Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Before you begin

  1. Create a Storage account in your tenant.
  2. Log in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights.

Enable raw data streaming

  1. Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.
  2. Go to Settings > Microsoft 365 Defender > Streaming API. To go directly to the Streaming API page, use https://security.microsoft.com/settings/mtp_settings/raw_data_export.
  3. Click Add.
  4. In the Add new Streaming API settings flyout that appears, configure the following settings:
    1. Name: Choose a name for your new settings.
    2. Select Forward events to Azure Storage.
    3. In the Storage Account Resource ID box that appears, type your Storage Account Resource ID. To get your Storage Account Resource ID, open the Azure portal at https://portal.azure.com, click Storage accounts > go to the properties tab > copy the text under Storage Account Resource ID.

    4. Back on the Add new Streaming API settings flyout, choose the Event types that you want to stream.

    When you’re finished, click Submit.

The schema of the events in the Storage account

  • A blob container will be created for each event type.

  • The schema of each row in a blob is the following JSON:

        {
            "time": "<The time Microsoft 365 Defender received the event>",
            "tenantId": "<Your tenant ID>",
            "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
            "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
        }

  • Each blob contains multiple rows.
  • Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs to (you will only get events from your tenant), and the event in JSON format in a property called “properties”.
  • For more information about the schema of Microsoft 365 Defender events, see Advanced Hunting overview.
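
As an added example (not part of the original Microsoft documentation), the following Python function checks each row of a downloaded blob against the envelope described above before the events are loaded into a SIEM or data lake. It assumes one JSON object per line; `parse_blob`, the `_received` key and all sample values are constructed for illustration.

```python
import json
from collections import defaultdict

PREFIX = "AdvancedHunting-"
REQUIRED = ("time", "tenantId", "category", "properties")

def parse_blob(blob_text, expected_tenant):
    """Split blob rows into {table: [event, ...]} and [(line_no, reason), ...]."""
    events, rejected = defaultdict(list), []
    for line_no, line in enumerate(blob_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((line_no, "not valid JSON"))
            continue
        if not isinstance(row, dict) or any(k not in row for k in REQUIRED):
            rejected.append((line_no, "missing envelope field"))
        elif row["tenantId"] != expected_tenant:
            rejected.append((line_no, "unexpected tenantId"))
        elif not (isinstance(row["category"], str) and row["category"].startswith(PREFIX)):
            rejected.append((line_no, "unexpected category"))
        elif not isinstance(row["properties"], dict):
            rejected.append((line_no, "properties is not an object"))
        else:
            table = row["category"][len(PREFIX):]
            # Keep the service receive time next to the event's own fields.
            events[table].append({**row["properties"], "_received": row["time"]})
    return dict(events), rejected

# Constructed sample rows (not real telemetry); tenant IDs are placeholders.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_BLOB = "\n".join([
    json.dumps({"time": "2021-06-01T10:00:00Z", "tenantId": TENANT,
                "category": "AdvancedHunting-DeviceInfo",
                "properties": {"DeviceName": "host-a", "OSPlatform": "Windows10"}}),
    json.dumps({"time": "2021-06-01T10:00:05Z",
                "tenantId": "11111111-1111-1111-1111-111111111111",
                "category": "AdvancedHunting-DeviceInfo",
                "properties": {"DeviceName": "host-b"}}),
    '{"time": "2021-06-01T10:00:09Z", "tenantId":',  # truncated row
    json.dumps({"time": "2021-06-01T10:00:12Z", "tenantId": TENANT,
                "category": "AdvancedHunting-DeviceInfo", "properties": "oops"}),
])

if __name__ == "__main__":
    accepted, rejected = parse_blob(SAMPLE_BLOB, TENANT)
    print(accepted, rejected, sep="\n")
```

Rejected rows are returned with their line number and reason rather than dropped silently, so a truncated upload or a row from an unexpected tenant shows up in the ingestion pipeline's own logs.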

Data types mapping

To get the data types for the event properties, do the following:

  1. Log in to Microsoft 365 Defender and go to Hunting > Advanced hunting. To go directly to the Advanced hunting page, use https://security.microsoft.com/advanced-hunting.
  2. On the Query tab, run the following query to get the data types mapping for each event:

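    // {EventType} is a placeholder for the Advanced hunting table name, for example DeviceInfo
    {EventType}
    | getschema
    | project ColumnName, ColumnType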
  • Here is an example for the Device Info event:

    [Image: data types mapping for the Device Info event]

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
