
azure - Defender for Cloud - continuous export to Event Hub uneventful - Stack Overflow

Has anyone been able to successfully send events to an Event Hub for Defender for Cloud? (https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export#set-up-continuous-export-in-the-azure-portal-1)

I configured this days ago, but I have yet to receive a single event (I am monitoring my Event Hub ingress). I ticked all boxes for events to receive, in a streaming fashion ("Streaming updates" tickbox). It is my test tenant, and I am Owner on everything; everything saves and configures just fine, and I cannot find any errors.

I didn't tick "Export as a trusted service" because I don't need that extra security measure; my Event Hub isn't behind a firewall.

To generate security alerts (one of the events that should be exported) I made use of the sample alert functionality (https://learn.microsoft.com/en-us/azure/defender-for-cloud/alert-validation#generate-sample-security-alerts). I generated those after I configured the continuous export to Event Hub.

I also created a Function App with TLS 1.0 after setting up the export. This should yield a recommendation, which should also be exported. I am aware that, for recommendations, it can take day(s) to receive events, as stated here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-general#why-are-recommendations-sent-at-different-intervals-. But that should not be the case for security alerts.

asked Mar 14 at 19:29 by r3verse, edited Mar 16 at 7:33
  • Ensure that the Event Hub has the correct role assignments. The "Azure Event Hubs Data Sender" role should be assigned to the "Windows Azure Security Resource Provider" for the Event Hub namespace. – Sampath, Mar 17 at 3:33
  • @Sampath thanks, but I did that, even though it's not required when you untick the trusted service box. – r3verse, Mar 17 at 5:06
  • I have export to Workspace for recommendations and an automation flow for my alerts, but I have not tried Event Hub. Maybe you could try switching it to a Log Analytics Workspace and see if your events and recommendations show up there. If they do, it might be some issue connecting to the Event Hub. Double-check your Event Hub so that networking is set to public access or so. – JohanSellberg, Mar 17 at 10:31
  • @JohanSellberg thanks Johan, Log Analytics is already something I have configured, and that works fine. I double-checked your suggestion and everything is configured accordingly. – r3verse, Mar 17 at 10:43

1 Answer

Score: 1, +100 bounty

I was able to reproduce your scenario. From what I can deduce, the sample alerts do not stream into Event Hub. I will look into why this is the case. However, to test this, I recommend that you trigger an actual alert from your machine.

  1. You will need to create a folder on the C: drive named C:\test-MDATP-test\invoice.exe

  2. Launch cmd as administrator, then execute the below:

     ```cmd
     REM Runs from an elevated cmd prompt. The leading "powershell.exe -NoExit -ExecutionPolicy Bypass -"
     REM was lost when this page was extracted and has been restored so the one-liner actually runs.
     REM It downloads from the local loopback (nothing real is fetched) and launches the dropped file,
     REM which is what the Defender for Endpoint detection test keys on.
     powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'
     ```

  3. The cmd screen will disappear, and an alert will be created in MDC and streamed to Event Hub.

Note: If you have MDE, you'll need to ensure that the connection between MDE and MDC is properly set up:

Ensure Endpoint protection is set to On (not Partial) under MDS. You can find this under Home > Microsoft Defender for Cloud > Environment settings > Your subscription > Defender plans > Servers > Settings > Endpoint protection.

Source: https://learn.microsoft.com/en-gb/azure/defender-for-cloud/alert-validation#simulate-alerts-on-your-azure-vms-windows
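The comments on the question list two things to verify on the Event Hubs side (the Data Sender role assignment for the "Windows Azure Security Resource Provider" principal, and namespace networking), and the asker confirms ingress by watching the Event Hub's incoming-message metric. The script below, added here as an illustration and not part of the original question or answer, runs those checks in one go and can be re-run a few minutes after triggering the simulated alert from the answer to see whether anything landed. It assumes an existing Connect-AzAccount session with the Az.EventHub, Az.Resources and Az.Monitor modules installed; the resource group and namespace names are placeholders, and the TrustedServiceAccessEnabled property assumes a recent Az.EventHub.

```powershell
# Added example, not from the original post. Placeholders: replace with your own names.
$rg     = 'rg-mdc-export'     # assumption: resource group holding the namespace
$nsName = 'ehns-mdc-export'   # assumption: Event Hubs namespace name

$ns = Get-AzEventHubNamespace -ResourceGroupName $rg -Name $nsName

# 1. Role assignment from the comments: the Defender for Cloud resource provider
#    principal needs "Azure Event Hubs Data Sender" on the namespace. This is the
#    identity used when "Export as a trusted service" is ticked.
$mdcSp   = Get-AzADServicePrincipal -DisplayName 'Windows Azure Security Resource Provider'
$senders = Get-AzRoleAssignment -Scope $ns.Id -RoleDefinitionName 'Azure Event Hubs Data Sender'
if ($senders.ObjectId -contains $mdcSp.Id) {
    Write-Host "OK: Defender for Cloud principal has Data Sender on $($ns.Name)"
} else {
    Write-Warning "Defender for Cloud principal has no Data Sender assignment on $($ns.Name)"
    # Remove the comment to grant it:
    # New-AzRoleAssignment -ObjectId $mdcSp.Id -RoleDefinitionName 'Azure Event Hubs Data Sender' -Scope $ns.Id
}

# 2. Networking from the comments: a namespace that denies public traffic and does not
#    let trusted services through will drop the export without a visible error.
$rules = Get-AzEventHubNetworkRuleSet -ResourceGroupName $rg -NamespaceName $nsName
Write-Host "Network default action: $($rules.DefaultAction); trusted service access: $($rules.TrustedServiceAccessEnabled)"
if ($rules.DefaultAction -eq 'Deny' -and -not $rules.TrustedServiceAccessEnabled) {
    Write-Warning 'Namespace firewall denies by default and trusted services are not allowed: tick "Export as a trusted service" or allow the exporter through the firewall'
}

# 3. Ingress: sum the IncomingMessages metric over the last hour at 5-minute grain.
#    Zero here after the simulated alert fired means the export never reached the hub.
$metric = Get-AzMetric -ResourceId $ns.Id -MetricName 'IncomingMessages' -TimeGrain 00:05:00 `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date) -AggregationType Total -WarningAction SilentlyContinue
$total = 0
foreach ($point in $metric.Data) {
    if ($point.Total) { $total += $point.Total }   # empty intervals come back as null
}
Write-Host "IncomingMessages in the last hour on $($ns.Name): $total"
```

The role check only matters when the export runs as a trusted service, which the asker did not enable, so for that configuration the networking and ingress checks are the informative ones; the ingress figure counts every message on the namespace, so run it against a namespace that receives nothing else if you want a clean signal.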
