
Configure storage account and storage queue for Microsoft Defender for Endpoint

This document describes the steps required to set up the storage account and storage queue that the integration of Microsoft Defender for Endpoint (MDE) with the Xshield platform relies on.

Summary Table

| Step Name | Purpose of this Step |
| --- | --- |
| Create Storage Account | Acts as the destination where Defender will send raw telemetry events such as DeviceNetworkEvents. |
| Create Storage Queue | Stores event notifications (triggers) for new data blobs uploaded by Defender. |
| Configure Event Subscription | Automatically forwards a notification to the queue when a new telemetry blob is created in storage. |
| Assign IAM Role - Blob Data Reader | Allows the Entra application to read blobs from the storage account (to retrieve event data). |
| Assign IAM Role - Queue Message Processor | Allows Xshield (via the Entra app) to read and process messages from the queue (event triggers). |
| Retrieve Storage Account Resource ID | Needed to configure Defender's Streaming API and tie it to the correct storage account. |
| Setup Defender Streaming API | Ensures only DeviceNetworkEvents are exported to blob storage for network visibility in Xshield. |
tip

ColorTokens provides a terraform script to automate the manual steps outlined in this document. To use the terraform script, please follow the instructions in the Generate API Credentials for Integrating Microsoft Defender for Endpoint with Xshield platform using Terraform document

1. Create Storage Account, Storage Queue and Event Subscription

Follow the below steps to set up Storage Account, Storage Queue and Event Subscription:

1.1 Setup Storage Account

A storage account is required to receive network events from MDE.

  1. Go to Storage Accounts > Create

    Storage-Account-01

    Storage-Account-02

  2. Provide a name for the storage account, select the subscription and resource group

    Storage-Account-03

  3. Go to the Networking tab. Under Public network access, choose the option that enables access only from selected virtual networks and IP addresses. This sets the account's default action to Deny, so nothing can reach it until the ColorTokens subnet rule in step 5 is added. Do not choose Disable: when public network access is fully disabled, virtual network rules are ignored and the account is reachable only through private endpoints, so the rule added in step 5 would have no effect.

    Storage-Account-04

  4. Click Review + create and then Create

    Storage-Account-05

    Storage-Account-06

    Storage-Account-07

  5. Allow the ColorTokens SaaS platform to reach your storage account by adding a virtual network rule for the ColorTokens subnet. Run the following command with the required parameters:

az storage account network-rule add --resource-group "<storage-account-resource-group>" --account-name "<storage-account-name>" --subnet /subscriptions/<ColorTokens-Subscription>/resourceGroups/<ColorTokens-Resource-Group>/providers/Microsoft.Network/virtualNetworks/<ColorTokens-VNET>/subnets/<ColorTokens-subnet>

⚠️ Note: Please contact ColorTokens Support for ColorTokens subscription, resource group, vnet and subnet details.


1.2 Setup Storage Queue

Set up a queue in the storage account to capture and store incoming MDE network events.

  1. Go to Storage Accounts > Storage Account Name > Data storage > Queues

    Storage-Queue-01

  2. Click +Queue

    Storage-Queue-02

  3. Provide a name for the queue and click OK

    Storage-Queue-03

    Storage-Queue-04

note

The Storage Account name and Storage Queue name are required to configure the integration in the Xshield Platform. Note them down.


1.3 Create Event Subscription for Blob Notifications

Configure Event Subscription on the storage account with Endpoint Type - Storage Queue to notify Xshield about new blob creation events.

  1. Go to Storage Account > Events > + Event Subscription

    Storage-Event-Subscription-01

    Storage-Event-Subscription-02

  2. In the Basics tab:

    • Provide a Name for the event subscription and a System Topic Name
    • Under Filter to Event Types in the EVENT TYPES section, select only Blob Created
    • Select Storage Queue as the Endpoint type, so that a notification is sent to the storage queue whenever a blob is created
    • Click Configure an Endpoint and select the storage queue created in the previous step

    Storage-Event-Subscription-03

    Storage-Event-Subscription-04

  3. In the Filters tab, restrict notifications to blobs created in the container insights-logs-advancedhunting-devicenetworkevents (the container the Streaming API writes DeviceNetworkEvents to):

    • Tick Enable subject filtering
    • Set Subject Begins With to:
      /blobServices/default/containers/insights-logs-advancedhunting-devicenetworkevents/

    Storage-Event-Subscription-05

  4. Finally, click on the Create button to create the Event Subscription

    Storage-Event-Subscription-06

2. Assign IAM Roles to Entra Application

Grant the Entra application the data-plane permissions it needs: read access to blobs in the storage account (to retrieve the exported events) and message-processing access on the queue (to pick up blob-created notifications). Both are assigned to the application registered in the Generate API Credentials document.

2.1 Storage Account Access

  1. Go to Storage Account > Access Control (IAM) > +Add > Add role assignment

    Storage-Container-Access-Control

  2. Under Role > Job function roles, select Storage Blob Data Reader

    Storage-Container-Access-Control-02

  3. Under the Members tab, click +Select members, type your Entra ID application name under Select members and click Select

    Storage-Container-Access-Control-03

  4. Click Review + assign to save the changes

    Storage-Container-Access-Control-04

    Storage-Container-Access-Control-05


2.2 Storage Queue Access

  1. Go to Storage Account > Data Storage > Queues > Click on the Storage Queue

    Queue-IAM-01

  2. Click on Access Control (IAM) > +Add > Add role assignment

    Queue-IAM-02

  3. Under Role > Job function roles, select Storage Queue Data Message Processor

    The Entra application (whose API credentials Xshield uses) needs Storage Queue Data Message Processor on this queue so that Xshield can receive, process and delete the blob-created notifications. Assign the role at the queue scope rather than on the whole storage account to keep the grant as narrow as possible.

    Queue-IAM-03

  4. Under the Members tab, click +Select members, type your Entra ID application name under Select members and click Select

    Queue-IAM-04

  5. Click on Review + assign to save the changes

    Queue-IAM-05


3. Retrieve the Resource ID of the Storage Account

  1. Go to Storage Account > Overview > JSON View

    Storage-Account-JSON-View-01

  2. Copy the Resource ID from the JSON view. This resource ID is needed to configure Defender to export telemetry to the storage account.

    Storage-Account-JSON-View-02
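The portal steps in sections 1 to 3 can be carried out from a workstation with the az CLI installed and logged in (az login). The script below is an added example, not ColorTokens' Terraform module or Xshield code: it builds the az commands for each step in order, renders them for review, and runs them only when asked. All values in Settings are placeholders; the ColorTokens subnet resource ID comes from ColorTokens Support, the application ID is the Entra app created for the integration, and the system topic and event subscription names are assumptions. The event subscription uses the same Blob Created type and subject prefix as section 1.3, and the two role assignments are scoped to the storage account and to the queue respectively, matching sections 2.1 and 2.2.

```python
"""Provision the Azure side of the MDE -> Xshield integration with the az CLI."""
import shlex
import subprocess
from dataclasses import dataclass
from typing import List

# Container the Defender Streaming API creates for DeviceNetworkEvents;
# the Event Grid subject filter from section 1.3 points at it.
CONTAINER = "insights-logs-advancedhunting-devicenetworkevents"
SUBJECT_PREFIX = f"/blobServices/default/containers/{CONTAINER}/"


@dataclass
class Settings:
    subscription: str           # your Azure subscription ID (placeholder)
    resource_group: str
    location: str
    account: str                # storage account name, 3-24 lowercase alphanumerics
    queue: str                  # storage queue name
    app_id: str                 # application (client) ID of the Entra app Xshield uses
    colortokens_subnet_id: str  # subnet resource ID supplied by ColorTokens Support
    system_topic: str = "mde-blob-events"                # assumed name
    event_subscription: str = "mde-devicenetworkevents"  # assumed name


def storage_account_id(s: Settings) -> str:
    """Resource ID the Streaming API asks for in section 4 (same value as the portal JSON view)."""
    return (f"/subscriptions/{s.subscription}/resourceGroups/{s.resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{s.account}")


def queue_id(s: Settings) -> str:
    """Queue-level resource ID: the Event Grid endpoint and the narrowest scope for the queue role."""
    return f"{storage_account_id(s)}/queueServices/default/queues/{s.queue}"


def build_commands(s: Settings) -> List[List[str]]:
    acct = storage_account_id(s)
    return [
        # 1.1 storage account: public access only from selected networks (default action Deny),
        # so nothing can reach it until the ColorTokens subnet rule below is added.
        ["az", "storage", "account", "create", "--name", s.account,
         "--resource-group", s.resource_group, "--location", s.location,
         "--sku", "Standard_LRS", "--kind", "StorageV2",
         "--public-network-access", "Enabled", "--default-action", "Deny"],
        ["az", "storage", "account", "network-rule", "add",
         "--resource-group", s.resource_group, "--account-name", s.account,
         "--subnet", s.colortokens_subnet_id],
        # 1.2 queue, created with your own Entra identity rather than the account key
        ["az", "storage", "queue", "create", "--name", s.queue,
         "--account-name", s.account, "--auth-mode", "login"],
        # 1.3 system topic plus subscription: only Blob Created, only the DeviceNetworkEvents container
        ["az", "eventgrid", "system-topic", "create", "--name", s.system_topic,
         "--resource-group", s.resource_group, "--location", s.location,
         "--source", acct, "--topic-type", "microsoft.storage.storageaccounts"],
        ["az", "eventgrid", "system-topic", "event-subscription", "create",
         "--name", s.event_subscription, "--resource-group", s.resource_group,
         "--system-topic-name", s.system_topic,
         "--endpoint-type", "storagequeue", "--endpoint", queue_id(s),
         "--included-event-types", "Microsoft.Storage.BlobCreated",
         "--subject-begins-with", SUBJECT_PREFIX],
        # 2.1 and 2.2: least-privilege data-plane roles for the Entra app
        ["az", "role", "assignment", "create", "--assignee", s.app_id,
         "--role", "Storage Blob Data Reader", "--scope", acct],
        ["az", "role", "assignment", "create", "--assignee", s.app_id,
         "--role", "Storage Queue Data Message Processor", "--scope", queue_id(s)],
    ]


def run(commands: List[List[str]], dry_run: bool = True) -> List[str]:
    """Return the rendered command lines; execute them in order unless dry_run."""
    rendered = []
    for argv in commands:
        rendered.append(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)  # stop at the first failing step
    return rendered


if __name__ == "__main__":
    demo = Settings(  # placeholders only
        subscription="00000000-0000-0000-0000-000000000000", resource_group="rg-mde",
        location="eastus", account="stmdexshield", queue="mde-blob-created",
        app_id="11111111-1111-1111-1111-111111111111",
        colortokens_subnet_id="/subscriptions/<ColorTokens-Subscription>/resourceGroups/"
                              "<ColorTokens-Resource-Group>/providers/Microsoft.Network/"
                              "virtualNetworks/<ColorTokens-VNET>/subnets/<ColorTokens-subnet>")
    for line in run(build_commands(demo)):  # dry run: print, do not execute
        print(line)
```

Review the printed commands, then call run(build_commands(settings), dry_run=False) to apply them. The storage account resource ID printed by storage_account_id() is the value section 4 asks for, so the JSON view step is not needed when provisioning this way.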


4. Configure Defender Telemetry Export via Streaming API

Microsoft Defender XDR collects various telemetry events from machines onboarded to Defender for Endpoint. The Xshield platform requires access only to events in the DeviceNetworkEvents table to provide network visibility.

⚠️ IMPORTANT NOTE: Xshield only requires DeviceNetworkEvents. While configuring the Streaming API to export data to Blob Storage, make sure to select only DeviceNetworkEvents under the Devices section of Event Types.

  1. Go to Defender for Endpoint > Settings

    Streaming-API-01

  2. Select Microsoft Defender XDR

    Streaming-API-02

  3. Select Streaming API > +Add. Provide:

    • A value for name
    • Select Forward events to Azure Storage
    • Under Storage account Resource ID, enter the Resource ID of the Storage Account copied in the previous step (JSON View)
    • Under Event Types, select Devices > DeviceNetworkEvents
    • Click Submit

    Streaming-API-03

  4. The Streaming API is now set up.

    Streaming-API-04

⚠️ Note: With this configuration:

  • Only DeviceNetworkEvents are exported.
  • A container named insights-logs-advancedhunting-devicenetworkevents is created automatically in the storage account.
  • Blobs are stored in this container. ✅ Verify that blobs are being generated in the container before proceeding to the next steps. It can take up to 30 minutes for the first blob to appear in the storage container.

Storage-Blob-01
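Once blobs appear, the pipeline built above produces two artefacts a consumer has to handle: the Blob Created notification that Event Grid drops in the storage queue, and the JSON-lines blob the Streaming API writes, in which each line carries the event columns under a properties object. The example below is added here and is not Xshield's code: it decodes a queue message, re-applies the event type and subject-prefix checks from section 1.3 before trusting it (the subscription filter protects against stray notifications, but any identity holding a queue sender role could enqueue arbitrary text, so the consumer should not trust a message just because it arrived), and then filters the blob to DeviceNetworkEvents rows. The sample message and blob are constructed for the example; the storage account name, blob path and tenant values are placeholders, and the base64 handling reflects how Event Grid delivers messages to storage queues, with a raw-JSON fallback as a precaution.

```python
"""Validate Blob Created queue messages and parse Streaming API blobs (added example)."""
import base64
import binascii
import json
from typing import Dict, List, Optional

CONTAINER = "insights-logs-advancedhunting-devicenetworkevents"
SUBJECT_PREFIX = f"/blobServices/default/containers/{CONTAINER}/"
BLOB_CREATED = "Microsoft.Storage.BlobCreated"
CATEGORY = "AdvancedHunting-DeviceNetworkEvents"
ACCOUNT = "stmdexshield"  # placeholder storage account name


def decode_queue_message(text: str) -> dict:
    """Event Grid delivers base64-encoded JSON to storage queues; accept raw JSON as well."""
    try:
        text = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64: treat the message body as JSON directly
    return json.loads(text)


def blob_url_from_event(event: dict, account: str = ACCOUNT) -> Optional[str]:
    """Return the blob URL only if the notification matches what we subscribed to."""
    if event.get("eventType") != BLOB_CREATED:
        return None
    if not event.get("subject", "").startswith(SUBJECT_PREFIX):
        return None
    url = event.get("data", {}).get("url", "")
    # The URL is what we will fetch, so pin it to our own account and container.
    if not url.startswith(f"https://{account}.blob.core.windows.net/{CONTAINER}/"):
        return None
    return url


def parse_blob(text: str) -> List[Dict]:
    """Each blob line is one JSON record; the DeviceNetworkEvents columns sit under 'properties'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != CATEGORY:  # keep only DeviceNetworkEvents
            continue
        p = rec["properties"]
        rows.append({k: p.get(k) for k in (
            "Timestamp", "DeviceName", "ActionType", "LocalIP", "LocalPort",
            "RemoteIP", "RemotePort", "Protocol", "InitiatingProcessFileName")})
    return rows


def process(queue_message: str, blob_text: str) -> List[Dict]:
    """Decode and validate a queue message, then parse the blob it points to.
    Fetching the blob (GET on the URL with the Entra app's token) is left to the caller;
    blob_text is the downloaded body."""
    event = decode_queue_message(queue_message)
    if blob_url_from_event(event) is None:
        return []  # drop anything that does not match the expected notification
    return parse_blob(blob_text)


# --- constructed sample data (not captured from a real tenant) ---
_BLOB_PATH = "resourceId=/tenants/placeholder/y=2024/m=05/d=01/h=10/m=00/PT1H.json"
SAMPLE_EVENT = {
    "topic": f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mde"
             f"/providers/Microsoft.Storage/storageAccounts/{ACCOUNT}",
    "subject": f"{SUBJECT_PREFIX}blobs/{_BLOB_PATH}",
    "eventType": BLOB_CREATED,
    "eventTime": "2024-05-01T10:05:00Z",
    "id": "c1d2e3f4-0000-0000-0000-000000000000",
    "data": {"api": "PutBlob", "blobType": "BlockBlob",
             "url": f"https://{ACCOUNT}.blob.core.windows.net/{CONTAINER}/{_BLOB_PATH}"},
    "dataVersion": "", "metadataVersion": "1",
}
SAMPLE_QUEUE_MESSAGE = base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode()

SAMPLE_BLOB = "\n".join([
    json.dumps({"time": "2024-05-01T10:01:12Z", "tenantId": "placeholder-tenant",
                "operationName": "Published", "category": CATEGORY,
                "properties": {"Timestamp": "2024-05-01T10:01:10Z", "DeviceName": "ws01.corp.example",
                               "ActionType": "ConnectionSuccess", "LocalIP": "10.0.0.5",
                               "LocalPort": 50512, "RemoteIP": "10.0.1.20", "RemotePort": 443,
                               "Protocol": "Tcp", "InitiatingProcessFileName": "chrome.exe"}}),
    # a row from another table, which a correctly scoped export should never contain
    json.dumps({"time": "2024-05-01T10:01:13Z", "tenantId": "placeholder-tenant",
                "operationName": "Published", "category": "AdvancedHunting-DeviceProcessEvents",
                "properties": {"FileName": "cmd.exe"}}),
])

if __name__ == "__main__":
    for row in process(SAMPLE_QUEUE_MESSAGE, SAMPLE_BLOB):
        print(row)
```

A message that fails any check is dropped rather than dead-lettered here; in a real consumer you would log it, because a steady stream of non-matching notifications means either the subject filter in section 1.3 was not applied or something else is writing to the queue.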


After completing these prerequisites, proceed to the Activate Integration on Xshield section.

References and Support

For assistance, please contact ColorTokens Support.