diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png new file mode 100644 index 0000000000..a61a727f7e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md new file mode 100644 index 0000000000..52cc7168e6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -0,0 +1,50 @@ +--- +title: Stream Microsoft Defender Advanced Threat Protection events. +description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub. +keywords: raw data export, streaming API, API, Event hub, Azure storage, storage account, Advanced Hunting, raw data sharing +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Event hub + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) + +## Preparations: + +- Create an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant. +- Log in to your [Azure tenant](https://ms.portal.azure.com/), go to – Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** + +## Enable raw data streaming: + +- Log in to [MDATP portal](https://securitycenter.windows.com) with Global Admin user. +- Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal. +- Click on **Add data export settings**. +- Choose a Name to your new settings. +- Choose **Forward events to Azure Event Hub** +- Type your **Event hub name** and your **Event hub resource Id** + In order to get your **Event hub resource Id**, go to your Event hub namespace page on Azure > properties tab > copy the text under **Resource ID**: + + ![Image of event hub resource Id](images/event-hub-resource-id.png) +- Choose the events you want to stream and click Save. + + + +## Related topics +- [Overview of Advanced Hunting](overview-hunting) +- [Azure Event Hub documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index cfb25c8268..65d000cbb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -27,17 +27,17 @@ ms.topic: article ## Stream Advanced Hunting events to your event hub and/or Azure storage account. -Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting) to an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/). +Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/). ## In this section Topic | Description :---|:--- -[Stream MDATP events to your event hub](enable-siem-integration.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting) to your event hub. -[Stream MDATP events to your Azure storage account](configure-splunk.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting) to your Azure storage account. +[Stream MDATP events to your event hub](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your event hub. +[Stream MDATP events to your Azure storage account](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account. ## Related topics -- [Overview of Advanced Hunting](overview-hunting) +- [Overview of Advanced Hunting](overview-hunting.md) - [Azure Event Hub documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) - [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)