-Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.

-Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.

-Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.

-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.

-Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.

-MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.

-When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).

-description: Enable Corelight integration to gain visibility focused on IoT/OT devices in areas of the network where MDE is not deployed

-keywords: enable siem connector, siem, connector, security information and events

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-# Enable Corelight as data source in Microsoft Defender for Endpoint

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-enablesiem-abovefoldlink)

-Microsoft has partnered with [Corelight](https://corelight.com/integrations/iot-security), provider of the industry's leading open network detection and response (NDR) platform, to help you discover IoT/OT devices across your organization. Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.

-With this data source enabled, all events from Corelight network appliances are sent to Microsoft 365 Defender. You can view these activities in the unmanaged devices timeline, available in the Microsoft Defender for Endpoint device inventory. For more information, see [Device discovery](device-discovery.md).

-## Prerequisites

-1. To setup the Corelight data integration, the user must have the following roles:

- - Tenant Global Administrator in Azure Active Directory

- - Security Administrator for the Azure subscription that will be used for the Microsoft Defender for IoT integration

-2. An onboarded Defender for IoT plan. For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).

-## Enabling the Corelight integration

-To enable the Corelight integration, you'll need to take the following steps:

-[Step 1: Turn on Corelight as a data source](#step-1-turn-on-corelight-as-a-data-source)<br>

-[Step 2: Provide permission for Corelight to send events to Microsoft 365 Defender](#step-2-provide-permission-for-corelight-to-send-events-to-microsoft-365-defender)<br>

-[Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender](#step-3-configure-your-corelight-appliance-to-send-data-to-microsoft-365-defender)

-### Step 1: Turn on Corelight as a data source

-1. In the navigation pane of the [https://security.microsoft.com](https://security.microsoft.com/) portal, select **Settings** \> **Device discovery** \> **Data sources**.

- :::image type="content" source="../../media/defender-endpoint/enable-corelight.png" alt-text="The data sources page in the Microsoft 365 Defender portal" lightbox="../../media/defender-endpoint/enable-corelight.png":::

-2. Select **Send Corelight data to M365D** and select **Save**.

-### Step 2: Provide permission for Corelight to send events to Microsoft 365 Defender

-> [!NOTE]

-> You must be a global admin to grant Corelight permission to access resources in your organization.

-1. As a Tenant Global Administrator, go to this [link](<https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=d8be544e-9d1a-4825-a5cb-fb447457f692&response_type=code&sso_reload=true>) to grant permission.

-2. Go to [https://security.microsoft.com](https://security.microsoft.com/) portal, select **Settings** \> **Microsoft 365 Defender**, and take note of the **Tenant ID**. You'll need this information when configuring your Corelight appliance.

-### Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender

-> [!NOTE]

-> The integration is available in Corelight Sensor software v25 and later.

->

-> You will need internet connectivity for your sensor to reach both the Defender and Corelight cloud services for the solution to work.

-#### Enable the integration in the Corelight web interface

-1. In the Corelight web interface, navigate to **Sensor** \> **Export**.

- :::image type="content" source="images/exporttodefender.png" alt-text="The kafka export" lightbox="images/exporttodefender.png":::

-2. Enable **Export To Microsoft Defender**.

-3. Enter your Microsoft 356 Defender Tenant ID.

-4. Optionally, you can:

- - set the **Zeek Logs to Exclude**. The minimal set of logs you must include are: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.

- - choose to create a **Microsoft Defender Log Filter**.

-5. Select **Apply Changes**.

-#### Enable the integration in the corelight-client

-1. Enable **Export To Microsoft Defender** using the following command in the corelight-client:

- ``` command

- corelight-client configuration update \

- --bro.export.defender.enable True

- ```

-2. Set your tenant ID

-3. Optionally, you can use the following command to exclude certain logs or to create a Microsoft Defender log filter. The minimal set of logs you must include are: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.

- ``` command

- corelight-client configuration update \

- --bro.export.defender.exclude=<logs_to_exclude> \

- --bro.export.defender.filter=<logs_to_filter>

- ```

-## See also

-## Device discovery Integrations

-To address the challenge of gaining enough visibility to locate, identify, and secure your complete OT/IOT asset inventory Microsoft Defender for Endpoint now supports the following integrations:

-> Device discovery Integrations with [Microsoft Defender for IoT](/azure/defender-for-iot/organizations/) and [Corelight](https://corelight.com/integrations/iot-security) are available to help locate, identify, and secure your complete OT/IOT asset inventory. Devices discovered with these integrations will appear on the **IoT devices** tab. For more information, see [Device discovery integrations](device-discovery.md#device-discovery-integrations).

-| [Corelight](https://corelight.com/integrations/iot-security)| Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.

-|[Open NDR](https://go.microsoft.com/fwlink/?linkid=2201964)|Corelight|Augment device inventory in Microsoft 365 Defender with network evidence for complete visibility.|

- Microsoft has partnered with [Corelight](https://corelight.com/company/zeek-now-component-of-microsoft-windows), a leader in open source Network Detection and Response (NDR), to provide a new open-source integration with [Zeek](https://corelight.com/about-zeek/how-zeek-works) for Defender for Endpoint. With this integration, organizations can super-charge their investigation efforts with rich network signals and reduce the time it takes to detect network-based threats by having unprecedented visibility into network traffic from the endpoints' perspective.

- The new Zeek integration is available in the latest version of the Defender for Endpoint agent via the following knowledge base articles:

- - [KB5016691](https://support.microsoft.com/topic/august-25-2022-kb5016691-os-build-22000-918-preview-59097044-915a-49a0-8870-49823236adbd)

- - [KB5016693](https://support.microsoft.com/topic/august-16-2022-kb5016693-os-build-20348-946-preview-ee90d0bc-c162-4124-b7c6-f963ee7b17ed)

- - [KB5016688](https://support.microsoft.com/topic/august-26-2022-kb5016688-os-builds-19042-1949-19043-1949-and-19044-1949-preview-ec31ebdc-067d-44dd-beb0-eabcc984d843)

- - [KB5016690](https://support.microsoft.com/topic/august-23-2022-kb5016690-os-build-17763-3346-preview-b81d1ac5-75c7-42c1-b638-f13aa4242f42)

- > [!NOTE]

- > This integration doesn't currently support the use of custom scripts to gain visibility into extra signals.