Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Is there any way to deploy a data connector in the MS Defender portal? #7864

Closed BSpatel183 closed 1 year ago

BSpatel183 commented 1 year ago

I want to create indicators in Defender from my client's application using the API. I just want to know if I can publish my application on the Defender portal, the same way we can publish a data connector and other services in the Sentinel portal.

github-actions[bot] commented 1 year ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

samikroy commented 1 year ago

@BSpatel183 - You have to register the application in Azure AD with the specified permission if you only want to ingest IOCs into Defender, and build an Azure Function or Logic App to publish to Defender. Hope this helps.

BSpatel183 commented 1 year ago

@samikroy Thank you for your response.

(Just for example: for Sentinel integrations we create a solution and need to raise a PR to the Azure Sentinel git repo. In the same way, are there any steps for publishing it into Defender?)

samikroy commented 1 year ago

@samikroy Thank you for your response.

  • I am also planning to create an Azure Function app, but my question is how we can publish that function app on Defender?

(Just for example: for Sentinel integrations we create a solution and need to raise a PR to the Azure Sentinel git repo. In the same way, are there any steps for publishing it into Defender?)

  • After getting it published, where can we find it on the Defender portal?

@BSpatel183 - As a consumer of Defender, we are limited to building and publishing this into our own Azure subscription; it will not be visible in Defender, but it works as follows:

  1. Create an app registration in Azure AD (in the same tenant as Defender is deployed).
  2. Write an Azure Function in one of the subscriptions attached to the same Active Directory.
  3. Use the App ID & secret to connect and ingest TI feeds into Defender.

We can then manage the app in Azure AD and the function in the Azure subscription.
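The three steps above, as an added example that is not part of the thread and not code from the Azure Sentinel project or from Microsoft: a small Python module (the kind of code an Azure Function would call on a timer or HTTP trigger) that takes IOCs from a hypothetical client application, obtains a token with the app registration's client ID and secret, validates each indicator locally, and POSTs it to the Defender for Endpoint Indicators API. Assumptions not stated in the issue: the app registration has been granted the WindowsDefenderATP application permission Ti.ReadWrite with admin consent and lives in the same tenant as Defender; the endpoint used is https://api.securitycenter.microsoft.com/api/indicators; the sample feed, the tenant and credential values, and the fake_post transport are constructed so the module runs offline.

```python
# Added example (not from the thread, the Azure Sentinel project, or Microsoft).
# Assumes an Azure AD app registration holding the WindowsDefenderATP application
# permission Ti.ReadWrite (admin-consented) in the same tenant as Defender.
import ipaddress
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_API = "https://api.securitycenter.microsoft.com"
INDICATORS_URL = MDE_API + "/api/indicators"
SCOPE = MDE_API + "/.default"  # token is usable only against the Defender API
VALID_TYPES = {"FileSha1", "FileSha256", "FileMd5", "IpAddress", "DomainName", "Url"}
VALID_ACTIONS = {"Alert", "AlertAndBlock", "Allowed", "Audit", "Warn", "Block"}
HEX_LEN = {"FileMd5": 32, "FileSha1": 40, "FileSha256": 64}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")

def validate_indicator(ind):
    """Reject malformed IOCs before they reach the tenant: a bad hash is useless,
    and a garbage value paired with action Block can do real damage."""
    t, v = ind.get("indicatorType"), str(ind.get("indicatorValue", ""))
    if t not in VALID_TYPES or ind.get("action") not in VALID_ACTIONS:
        raise ValueError(f"bad indicatorType/action: {t!r}/{ind.get('action')!r}")
    if t in HEX_LEN and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[t], v):
        raise ValueError(f"{t} must be {HEX_LEN[t]} hex characters")
    if t == "IpAddress":
        ip = ipaddress.ip_address(v)  # raises ValueError on garbage
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            raise ValueError(f"refusing to push {v} as an IOC")
    if t == "DomainName" and not DOMAIN_RE.fullmatch(v.lower()):
        raise ValueError("malformed domain")

def build_payload(ind, ttl_days=30):
    """Shape one IOC into the Indicators API body; always set an expiry so stale
    feed entries age out of the tenant instead of accumulating."""
    validate_indicator(ind)
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return {"indicatorValue": ind["indicatorValue"], "indicatorType": ind["indicatorType"],
            "action": ind["action"], "title": ind.get("title", "client-app feed"),
            "description": ind.get("description", "pushed by TI ingest function"),
            "severity": ind.get("severity", "Medium"),
            "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}

def _http_post(url, body, headers):
    """Real transport: returns (HTTP status, response text), even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def get_token(tenant, client_id, client_secret, post=_http_post):
    """Client-credentials flow: the app ID and secret from the registration are
    exchanged for a bearer token scoped to the Defender API."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE}).encode()
    status, text = post(TOKEN_URL.format(tenant=tenant), form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(text)["access_token"]

def push_indicators(token, iocs, post=_http_post):
    """POST each IOC; returns (accepted values, [(value, reason), ...]) so the
    function's log shows which feed entries were dropped and why."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    accepted, rejected = [], []
    for ind in iocs:
        try:
            payload = build_payload(ind)
        except ValueError as err:
            rejected.append((ind.get("indicatorValue"), str(err)))
            continue
        status, text = post(INDICATORS_URL, json.dumps(payload).encode(), headers)
        if status in (200, 201):
            accepted.append(payload["indicatorValue"])
        else:
            rejected.append((payload["indicatorValue"], f"HTTP {status}: {text[:200]}"))
    return accepted, rejected

# Constructed sample feed from a hypothetical client application; the last two
# entries are deliberately bad and must be rejected before any network call.
SAMPLE_FEED = [
    {"indicatorType": "FileSha256", "action": "Alert", "title": "client-app: dropper",
     "indicatorValue": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},
    {"indicatorType": "DomainName", "action": "AlertAndBlock", "indicatorValue": "c2.example.net"},
    {"indicatorType": "IpAddress", "action": "Block", "indicatorValue": "127.0.0.1"},
    {"indicatorType": "FileMd5", "action": "Alert", "indicatorValue": "not-a-hash"},
]

def fake_post(url, body, headers):
    """Offline stand-in for _http_post (constructed) so the module runs without a tenant."""
    if url.startswith("https://login."):
        return 200, json.dumps({"access_token": "fake-token"})
    if headers.get("Authorization") != "Bearer fake-token":
        return 401, "unauthorized"
    return 200, body.decode()

if __name__ == "__main__":  # offline demo; pass _http_post and real credentials for a live run
    print(push_indicators(get_token("contoso", "app-id", "secret", fake_post), SAMPLE_FEED, fake_post))
```

In a real deployment the client secret should not sit in the function's app settings in clear: reference it from Key Vault, or drop the secret entirely and let the Function's managed identity hold the Ti.ReadWrite app role and request the same scope. The local validation step matters because the Function runs with write access to the tenant's block list, so the client application's feed is effectively untrusted input to Defender.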

BSpatel183 commented 1 year ago

@samikroy Got your point, thanks!

samikroy commented 1 year ago

@v-vdixit - This seems ready for closure.