I was recently asked by a customer whether we could use the Defender 365 Streaming API to send Defender 365 logs and alerts to a different Azure Subscription in a different Azure AD tenant. This came out of a mergers and acquisitions scenario, to help improve organization A’s security operations visibility into organization B’s security telemetry and alerts.
To start with, the 365 Defender Streaming API can stream the following logs and alerts from the core Defender products:
Defender for Endpoint
Defender for Office 365
Defender for Cloud Applications
Defender for Identity
You can stream all alerts, a selected subset of alerts, or alerts plus logs to the third-party SIEM of your choice via Event Hubs. You can also send these logs into a data lake using Azure Blob Storage.
You do this by entering the full Azure resource ID of the target resource, which can be found via the JSON View link on the resource’s Overview page in the Azure Subscription:
With the Azure Resource ID you can register the stream and send the selected alerts and logs to that Azure resource.
In testing, this can also be done from Org B’s 365 Defender Streaming API to Org A’s Azure Subscription and Blob Storage by using a single AAD user account for setup.
To start with, currently, without Lighthouse in play, you must use Org B’s admin account in this process, since B2B guest accounts work with portal.azure.com but do not work with security.microsoft.com. Because of this, and because the 365 Defender Streaming API is set up in security.microsoft.com, we will use a native Org B admin account to set this up.
Grant Org B’s admin Contributor access to Azure Subscription A in Org A. This will create a B2B invite; once accepted, Org B’s admin will be a guest account in Org A and can use the Azure portal. Once logged in to portal.azure.com as Org B’s admin, switch the directory to Org A’s AAD tenant.
Obtain the Azure Resource ID of the resource to which Org B’s logs and alerts will be sent.
As Admin B, go to security.microsoft.com; under Settings, open the Microsoft Defender 365 blade, then the Streaming API blade, and choose + Add a new stream. Provide a name, check Forward events to Azure Storage, and enter the Azure Resource ID of the Blob Storage account in Org A \ Sub A. Check the alerts and logs you wish to send and press Submit.
This may take 45 minutes to an hour, but alerts and logs from Org B’s 365 Defender will then be exported to Org A’s subscription and storage account.
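As an added example (not from the original post), the script below builds and validates the storage account resource ID that the Streaming API asks for, and wraps the Org A side of the guest invite and Contributor assignment in Azure CLI; every tenant, subscription, resource group, storage account and admin name is a placeholder, and the az calls only run when the script is invoked with "apply" from a session already signed in to Org A.

```shell
#!/usr/bin/env bash
# Added example, not from the original post; all names below are placeholders.
set -eu

ORG_A_SUB="00000000-0000-0000-0000-000000000000"     # placeholder subscription id
ORG_A_RG="rg-defender-ingest"                        # placeholder resource group
ORG_A_STORAGE="stdefenderorgb"                       # placeholder storage account
ORG_B_ADMIN="admin@orgb.example"                     # placeholder Org B admin

# Canonical ARM resource ID of a storage account: the value shown under the
# resource's JSON View and pasted into the Streaming API "Azure Storage" field.
storage_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Check an ID's shape before pasting it: subscription GUID, non-empty resource
# group, and a valid storage account name (3-24 lowercase letters or digits).
validate_storage_resource_id() {
  printf '%s' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$'
}

# Org A side: invite Org B's admin as a B2B guest (Graph invitations API) and
# grant Contributor on Subscription A, as in the post. Needs an Azure CLI
# session signed in to Org A; only runs when the script is invoked with "apply".
grant_orgb_admin_access() {
  az rest --method POST --url https://graph.microsoft.com/v1.0/invitations \
    --body "{\"invitedUserEmailAddress\":\"$ORG_B_ADMIN\",\"inviteRedirectUrl\":\"https://portal.azure.com\"}"
  oid=$(az ad user list --filter "mail eq '$ORG_B_ADMIN'" --query '[0].id' -o tsv)
  # Subscription scope follows the post; the --scope value is where you would
  # narrow the assignment to the resource group or storage account instead.
  az role assignment create --assignee-object-id "$oid" --assignee-principal-type User \
    --role Contributor --scope "/subscriptions/$ORG_A_SUB"
}

# Pull the real ID from ARM so it can be compared with the expected string.
fetch_storage_resource_id() {
  az storage account show --name "$ORG_A_STORAGE" --resource-group "$ORG_A_RG" \
    --subscription "$ORG_A_SUB" --query id -o tsv
}

EXPECTED_ID=$(storage_resource_id "$ORG_A_SUB" "$ORG_A_RG" "$ORG_A_STORAGE")
validate_storage_resource_id "$EXPECTED_ID"
echo "Resource ID for the Streaming API: $EXPECTED_ID"
if [ "${1:-}" = "apply" ]; then
  grant_orgb_admin_access
  [ "$(fetch_storage_resource_id)" = "$EXPECTED_ID" ] || { echo "ID mismatch" >&2; exit 1; }
fi
```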
Architecturally, you could instead send to an Event Hub for a third-party SIEM, especially if Org B does not have an Azure Subscription of its own.
You could also stream to Blob Storage or an Event Hub in Org A where Azure Data Explorer collects Org B’s security alerts and logs for forensics.
Finally, you could leverage Azure Lighthouse for Org B’s admin account rather than a B2B guest account in Org A.
I hope this helps provide some different options for moving security alerts and logs between different organizations and tooling based on security needs.