Collect Microsoft Defender for Endpoint on iOS logs

This document describes how you can collect Microsoft Defender for Endpoint on iOS logs by setting up a Google SecOps feed using Microsoft Azure Blob Storage V2.

Microsoft Defender for Endpoint on iOS is a mobile threat defense solution that protects iOS devices against phishing, unsafe network connections, and malicious apps. It provides web protection using a local VPN and integrates with Microsoft Intune for device management. Events from iOS devices are captured in the same Advanced Hunting tables as other Defender for Endpoint platforms, including DeviceEvents, DeviceInfo, DeviceLogonEvents, and DeviceNetworkEvents.

Before you begin

Ensure that you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Microsoft Azure portal with permissions to:
  • Create Storage Accounts
  • Configure Diagnostic Settings (for Azure services)
  • Manage access keys
• Access to Microsoft Defender portal with permissions to:
  • Configure Data export settings
  • Manage Microsoft Defender XDR settings
• iOS devices running iOS 16.0 or later

• Devices enrolled via Intune Company Portal or registered via Microsoft Authenticator

Configure Azure Storage Account

Create Storage Account

1. In the Azure portal, search for Storage accounts.
2. Click + Create.

3. Provide the following configuration details:

   Setting	Value
   Subscription	Select your Azure subscription
   Resource group	Select existing or create new
   Storage account name	Enter a unique name (for example, defenderioslogssa)
   Region	Select the region (for example, East US)
   Performance	Standard (recommended)
   Redundancy	GRS (Geo-redundant storage) or LRS (Locally redundant storage)

4. Click Review + create.

5. Review the overview of the account and click Create.

6. Wait for the deployment to complete.

Get Storage Account credentials

1. Go to the Storage Account you just created.
2. In the left navigation, select Access keys under Security + networking.
3. Click Show keys.
4. Copy and save the following for later use:
   • Storage account name: The name you created (for example, defenderioslogssa)
   • Key 1 or Key 2: The shared access key (a 512-bit random string in base-64 encoding)

Get Blob Service endpoint

1. In the same Storage Account, select Endpoints from the left navigation.
2. Copy and save the Blob service endpoint URL.
   • Example: https://defenderioslogssa.blob.core.windows.net/

Get Storage Account Resource ID

1. In the same Storage Account, select Properties from the left navigation.
2. Scroll down to find Storage account resource ID.
3. Click the copy icon next to the Resource ID and save it for later use.
   • Example: /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/defenderioslogssa

Configure Microsoft Defender for Endpoint data export

1. Sign in to the Microsoft Defender portal at https://security.microsoft.com.
2. Go to Settings > Microsoft Defender XDR > Data export settings.
3. Click + Add data export settings.
4. In the Name field, enter a descriptive name (for example, Export to Chronicle).
5. In the Forward events to section, select Azure Storage.
6. In the Storage account resource ID field, paste the Storage Account Resource ID you copied earlier.

7. In the Choose events section, select the event types to export. For comprehensive iOS device monitoring, select the following:

   • DeviceEvents: General device events including app launches and system events
   • DeviceInfo: Device inventory information including OS version and device properties
   • DeviceLogonEvents: Sign-in and authentication events
   • DeviceNetworkEvents: Network connections and web protection events
   • DeviceProcessEvents: Process creation and termination events
   • DeviceFileEvents: File creation, modification, and deletion events
   • AlertInfo: Alert metadata from Defender for Endpoint
   • AlertEvidence: Evidence associated with alerts

8. Click Save.

   After configuration, Microsoft Defender for Endpoint begins exporting events to your Azure Storage Account. Events are organized in blob containers with the following naming pattern:

   • deviceevents
   • deviceinfo
   • devicelogonevents
   • devicenetworkevents
   • deviceprocessevents
   • devicefileevents
   • alertinfo
   • alertevidence

• Each container stores events in a hierarchical folder structure organized by date and time:

  container-name/
    └── year=YYYY/month=MM/day=DD/hour=HH/
        └── [event-files].json
  

Configure a feed in Google SecOps to ingest Microsoft Defender for Endpoint on iOS logs

You need to create a separate feed for each event type container. Repeat the following steps for each container you want to ingest.

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. On the next page, click Configure a single feed.
4. In the Feed name field, enter a name for the feed (for example, Defender iOS - DeviceEvents).
5. Select Microsoft Azure Blob Storage V2 as the Source type.
6. Select Microsoft Defender for Endpoint on iOS as the Log type.
7. Click Next.

8. Specify values for the following input parameters:

   • Azure URI: Enter the Blob Service endpoint URL with the container path:

   https://defenderioslogssa.blob.core.windows.net/deviceevents/
   

   Replace the following:

   • defenderioslogssa: Your Azure storage account name.
   • deviceevents: The blob container name for the event type.
   • Source deletion option: Select the deletion option according to your preference:
   • Never: Never deletes any files after transfers.
   • Delete transferred files: Deletes files after successful transfer.
   • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
   • Maximum File Age: Include files modified in the last number of days (default is 180 days)
   • Shared key: Enter the shared key value (access key) you captured from the Storage Account
   • Asset namespace: The asset namespace
   • Ingestion labels: The label to be applied to the events from this feed (for example, defender_ios)

9. Click Next.

10. Review your new feed configuration in the Finalize screen, and then click Submit.

Repeat the above steps for each event type container you want to ingest (for example, deviceinfo, devicelogonevents, devicenetworkevents, etc.). Use descriptive feed names to distinguish between event types.

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

1. In the Azure portal, go to your Storage Account.
2. Select Networking under Security + networking.
3. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
4. In the Firewall section, under Address range, click + Add IP range.

5. Add each Google SecOps IP range in CIDR notation.

   To get the current IP ranges:

   • See IP Allowlisting documentation
   • Or retrieve them programmatically using the Feed Management API

6. Click Save.

UDM mapping table

Need more help? Get answers from Community members and Google SecOps professionals.