Views:
You can enable Microsoft Defender for Endpoint Log Collection on both new and existing Azure subscriptions in Cloud Accounts. Trend Vision One collects the data from Microsoft Defender and saves it in a log repository that you specify, which you then can view in Data Source and Log Management. You can also observe data, including security configuration risk events, in Cyber Risk Exposure Management. After enabling the feature in Trend Vision One you must configure Microsoft Defender to export events to Trend Vision One.
Note
Note
To enable this feature, you must be assigned the Key Vault Secrets role in Azure. This role is required to create and manage secrets in Azure Key Vault during deployment.

Procedure

  1. Enable Microsoft Defender for Endpoint Log Collection for a new or existing Azure subscription:
    1. Go to Cloud SecurityCloud Accounts.
    2. Click the Azure tab.
    3. Click Add Subscription or select an Azure subscription from the list.
    4. On the Features and permissions page (if you are adding a new subscription), or the Resource update tab (if you are configuring an existing subscription), enable Microsoft Defender for Endpoint Log Collection .
    5. By default, Microsoft Defender for Endpoint Log Collection deploys to all regions. To remove regions, click the Deployment list and clear the checkbox beside each region you want to remove.
  2. If you would like to enable log collection for XDR, click Scanner settings to configure additional settings.
    1. To enable the use of collected data for XDR, select SecOps Management.
    2. To collect the data in a log repository, select a log repository from the list. If no log repositories exist, click the link to add a log repository in Data Source and Log Management. After adding a log repository, click the refresh icon to show the repository in the list and select it.
  3. Save your changes. If you are adding a new Azure subscription, complete the steps to add the subscription. For more information, see Adding an Azure subscription.
  4. Configure Microsoft Defender to export events:
    1. In Microsoft Defender, go to General > Streaming API.
    2. Click Add to create a new Streaming API setting.
    3. Provide a name for the setting.
    4. Select Forward events to Event Hub.
    5. In the Event-Hub Resource ID field, enter /subscriptions/{subscriptionID}/resourceGroups/trendmicro-clm-mde-rg/providers/Microsoft.EventHub/namespaces/clm-eventhub-ns-{first 8 chars of subscriptionID}.
    6. In the Event-Hub name field, enter insights-logs-advancedhunting.
    7. In the Event Types area, select all Alerts & Behaviors and Devices.
    8. Click Submit.

What to do next

To ensure that Trend Vision One retains the Microsoft Defender data for an adequate period, you can configure the retention period for the log repository. The default retention period is 30 days. For more information see Log repositories.