Ben Alfasi
2019-06-26 13:06:33 +03:00
parent 8d12a21ca3
commit a1a5e82186
5 changed files with 90 additions and 5 deletions

Binary file not shown (added; size 58 KiB).

Binary file not shown (added; size 7.8 KiB).

View File

@ -57,7 +57,6 @@ ms.topic: article
<09>
]
}
```
- As you can see, each event hub message in the Event-Hub contains list of records.
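Review bot: the line rendered as `<09>` inside the fenced JSON sample is a stray control character (0x09, tab) that made it into the doc source; drop it or replace it with spaces so the sample copies cleanly. The trailing context line is worth fixing while this region is being edited: "As you can see, each event hub message in the Event-Hub contains list of records." needs an article ("contains a list of records"), and "Event-Hub" should match the "event hub" spelling used earlier in the same sentence.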

View File

@ -0,0 +1,86 @@
---
title: Stream Microsoft Defender Advanced Threat Protection events.
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event hub, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Preparations:
- Create an [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
- Log in to your [Azure tenant](https://ms.portal.azure.com/), go to <20> Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**
## Enable raw data streaming:
- Log in to [MDATP portal](https://securitycenter.windows.com) with Global Admin user.
- Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal.
- Click on **Add data export settings**.
- Choose a Name to your new settings.
- Choose **Forward events to Azure Storage**
- Type your **Storage Account Resource Id**
In order to get your **Storage Account Resource Id**, go to your Storage account page on Azure > properties tab > copy the text under **Storage account resource ID**:
![Image of event hub resource Id](images/storage-account-resource-id.png)
- Choose the events you want to stream and click Save.
## The schema of the events in the Storage account:
- A blobs container will be created for each event type:
![Image of event hub resource Id](images/storage-account-event-schema.png)
- The schema of each row in a Blob is the following Json:
```
{
"time": "<The time WDATP received the event>"
"tenantId": "<Your tenant ID>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}
```
- each blob contains multiple rows.
- Each raw contains the event name, the time WDATP received the event, the tenant it belongs ( You will only get events from your tenant ), and the event in Json format in a property called "properties".
- Check out [Advanced Hunting overview](overview-hunting) to learn about the schema of WDATP events.
## Data types mapping:
In order to get the data types for our events properties do the following:
- Login to our portal and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
- Run the following query to get the data types mapping for each event:
```
{EventType}
| getschema
| project ColumnName, ColumnType
```
- Here is an example for Machine Info event:
![Image of event hub resource Id](images/machine-info-datatype-example.png)
## Related topics
- [Overview of Advanced Hunting](overview-hunting)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
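Review bot: the row schema sample under "The schema of each row in a Blob is the following Json:" is not valid JSON, since the "time", "tenantId" and "category" members are missing the commas that separate them; anyone pasting it into a parser or schema tool gets a syntax error, so add the commas and tag the fence as ```json. Smaller issues in the same file: all three image alt texts read "Image of event hub resource Id" although the images show the storage account resource ID, the per-event-type blob containers and the machine-info data type example (copied over from the event hub article); "Each raw contains the event name" should be "Each row"; the [Advanced Hunting overview](overview-hunting) and [Overview of Advanced Hunting](overview-hunting) links omit the .md extension that raw-data-export.md uses for the same target (overview-hunting.md), so they will not resolve when built; "Create an [Storage account]" should be "a Storage account"; the stray character rendered as `<20>` before "Subscriptions" in the Preparations step should go; and the front-matter title ends with a period. Lastly, the step "Log in to MDATP portal with Global Admin user" gives no reason for that role; stating which permission the data export settings page actually requires lets readers pick the least privileged role that suffices.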

View File

@ -34,7 +34,7 @@ Microsoft Defender ATP supports streaming all the events available through [Adva
Topic | Description
:---|:---
[Stream MDATP events to your event hub](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your event hub.
[Stream MDATP events to your Azure storage account](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
[Stream MDATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
## Related topics
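Review bot: the link target in the replacement row is right now that it points at raw-data-export-storage.md, the file added in this commit, instead of raw-data-export-event-hub.md (the removed row sent the storage account entry to the same page as the event hub row). One wording point on both remaining rows: "configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your ..." reads better as "stream [Advanced Hunting](overview-hunting.md) events to your ...", and "Learn about enabling ... and configure" should be "and configuring" for parallel structure.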