To send Microsoft Defender logs (Defender for Endpoint or any other Defender data) to LimaCharlie, you will need to go through the following steps:

  • Create an Event Hub in Azure

  • Enable Microsoft Insights

  • Enable export of Defender data to Azure Event Hub

  • Run the LimaCharlie Adapter

This step-by-step guide is based on the official Microsoft documentation and the LimaCharlie Adapter documentation.

As a result of this process, you should see two kinds of sensors:

  • A single "msdefender" type sensor containing all the Defender data that is not Device specific (email attachment security, etc.).

  • Multiple "msdefender" type sensors, one for each Device (from Defender for Endpoint) managed in Defender (if any).

Creating an Azure Event Hub

Sign in to your Azure Portal.

Click on the "Event Hubs" service at the top of the page.

Click the "Create" button at the top left of the page.

Select a Subscription and Resource group (or create it if needed).

Enter a namespace name, then select a location and a pricing tier.

Click "Review + create".

Click on the newly created Namespace to expand it, then click on the "Event Hubs" item under the "Entities" part of the menu.

Click on the "+ Event hub" button.

Give the new Hub a name and click the "Create" button.

Back in the namespace view, click on the "Properties" element under the "Settings" section.

Copy the "Resource ID" field displayed. This is the namespace's ID (it ends in /namespaces/your-namespace, not /eventhubs/your-hub); you will need it when enabling the Defender export.

Click on the "Shared access policies" element under the "Settings" section.

Click on the "RootManageSharedAccessKey" policy. Note that this policy carries Manage, Send and Listen rights; the Adapter only reads from the hub, so a dedicated policy with only the "Listen" claim is the least-privilege choice if you prefer to create one.

Copy the "Connection string-primary key" value; you will need it as the "connection_string" when configuring your Adapter.

Enable Microsoft Insights

In your Azure Portal, navigate to Subscriptions > Your subscription > Resource providers, find "Microsoft.Insights" and click "Register".

Enable Defender Export

In the Microsoft 365 Defender portal, navigate to Settings > Microsoft 365 Defender > Streaming API.

Click on the "+ Add" button, name your export and select the "Forward events to Event Hub" option.

Paste the namespace Resource ID you copied earlier into the "Event-Hub Resource ID" field.

Enter the name of the hub you previously created in the "Event-Hub name" field.

Finally, select all the event types you would like to send to LimaCharlie.

Click "Submit".

Run the LimaCharlie Adapter

In the LimaCharlie web interface, click the "+ Add Sensor" button.

Select the Microsoft Defender option.

Select an Installation Key, or create one.

Select the platform on which you want to run the Adapter.

Download the Adapter to your workstation, or to the server on which you want to run it.

Select the collection method for Defender logs.

Enter a "sensor_name" for this sensor. This will be the sensor hostname for Defender data that is not Device specific.

Enter the "connection_string" you copied when you created the Event Hub. Then append ";EntityPath=your-hub-name" to the end of the string (without the quotes, with the semicolon at the beginning, and with your-hub-name replaced by the name of the hub you created).

Copy the command line given to you and execute the Adapter with it.

Your Defender sensor should appear within a few seconds.
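The two values that are easiest to get wrong in this procedure are the connection string pasted into the Adapter (the EntityPath suffix) and the Resource ID pasted into the Streaming API (which must be the namespace's ID, not the hub's). The following script checks both before you submit them. It is an added example written for this guide, not LimaCharlie or Microsoft code; the namespace, hub name, resource group, subscription ID and key in it are constructed placeholders. It relies only on the standard Azure Event Hubs connection string layout (Endpoint=...;SharedAccessKeyName=...;SharedAccessKey=..., with an optional EntityPath segment) and the standard Azure resource ID shape.

```python
"""Sanity-check the Event Hub values used by the Defender-to-LimaCharlie setup.

Added example for this guide; not LimaCharlie or Microsoft code.  All names,
IDs and the key below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

REQUIRED_PARTS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

# Constructed sample of a namespace-level "Connection string-primary key" as
# copied from the portal; the key is a placeholder, not a real secret.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://lc-defender-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;"
    "SharedAccessKey=AAAAplaceholderkey000000000000000000000000="
)
SAMPLE_HUB_NAME = "defender-hub"
SAMPLE_NAMESPACE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lc-rg"
    "/providers/Microsoft.EventHub/namespaces/lc-defender-ns"
)

# Shape of a namespace Resource ID, which is what the Streaming API field takes.
# A hub-level ID carries an extra /eventhubs/<hub> suffix and does not match.
_NAMESPACE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.EventHub/namespaces/[^/]+$",
    re.IGNORECASE,
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict, preserving segment order.

    Values can contain '=' themselves (base64 keys end with padding), so each
    segment is split on its first '=' only.
    """
    parts = {}
    for segment in conn.strip().strip(";").split(";"):
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment (expected Key=Value): {segment!r}")
        key, value = segment.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def adapter_connection_string(conn: str, hub_name: str) -> str:
    """Return the value to paste into the Adapter's connection_string field.

    Appends EntityPath=<hub_name> to a namespace-level string, leaves a string
    that already names that hub unchanged, and refuses one scoped to a
    different hub (the Adapter would otherwise read the wrong hub).
    """
    parts = parse_connection_string(conn)
    missing = [k for k in REQUIRED_PARTS if k not in parts]
    if missing:
        raise ValueError(f"connection string is missing {missing}")
    endpoint = urlparse(parts["Endpoint"])
    host = endpoint.hostname or ""
    if endpoint.scheme != "sb" or not host.endswith(".servicebus.windows.net"):
        raise ValueError(f"unexpected Endpoint: {parts['Endpoint']!r}")
    existing = parts.get("EntityPath")
    if existing is not None and existing != hub_name:
        raise ValueError(f"string is already scoped to hub {existing!r}, not {hub_name!r}")
    parts["EntityPath"] = hub_name
    return ";".join(f"{k}={v}" for k, v in parts.items())


def policy_warnings(conn: str) -> list:
    """Least-privilege check on the shared access policy behind the string."""
    parts = parse_connection_string(conn)
    warnings = []
    if parts.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        warnings.append(
            "RootManageSharedAccessKey carries Manage, Send and Listen rights; "
            "the Adapter only reads, so prefer a dedicated policy with the Listen claim only"
        )
    return warnings


def is_namespace_resource_id(resource_id: str) -> bool:
    """True if the ID is a namespace ID, the form the 'Event-Hub Resource ID' field expects."""
    return _NAMESPACE_ID_RE.match(resource_id.strip()) is not None


if __name__ == "__main__":
    print(adapter_connection_string(SAMPLE_CONNECTION_STRING, SAMPLE_HUB_NAME))
    for warning in policy_warnings(SAMPLE_CONNECTION_STRING):
        print("warning:", warning)
    print("namespace resource id:", is_namespace_resource_id(SAMPLE_NAMESPACE_RESOURCE_ID))
```

Run it with your own copied connection string and hub name in place of the placeholders; the printed string is the exact value to paste into the Adapter's "connection_string" field, and a False result from the Resource ID check means you copied the hub's ID instead of the namespace's.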
