Configuring MDFC and Microsoft Sentinel to use the same Log Analytics Workspace and why you should!
So this week I've had the pleasure of setting up Microsoft Defender for Cloud (MDFC) for a client with a view to onboarding all Azure virtual machines. The client also wanted the option to enable Microsoft Sentinel further down the line, so I set out to look at the best practices around this. In this blog post I will enable MDFC and configure it to use a custom Log Analytics Workspace so that the same workspace can also be used for Sentinel; this is recommended because Sentinel can then ingest all the logs collected by MDFC.
Before we start with anything I would advise you to read through Workspace architecture best practices for Microsoft Sentinel | Microsoft Docs, as it will help you determine the right workspace architecture for your environment. There is more useful info here: Design your Microsoft Sentinel workspace architecture | Microsoft Docs.
Our scenario is your typical small to medium sized business that wants to start using the entire Microsoft Defender stack, including Microsoft Defender for Cloud (part of Azure Security Centre), with integration to Microsoft Sentinel at some point.
So first things first, head to the Azure portal.
You'll want to make sure you have an Azure subscription available, along with the appropriate permissions. From the Azure portal, search for Resource Groups and create one. Use a naming convention that makes sense for your workload; I like to follow MS best practice, which can be found here: Define your naming convention - Cloud Adoption Framework | Microsoft Docs
Because we will be configuring this as part of our wider SOC infrastructure, I am going to name the resource group as such.
Add any tags you might want to use and then create the resource group.
Now search for Log Analytics Workspace and create a new workspace.
Make sure to select the correct subscription and the resource group you created earlier. Following the technical best practice for Sentinel linked above, we will continue with our naming convention, as this workspace will be used as part of the wider SOC deployment.
Add any tags and create the workspace.
Now that we have our resource group and custom workspace, it's time to turn on Defender for Cloud and change the Log Analytics workspace used for automatic provisioning. As you may know, when MDFC is enabled a default workspace is created; however, this default workspace cannot be used for Sentinel, hence the need for a custom workspace, as MS recommend (see below).
Search for Defender for Cloud and fire it up!
If this is the first time you've been into Defender for Cloud you'll be greeted with the Getting started pane and asked to upgrade your subscription; we'll select Skip at this stage.
It takes a few seconds to update, but you'll then see the following information pop up. You'll want to click it and make sure the appropriate RBAC permissions are set on your account.
In my case I want this to be the Security Admin role, but the principle of least privilege should be applied here, so take that into consideration.
Head back to the Overview pane for MDFC, then go to Environment settings under Management and find the Azure subscription you used to create the previous resources.
From here you'll want to enable MDFC on the resource types you plan to use it for; in my case this is just Servers. Take note that by default the plan for Servers is Plan 2. The plan relates to the version of Defender for Servers that is deployed; if you want to change this to Plan 1 you can do so here, but I would suggest staying on Plan 2. Once you enable it here for your resource type, the resources will start to enrol in the Defender platform. In my scenario, servers will start to appear in the Defender for Endpoint portal after the MDE extension is automatically installed.
For now we will leave the auto provisioning settings, we'll come back to them!
If you end up back at the Overview pane at any point you might be prompted to install the Log Analytics agents required to collect data; just continue without deploying the agents or select Remind me later.
Now here's where I found a weird bug with the portal. We will need to enable MDFC on the Log Analytics workspace, as this is a prerequisite for setting the data collection settings for auto provisioning, but if you go directly to the workspace via Environment settings to do this, the portal warns you that you are downgrading MDFC.
As we certainly don't want to downgrade anything, we need a way to enable it on the workspace without any downgrading going on. Here's how I do it.
You can head to the Workload protections pane and select the Enable Microsoft Defender for Cloud button, which will take you to the workspace to upgrade.
Or go directly to the Getting started pane, which will now only show the Log Analytics workspace we created, whereas before this pane only showed us the subscription. Go ahead and upgrade that bad boy!
Now we have Defender for Cloud enabled both at the subscription level and on the custom workspace; you'll know it's been upgraded when you are greeted with the below notification.
Now we are going to head back into the Environment settings except this time we will select the workspace instead of the subscription.
Make sure the resource types you want to apply it to are enabled (in my case they are), then head to the Data collection pane.
Here's where we configure the level of logging we want for our Log Analytics agents. Keep in mind that more log ingestion will likely mean higher ingestion costs, so select the appropriate level; if you are unsure I would recommend selecting Common, as you can always change it at a later date. In my case I want to select All Events.
The next job is to update the auto provisioning settings so that MDFC will deploy the agents using the correct workspace (not the default one created by MDFC).
Head back to the subscription under Environment settings and then choose the Auto provisioning pane.
Enable the extensions you require; in the case of Log Analytics agent for Azure VMs, you'll get the following pane slide in on the right.
From here you'll want to select Connect Azure VMs to a different workspace and choose the custom workspace we created earlier; you'll notice that the data collection settings we set earlier also pull through automatically.
You'll also get the following popup asking if you want to onboard any existing VMs to the new workspace. This is useful if you have deployed MDFC using the default workspace and want to switch to a custom one. Your use case may vary, but I would normally recommend selecting Existing and new VMs here.
You'll notice, once that has been accepted, that the agent auto provisioning configuration is using the correct workspace details.
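Added here as an example, not code from the original post: the same steps expressed with the Azure CLI, so the end-to-end configuration can be scripted and then checked rather than clicked through. The subscription ID, location, resource group and workspace names are constructed placeholders. The workspace-level enablement (step 4, the "Security" solution via the log-analytics-solution extension) and the data collection tier (step 5, the SecurityEventCollectionConfiguration data source) are my assumptions about the CLI equivalents of the portal clicks, not something the post states. The `deploy` function only runs when you pass `deploy`; the two helpers are pure string functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the portal workflow as Azure CLI
# calls. Subscription ID, location and names are constructed placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
LOCATION="${LOCATION:-uksouth}"            # assumption: use the region you deploy to
RG="${RG:-rg-soc-prod}"                    # constructed CAF-style resource group name
WS="${WS:-law-soc-prod}"                   # constructed name for the custom workspace

# Build the ARM resource ID of a Log Analytics workspace. Pure string work, so it
# can be used (and tested) without an Azure login.
workspace_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' "$1" "$2" "$3"
}

# ARM resource IDs are case-insensitive and the portal and CLI do not always
# return the same casing, so compare them lower-cased. Returns 0 on a match.
same_resource_id() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

deploy() {
  az account set --subscription "$SUBSCRIPTION_ID"

  # 1. Resource group for the SOC resources (tags optional, as in the post).
  az group create --name "$RG" --location "$LOCATION" --tags workload=soc >/dev/null

  # 2. Custom Log Analytics workspace that Sentinel will later share.
  az monitor log-analytics workspace create --resource-group "$RG" \
    --workspace-name "$WS" --location "$LOCATION" >/dev/null

  # 3. Defender for Servers on the subscription (standard tier; Plan 2 is the default).
  az security pricing create --name VirtualMachines --tier standard >/dev/null

  # 4. Enable Defender for Cloud on the workspace itself. Assumption: this is the
  #    "Security" solution, created through the log-analytics-solution extension.
  az monitor log-analytics solution create --resource-group "$RG" \
    --solution-type Security --workspace "$WS" >/dev/null

  # 5. Data collection level for the agents: None, Minimal, Recommended (Common in
  #    the portal) or All. Assumption: set via the SecurityEventCollectionConfiguration data source.
  az monitor log-analytics workspace data-source create --resource-group "$RG" --workspace-name "$WS" \
    --name SecurityEventCollectionConfiguration --kind SecurityEventCollectionConfiguration \
    --properties '{"tier":"All"}' >/dev/null

  # 6. Auto provisioning on, pointed at the custom workspace instead of the default
  #    one MDFC would otherwise create. Use "update" if a default setting already exists.
  az security auto-provisioning-setting update --name default --auto-provision On >/dev/null
  ws_id="$(workspace_resource_id "$SUBSCRIPTION_ID" "$RG" "$WS")"
  az security workspace-setting create --name default --target-workspace "$ws_id" >/dev/null

  # 7. Verify: the subscription's workspace setting must reference our workspace.
  configured="$(az security workspace-setting show --name default --query workspaceId -o tsv)"
  if same_resource_id "$configured" "$ws_id"; then
    echo "auto provisioning targets $ws_id"
  else
    echo "unexpected workspace: $configured" >&2
    return 1
  fi
}

# Only talk to Azure when explicitly asked: ./mdfc-workspace.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Step 7 is the one worth keeping even if you do everything else in the portal: `az security workspace-setting show --name default` is the quickest way to confirm that auto provisioning is not still pointing at the default workspace after the switch.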
So let's recap on what we've done.
Created a Resource Group to store our SOC related Azure resources.
Created a custom Log Analytics Workspace.
Updated our account's RBAC permissions to the appropriate level.
Enabled Microsoft Defender for Cloud on both the subscription and the workspace level (without having to downgrade anything).
Updated the data collection settings for Defender for Cloud on our custom workspace.
Configured auto provisioning to deploy the Log Analytics agent automatically and connect it to the custom workspace.
And that's all there is to configuring Microsoft Defender for Cloud to use a custom workspace. This means that when we go to enable Microsoft Sentinel we can use the same custom workspace already associated with MDFC, which will allow Sentinel to ingest all logs from MDFC!