DEV Community

Sam

Using Continuous Export to Track Secure Score over Time

For a while, my team had been going about Microsoft Defender for Cloud (MDFC) the wrong way. It had been a challenge to keep clear visibility of security-centric user stories, exemptions, vulnerabilities, and regulatory compliance for my team.

After doing a bit of research, I came across a method to continuously export the data within MDFC to a Log Analytics workspace, so that anyone who wanted a dashboard overview of security posture across multiple teams could easily access a pre-configured workbook with that information.

To get all of this set up, I'll walk you step by step through the prerequisites needed to see a dashboard like this.

Step 1: Create a Log Analytics Workspace

The Resource Group may not matter to you, but if you logically group all your Log Analytics workspaces together, I would select that resource group.

Because my team is one of several teams, and because each of my teams is segregated into multiple subscriptions, I was very intentional about the way I named the instance. However, as long as you remember which workspace you're exporting the data to when it comes time in the setup instructions, the name may be arbitrary. It really comes down to how large your team is and what your organizational structure looks like.

Create the workspace!

Step 2: Check Subscriptions in Default Subscription Filter

The important thing here is knowing which subscriptions you have that need security recommendation traceability, so that when you apply the continuous export settings, you understand exactly what to select.


Step 3: Change Continuous Export Settings

Go to MDFC.

Go to Environment Settings on the left-hand side.

Use the arrows in the tenant group section to expand it and view all applicable subscriptions.


Step 4: Select Continuous Export Settings for Each Applicable Subscription

This part is important! You’ll want to have an understanding of what is needed from a security perspective.

It could be that you only need to see Regulatory Compliance over time, or perhaps you only want to see security recommendations that have changed, or resources that have become unhealthy. No matter the case, this is where you'll select these preferences on a subscription-by-subscription basis.


These preferences also depend on how security alerts are managed. It could be that your organization has a SIEM or a third-party SOC that manages security alerts. Unless you're certain that alerting thresholds have been configured properly, I'd recommend leaving the security alerts export alone. That being said, it may not matter anyway, because you'll control what you want to see on a workbook-by-workbook basis. So even if all of these settings are enabled and streamed to the analytics workspace, you can still choose what to view in Defender for Cloud.

Later in this tutorial, we'll explore two of the most popular workbooks/templates.

Step 5: Configure Streaming Settings (These Appear by Scrolling Down)

This next part is straightforward: just choose the Log Analytics Workspace that you want to send the data to!


Step 6: Save the Configuration!

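Steps 3 through 6 are portal clicks that have to be repeated for every subscription from Step 2. As an added example (not from the original post), the same continuous export expressed as a Bicep resource, so it can be deployed identically to each subscription; the workspace resource ID and automation name are placeholder parameters, and the resource type, API version, event source names and action type are the Microsoft.Security/automations schema as I know it, so confirm them against the current ARM reference before use.

```bicep
// Added example: the continuous-export automation from Steps 3-6 as code.
// Deploy into a resource group of the subscription being exported, e.g.
//   az deployment group create -g <rg> -f continuousExport.bicep \
//     -p workspaceResourceId=<workspace resource id from Step 1>

@description('Resource ID of the Log Analytics workspace created in Step 1 (placeholder, supplied at deploy time)')
param workspaceResourceId string

@description('Name of the automation; a fixed name keeps redeployments idempotent')
param automationName string = 'ExportToWorkspace'

@description('Region for the automation resource')
param location string = resourceGroup().location

// Each entry corresponds to one checkbox on the Step 4 screen. The
// "*Snapshot" sources send a periodic full snapshot, so a workbook can plot
// Secure Score even on days when nothing changed; the other sources stream
// each change as it happens. 'Alerts' is left out on purpose, following the
// post's advice for organizations whose SIEM or SOC already owns alerting.
var eventSources = [
  'SecureScores'
  'SecureScoresSnapshot'
  'SecureScoreControls'
  'SecureScoreControlsSnapshot'
  'Assessments'
  'AssessmentsSnapshot'
  'RegulatoryComplianceAssessment'
  'RegulatoryComplianceAssessmentSnapshot'
]

resource continuousExport 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: automationName
  location: location
  properties: {
    isEnabled: true
    description: 'Stream Defender for Cloud posture data to Log Analytics for the Secure Score over Time workbook'
    scopes: [
      {
        description: 'All resources in this subscription'
        scopePath: subscription().id // "/subscriptions/<id>": the subscription selected in Step 3
      }
    ]
    // No rule sets are given, so every event of each kind is exported unfiltered.
    sources: [for source in eventSources: {
      eventSource: source
    }]
    actions: [
      {
        actionType: 'Workspace' // Step 5: stream to the Log Analytics workspace
        workspaceResourceId: workspaceResourceId
      }
    ]
  }
}
```

Once deployed, the automation shows up under Environment Settings > Continuous export for that subscription exactly as if it had been saved in Step 6.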

Step 7: Viewing Workbooks!


Within Workbooks, select the template you're interested in, then select the Log Analytics Workspace that the data is being sent to, as well as the time frame.


Note: If you've just configured this, you may not see data right away. Continuous export streams new data as it is generated; it does not backfill previous historical data.

Thanks for Reading!

Thanks for reading! If you liked this article, please follow me on Medium, and let's connect on LinkedIn: https://www.linkedin.com/in/samuel-armentrout/
