| title | description | keywords | search.product | search.appverid | ms.service | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Stream Microsoft Defender XDR events to your Storage account |
Learn how to configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account. |
raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing |
eADQiWindows 10XVcnh |
met150 |
defender-xdr |
deploy |
library |
security |
macapara |
mjcaparas |
medium |
dansimp |
ITPro |
|
admindeeplinkDEFENDER |
conceptual |
02/08/2023 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
Note
Try our new APIs using MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.
[!includePrerelease information]
-
Create a Storage account in your tenant.
-
Log in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights.
Once the Storage account is created, you'll need to:
-
Define the user who is logging into Microsoft Defender XDR as Contributor.
Go to Storage Account > Access control (IAM) > Add and verify under Role assignments.
-
Log in to Microsoft Defender XDR as a Global Administrator or Security Administrator.
-
Go to Settings > Microsoft Defender XDR > Streaming API. To go directly to the Streaming API page, use https://security.microsoft.com/settings/mtp_settings/raw_data_export.
-
Select Add.
-
In the Add new Streaming API settings flyout that appears, configure the following settings:
- Name: Choose a name for your new settings.
- Select Forward events to Azure Storage.
-
To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:
-
Navigate to your storage account in the Azure portal.
-
On the Overview page, in the Essentials section, select the JSON View link.
-
The resource ID for the storage account is displayed at the top of the page, copy the text under Storage Account Resource ID.
-
Back on the Add new Streaming API settings flyout, choose the Event types that you want to stream.
When you're finished, select Submit.
-
-
A blob container is created for each event type:
:::image type="content" source="/defender-endpoint/media/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="/defender-endpoint/media/storage-account-event-schema.png":::
-
The schema of each row in a blob is the following JSON:
{ "time": "<The time Microsoft Defender XDR received the event>" "tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>" "properties": { <Microsoft Defender XDR Advanced Hunting event as Json> } } -
Each blob contains multiple rows.
-
Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you'll only get events from your tenant), and the event in JSON format in a property called "properties".
-
For more information about the schema of Microsoft Defender XDR events, see Advanced Hunting overview.
In order to get the data types for our events properties do the following:
-
Log in to Microsoft Defender XDR and go to Hunting > Advanced hunting. To go directly to the Advanced hunting page, use <security.microsoft.com/advanced-hunting>.
-
On the Query tab, run the following query to get the data types mapping for each event:
{EventType} | getschema | project ColumnName, ColumnType
-
Here's an example for Device Info event:
:::image type="content" source="/defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="/defender-endpoint/media/machine-info-datatype-example.png":::
You can monitor the resources created by the streaming API using Azure Monitor. For more information, see Monitor destinations - Azure Monitor | Microsoft Docs.