Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Before you begin

  1. Create an Event hub in your tenant.
  2. Log in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > wp-signup.php to Microsoft.Insights.
  3. Create an Event Hub Namespace, go to Event Hub > Add and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see Event Hubs pricing.

Add contributor permissions

Once the Event Hub namespace is created you will need to:

  1. Define the user who will be logging into Microsoft 365 Defender as Contributor.
  2. If you are connecting to an application, add the App Registration Service Principal as Reader, Azure Event Hub Data Receiver (this can also be done at Resource Group or Subscription level).

    Go to Event hubs namespace > Access control (IAM) > Add and verify under Role assignments.

Enable raw data streaming

  1. Log in to Microsoft 365 Defender portal as a Global Administrator or Security Administrator.
  2. Go to the Streaming API settings page.
  3. Click on Add.
  4. Choose a name for your new settings.
  5. Choose Forward events to Azure Event Hub.
  6. You can select if you want to export the event data to a single Event Hub, or to export each event table to a different event hub in your Event Hub namespace.
  7. To export the event data to a single Event Hub, enter your Event Hub name and your Event Hub resource ID.

    To get your Event Hub resource ID, go to your Azure Event Hub namespace page on Azure > Properties tab > copy the text under Resource ID:

    Image of Event Hub resource Id1.

  8. Go to the Supported Microsoft 365 Defender event types in event streaming API to review the support status of event types in the Microsoft 365 Streaming API.
  9. Choose the events you want to stream and click Save.

The schema of the events in Azure Event Hub


   "records": [
                  "time": "<The time Microsoft 365 Defender received the event>"
                  "tenantId": "<The Id of the tenant that the event belongs to>"
                  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
                  "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
  • Each Event Hub message in Azure Event Hub contains list of records.
  • Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called “properties“.
  • For more information about the schema of Microsoft 365 Defender events, see Advanced Hunting overview.
  • In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well.

Data types mapping

To get the data types for event properties do the following:

  1. Log in to Microsoft 365 Defender and go to Advanced Hunting page.
  2. Run the following query to get the data types mapping for each event:

    | getschema
    | project ColumnName, ColumnType
  • Here is an example for Device Info event:

    Image of Event Hub resource Id2.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.