Merge pull request #4299 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md

@@ -31,16 +31,23 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 ## Before you begin:
 
 1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**.
 
 ## Enable raw data streaming:
 
 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
+
 2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
 3. Click on **Add data export settings**.
+
 4. Choose a name for your new settings.
+
 5. Choose **Forward events to Azure Event Hubs**.
+
 6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+
    In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
 
    ![Image of event hub resource Id](images/event-hub-resource-id.png)
@@ -64,8 +71,11 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 ```
 
 - Each event hub message in Azure Event Hubs contains list of records.
+
 - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+
 - For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
 - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
@@ -73,21 +83,22 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 To get the data types for event properties do the following:
 
 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
 2. Run the following query to get the data types mapping for each event:
  
-```
+   ```
-{EventType}
+   {EventType}
-| getschema
+   | getschema
-| project ColumnName, ColumnType 
+   | project ColumnName, ColumnType 
-
+   ```
-```
 
 - Here is an example for Device Info event: 
 
-![Image of event hub resource Id](images/machine-info-datatype-example.png)
+  ![Image of event hub resource Id](images/machine-info-datatype-example.png)
 
 ## Related topics
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Microsoft Defender for Endpoint streaming API](raw-data-export.md)
 - [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
 - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide)

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md

@@ -31,19 +31,24 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 ## Before you begin:
 
 1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
+
 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
-3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**.
 
 ## Enable raw data streaming:
 
 1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add data export settings**.
-4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
 
-  ![Image of event hub resource Id](images/storage-account-resource-id.png)
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Storage**.
+
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+
+   ![Image of event hub resource ID](images/storage-account-resource-id.png)
 
 7. Choose the events you want to stream and click **Save**.
 
@@ -51,22 +56,25 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 
 - A blob container will be created for each event type: 
 
-![Image of event hub resource Id](images/storage-account-event-schema.png)
+  ![Image of event hub resource ID](images/storage-account-event-schema.png)
 
 - The schema of each row in a blob is the following JSON: 
 
-```
+  ```
-{
+  {
           "time": "<The time WDATP received the event>"
           "tenantId": "<Your tenant ID>"
           "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
           "properties": { <WDATP Advanced Hunting event as Json> }
-}               
+  }               
-```
+  ```
 
 - Each blob contains multiple rows.
+
 - Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+
 - For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
 - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
@@ -74,18 +82,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
 In order to get the data types for our events properties do the following:
 
 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
 2. Run the following query to get the data types mapping for each event: 
 
-```
+   ```
-{EventType}
+   {EventType}
-| getschema
+   | getschema
-| project ColumnName, ColumnType 
+   | project ColumnName, ColumnType 
-
+   ```
-```
 
 - Here is an example for Device Info event: 
 
-![Image of event hub resource ID](images/machine-info-datatype-example.png)
+  ![Image of event hub resource ID](images/machine-info-datatype-example.png)
 
 ## Related topics
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)