| title | description | ms.service | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.subservice | ms.custom | search.appverid | ms.date | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Stream Microsoft Defender for Endpoint events to your Storage account |
Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account. |
defender-endpoint |
siosulli |
siosulli |
medium |
deniseb |
ITPro |
|
reference |
reference |
api |
met150 |
06/28/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
Note
For the full data streaming experience available, please visit Stream Microsoft Defender XDR events | Microsoft Learn.
Want to experience Defender for Endpoint? Sign up for a free trial.
-
Create a Storage account in your tenant.
-
Sign in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
-
Sign in to the Microsoft Defender portal as a Security Administrator.
-
Go to Data export settings page in Microsoft Defender XDR.
-
Select on Add data export settings.
-
Choose a name for your new settings.
-
Choose Forward events to Azure Storage.
-
Type your Storage Account Resource ID. In order to get your Storage Account Resource ID, go to your Storage account page on Azure portal > properties tab > copy the text under Storage account resource ID:
:::image type="content" source="../media/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="../media/storage-account-resource-id.png":::
-
Choose the events you want to stream and select Save.
-
A blob container is created for each event type:
:::image type="content" source="../media/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="../media/storage-account-event-schema.png":::
-
The schema of each row in a blob is the following JSON:
{ "time": "<The time WDATP received the event>" "tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>" "properties": { <WDATP Advanced Hunting event as Json> } } -
Each blob contains multiple rows.
-
Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you get events only from your tenant), and the event in JSON format in a property called
properties. -
For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview.
-
In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here, every event is decorated with this column as well. For more information, see Device Groups.
[!NOTE] Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
In order to get the data types for our events properties, take the following steps:
-
Sign in to the Microsoft Defender portal and go to Advanced Hunting page.
-
Run the following query to get the data types mapping for each event:
{EventType} | getschema | project ColumnName, ColumnType
Here's an example for Device Info event:
:::image type="content" source="../media/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../media/data-types-mapping-query.png":::