diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png index a61a727f7e..a83123905f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png and b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png index fc87c883bd..41c451506b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png index 21e3728769..d9409e3ab1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png index 25171e900c..cbd0d20303 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 68f4140b42..fe534eb0ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md 
@@ -27,21 +27,22 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w ## Before you begin: -- Create an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant. -- Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** +1. Create an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant. +2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** ## Enable raw data streaming: -- Log in to [MDATP portal](https://securitycenter.windows.com) with Global Admin user. -- Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal. -- Click on **Add data export settings**. -- Choose a Name to your new settings. -- Choose **Forward events to Azure Event Hub** -- Type your **Event hub name** and your **Event hub resource Id**. +1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user. +2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal. +3. Click on **Add data export settings**. +4. Choose a Name to your new settings. +5. Choose **Forward events to Azure Event Hub** +6. Type your **Event hub name** and your **Event hub resource Id**. In order to get your **Event hub resource Id**, go to your Event hub namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**: ![Image of event hub resource Id](images/event-hub-resource-id.png) -- Choose the events you want to stream and click Save. + +7. Choose the events you want to stream and click Save. ## The schema of the events in the Event-Hub: 
@@ -59,16 +60,17 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w } ``` -- As you can see, each event hub message in the Event-Hub contains list of records. -- Each record contains the event name, the time WDATP received the event, the tenant it belongs ( You will only get events from your tenant ), and the event in Json format in a property called "properties". -- Check out [Advanced Hunting overview](overview-hunting.md) to learn about the schema of WDATP events. +- Each event hub message in the Event-Hub contains list of records. +- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". +- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md) to learn about the schema of Microsoft Defender ATP events. ## Data types mapping: In order to get the data types for our events properties do the following: - Login to our portal and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). -- Run the following query to get the data types mapping for each event: +- Run the following query to get the data types mapping for each event: + ``` {EventType} | getschema @@ -82,6 +84,6 @@ In order to get the data types for our events properties do the following: ## Related topics - [Overview of Advanced Hunting](overview-hunting.md) -- [MDATP Streaming API](raw-data-export.md) -- [Stream MDATP events to your Azure storage account](raw-data-export-storage.md) +- [Microsoft Defender ATP streaming API](raw-data-export.md) +- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hub documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 6e68d86344..1abe81f5ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md 
@@ -23,25 +23,25 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) -## Preparations: +## Before you begin: -- Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant. -- Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** +1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant. +2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** ## Enable raw data streaming: -- Log in to [MDATP portal](https://securitycenter.windows.com) with Global Admin user. -- Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal. -- Click on **Add data export settings**. -- Choose a Name to your new settings. -- Choose **Forward events to Azure Storage** -- Type your **Storage Account Resource Id**. - In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: +1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user. +2. 
Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender ATP portal. +3. Click on **Add data export settings**. +4. Choose a Name to your new settings. +5. Choose **Forward events to Azure Storage** +6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: ![Image of event hub resource Id](images/storage-account-resource-id.png) -- Choose the events you want to stream and click Save. + +7. Choose the events you want to stream and click Save. ## The schema of the events in the Storage account: @@ -61,7 +61,7 @@ ms.topic: article ``` - each blob contains multiple rows. -- Each raw contains the event name, the time WDATP received the event, the tenant it belongs ( You will only get events from your tenant ), and the event in Json format in a property called "properties". +- Each raw contains the event name, the time WDATP received the event, the tenant it belongs ( You will only get events from your tenant ), and the event in JSON format in a property called "properties". - Check out [Advanced Hunting overview](overview-hunting.md) to learn about the schema of WDATP events. ## Data types mapping: 
@@ -79,10 +79,10 @@ In order to get the data types for our events properties do the following: - Here is an example for Machine Info event: -![Image of event hub resource Id](images/machine-info-datatype-example.png) +![Image of event hub resource ID](images/machine-info-datatype-example.png) ## Related topics - [Overview of Advanced Hunting](overview-hunting.md) -- [MDATP Streaming API](raw-data-export.md) -- [Stream MDATP events to your Azure storage account](raw-data-export-storage.md) +- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md) +- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md) - [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
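Review bot: In the "Enable raw data streaming" list of raw-data-export-event-hub.md (hunk @@ -27,21), step 1 is renamed to "Microsoft Defender Security Center" but step 2 still says "on MDATP portal"; apply the rename to both lines so the product name is consistent within one list. Step 4 "Choose a Name to your new settings" reads better as "Choose a name for your new settings", and step 5 "Choose **Forward events to Azure Event Hub**" is the only step without a terminating period. In "Before you begin", "Register to **Microsoft.insights**" would be clearer as "register the **Microsoft.insights** resource provider".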
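Review bot: The third bullet in the schema section of raw-data-export-event-hub.md (hunk @@ -59,16) is redundant: "For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md) to learn about the schema of Microsoft Defender ATP events." states the same purpose twice, so drop the trailing "to learn about ..." clause. The first bullet is missing an article ("contains list of records" should be "contains a list of records") and the second bullet's "the tenant it belongs" should be "the tenant it belongs to".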
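Review bot: The Related topics link text is inconsistent between the two files: raw-data-export-event-hub.md (hunk @@ -82,6) uses "Microsoft Defender ATP streaming API" and "Stream Microsoft Defender ATP events to your Azure storage account", while raw-data-export-storage.md (hunk @@ -79,10) uses "Microsoft Defender Advanced Threat Protection Streaming API" and "Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account" for the same targets (raw-data-export.md and raw-data-export-storage.md). Pick one form, including the capitalisation of "streaming API", and use it in both files.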
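Review bot: Step 1 of "Enable raw data streaming" in raw-data-export-storage.md (hunk @@ -23,25) reads "Log in to [Microsoft Defender ATP portal](...) with Global Admin user", whereas the same step in raw-data-export-event-hub.md in this patch reads "Log in to [Microsoft Defender Security Center](...) with a Global Admin user"; align the link text and add the missing article. Step 4 has the same "Choose a Name to your new settings" wording as the event hub page and should become "Choose a name for your new settings". The unchanged context line `![Image of event hub resource Id](images/storage-account-resource-id.png)` carries the wrong alt text for a storage account screenshot; since the surrounding lines are already being edited, change it to "Image of storage account resource ID".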
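Review bot: Hunk @@ -61,7 of raw-data-export-storage.md only changes "Json" to "JSON" and leaves the rest of the bullet untouched: "Each raw contains" should be "Each row contains" (matching the preceding "each blob contains multiple rows" bullet, which itself should start with a capital letter), "WDATP" is renamed to "Microsoft Defender ATP" in the parallel hunk of raw-data-export-event-hub.md but not here, "the tenant it belongs" should be "the tenant it belongs to", and the spaced parenthetical "( You will only get events from your tenant )" was tightened in the event hub file but not in this one. Apply the same wording fixes so the two pages stay in step.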
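Review bot: The alt text change for machine-info-datatype-example.png in hunk @@ -79,10 of raw-data-export-storage.md only capitalises "ID" but the description is still wrong: the image follows "Here is an example for Machine Info event:" in the "Data types mapping" section and shows the data types for that event, not an event hub resource ID. Use alt text that describes the image, for example "Image of Machine Info event data types".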