)
  • Confirm that data appears, indicating successful ingestion of alerts.

4. Optimize Data Retention and Storage

  • Adjust the Retention settings in your Log Analytics workspace to balance cost with compliance requirements.
  • Consider enabling Archive tiers or using Azure Data Explorer for long-term storage solutions.

By tuning these settings, you’re ensuring that your security operations center (SOC) can focus on actionable insights without being overwhelmed by unnecessary data.

Step 4: Add Analytics Rules to Trigger on This Data

Creating tailored analytics rules is where Microsoft Sentinel truly shines. These rules enable you to detect threats specific to your environment and respond proactively. In this step, we’ll craft rules that leverage the data from Defender for Cloud to enhance your security monitoring.

1. Create a New Analytics Rule

  • In Microsoft Sentinel, click on Analytics.
  • Click + Create and select Scheduled query rule.

2. Rule Configuration

Rule 1: High-Severity Alerts Notification

High-severity alerts demand immediate attention. This rule ensures that when a critical threat is detected, your team is promptly notified to take action.

  • Name: High-Severity Defender for Cloud Alerts
  • Description: Notifies when a high-severity alert is generated.
  • Tactics: Select relevant MITRE ATT&CK tactics (e.g., Execution, Privilege Escalation).
  • Severity: High
Rule Logic
  • Query:
  • SecurityAlert | where ProductName == "Azure Security Center" | where Severity == "High"
  • Schedule:
    • Run query every: 5 minutes
    • Lookup data from the last: 10 minutes
    • Choose the schedule and lookup times that match your own requirements and needs.
Actions
  • Alert threshold: Generate an alert for each matching event.
  • Incident settings: Configure incident creation and alert grouping as per your incident management process.

Rule 2: Multiple Medium-Severity Alerts Detection

Sometimes, the frequency of medium-severity alerts can indicate a larger issue. This rule helps identify patterns that might signify a coordinated attack or widespread vulnerability exploitation.

  • Name: Multiple Medium-Severity Alerts in 1 Hour
  • Description: Detects when multiple medium-severity alerts occur within an hour on the same resource.
  • Tactics: Select relevant MITRE ATT&CK tactics.
  • Severity: Medium
Rule Logic
  • Query:
  • SecurityAlert | where ProductName == "Azure Security Center" | where Severity == "Medium" | where TimeGenerated >= ago(1h) | summarize AlertCount = count() by ResourceId | where AlertCount >= 5
  • Schedule:
    • Run query every: 15 minutes
    • Lookup data from the last: 60 minutes
    • Again, ensure you select the right settings for your own environment. Some SOC teams may run queries at different intervals such as every 4 hours instead of this more frequent setting.
Actions
  • Alert threshold: Generate an alert when the count exceeds 5 within the specified timeframe.
  • Incident settings: Decide how these alerts are grouped to streamline incident response.

3. Review and Create

Thoroughly reviewing your rule configurations ensures they operate as intended and align with your security policies.

  • Rule Query Results: Use the Query results preview to validate the output.
  • Review Settings: Double-check all configurations, including scheduling and actions.
  • Click Create to activate the rules.

With these analytics rules in place, Microsoft Sentinel will proactively monitor for defined threat patterns and alert your team accordingly.

Additional Tips and Best Practices

Optimizing your security operations involves continuous improvement and staying informed about best practices. Here are some additional recommendations to enhance your setup and stay ahead of potential threats.

Monitor and Adjust

  • Regular Reviews: Schedule periodic assessments of your analytics rules’ effectiveness.
  • Threshold Tuning: Adjust thresholds based on alert volume and relevance to minimize false positives.
  • Feedback Loop: Incorporate feedback from your SOC team to refine detection logic.

Leverage Workbooks

  • Visual Insights: Utilize Workbooks for interactive dashboards and reports.
    • This functionality is really under-utilized in production SOCs. I encourage every reader of this article to go and experiment with Workbooks if you are not familiar with them!
  • Customization: Tailor existing templates or build custom views to highlight key metrics.
  • Collaboration: Share workbooks with team members to promote a unified understanding of security posture.

Automate Responses

  • Playbooks: Create automated Playbooks using Azure Logic Apps to respond to alerts.
  • Examples:
    • Send email or SMS notifications to relevant personnel.
    • Create tickets in an IT service management system.
    • Trigger remediation scripts to address known issues.

Stay Informed

  • Azure Updates: Subscribe to Azure updates for the latest features and improvements.
  • Community Engagement: Participate in forums and user groups to share knowledge and learn from peers.
  • Continuous Learning: Invest in training and certifications to deepen your understanding of Azure security services.

Conclusion

Integrating Microsoft Defender for Cloud with Microsoft Sentinel using the Legacy data connector significantly enhances your organization’s security capabilities. This powerful combination provides comprehensive visibility, advanced threat detection, and streamlined incident response.

By following this guide, you’ve set up a robust system tailored to your environment’s needs. Remember, the cybersecurity landscape is ever-evolving. Continuously monitoring, adjusting, and optimizing your configurations will ensure that you remain resilient against emerging threats.

Take your journey with Sentinel and Defender for Cloud further:

  • Advanced Hunting: Dive deeper with Kusto Query Language (KQL) for custom threat hunting scenarios.
  • Integration with Other Services: Expand your security footprint by integrating with services like Microsoft 365 Defender or Azure Defender for IoT.
  • Training Resources: Consider official Microsoft training courses to enhance your team’s skills. I love the resources at https://learn.microsoft.com.

Empower your security operations with the full capabilities of Microsoft’s security tools. Stay vigilant, stay secure!