Defender XDR – Cross-tenant Data Connector

Listen to this Post

After 7 hours of troubleshooting, a working cross-tenant data connector for the Defender XDR platform was successfully built. The API request couldn’t accommodate a lookback period due to issues with OData query parameters. A workaround was implemented by performing timestamp validation within the Data Collection Rule as a filter.

Workflow:

  1. The custom data connector runs every 1 minute.
  2. It collects all security alerts and incidents from Defender XDR.
  3. Results are passed to the data collection endpoint and rule.
  4. The ‘createdDateTime’ field is validated to ensure it was created within the last 1 minute.
  5. Transformations are performed to match Sentinel’s table column naming conventions.
  6. Only alerts and incidents created in the last 1 minute are ingested into custom tables ‘SecurityAlert_CL’ and ‘SecurityIncident_CL’.

GitHub: Defender XDR Cross-tenant Data Connector

You Should Know:

Here are some practical commands and codes related to the article:

1. OData Query Example:

https://api.securitycenter.microsoft.com/api/alerts?$filter=createdDateTime ge 2023-10-01T00:00:00Z
  1. Azure CLI Command to Create Data Collection Rule:
    az monitor data-collection rule create --name "MyDataCollectionRule" --resource-group "MyResourceGroup" --location "EastUS" --data-sources "[{\"kind\":\"azureMonitorLogs\",\"streams\":[\"Microsoft-SecurityAlert\",\"Microsoft-SecurityIncident\"],\"dataSourceConfiguration\":{\"createdDateTime\":\"2023-10-01T00:00:00Z\"}}]"
    

3. PowerShell Script to Ingest Data into Sentinel:

$workspaceId = "YourWorkspaceId"
$workspaceKey = "YourWorkspaceKey"
$logType = "SecurityAlert_CL"
$json = Get-Content -Path "C:\path\to\alerts.json" | ConvertFrom-Json
$json | ForEach-Object {
$body = $_ | ConvertTo-Json
Invoke-RestMethod -Uri "https://$workspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01" -Method Post -Headers @{"Authorization"="SharedKey $workspaceId:$workspaceKey"} -Body $body -ContentType "application/json"
}

4. Linux Command to Monitor Logs:

tail -f /var/log/syslog | grep "SecurityAlert"

5. Windows Command to Check Event Logs:

wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text

What Undercode Say:

The cross-tenant data connector for Defender XDR is a significant advancement in cybersecurity automation. By leveraging custom data connectors and data collection rules, organizations can efficiently manage and analyze security alerts and incidents across multiple tenants. The provided workflow and commands offer a practical approach to implementing such solutions, ensuring timely and accurate data ingestion into Sentinel. This method not only enhances security operations but also provides a scalable solution for multi-tenant environments. For further exploration, refer to the GitHub repository for detailed code and implementation guidelines.

References:

Reported By: Debac Microsoft – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

Whatsapp
TelegramFeatured Image