From a64def95112b6bbd8924e4f186772914c449dfd7 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Wed, 26 Jun 2019 11:38:24 +0300 Subject: [PATCH] 2 --- .../images/event-hub-resource-id.png | Bin 0 -> 4741 bytes .../raw-data-export-event-hub.md | 50 ++++++++++++++++++ .../microsoft-defender-atp/raw-data-export.md | 8 +-- 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png new file mode 100644 index 0000000000000000000000000000000000000000..a61a727f7eaa6c19318050d477113fabab7b4bf5 GIT binary patch literal 4741 zcmc&&XE+<&+mC8#c^;}&)U39sU0SoGt?}5@7D}j*TJ;yB6(TxRQ7iUL)v6G)sJ&{$ zNbFUiYDS1!L1Mh=bG={RumAVMIrq7*`#$Hse`j6icOst{>-^2a%K`uZ{?^mgG6Mh@ z6X-s_y(Hn6J=rW$~{8r$>nluPK+?Z@hlT>~fxqCo@~yk@@vSJ}!=wwksFsib9(# zO~&o^0}l*K8s~-&G!vWlNyRW4CX|*=*;|X*q9+wrn@~*$@F`%al&(D&P?4kyTOAx7 zX4u4k)1;7CJqHfHwS8iT59$AwwrkV46^kNJTOMY9@}wu&wwKWda@K%UH=7n>f^ZpG z?+l*xWW+K808$2dDkTP6-G{kLjyR7rHWv&XLG^P*h*2MTS5GHE9VIS-_jC1PObJ6`RV^&HF$Cd;1Vj(PLU^6&kFs??=^@DRT&3HxG zIR0ZD;aP=$mN;g*(X&r-L8reNjyBP#>Wt3YTcpaE7HzR`d3ijC=9@G~RADL9NPQbMNV4a3eH6T+lW{QAE`B#1BrVLV6Yq1qG02wv-)s>_X9C>^dz$p~fu;E`p? ze7n4MD%tgK5n-hbvB*kMpXhs>nJ{yTGdHoaK-l~}J@}(B4;&h*@AoO=m(pjA>^{a( zT%j=bhGsj3#I(Po`$J*u@cL+<3quqzPOU8FlkuPZYVNKC8CUt-e^-6pU{d4~q^5oK zLsK`ymh(SDk5VM)dFv)XyOb7uw?M2{230=1%RUt_bb(FNufgg($CQtuzr zkm~1taiJKr@rhBnEUQ0On<9Rh)neBT!iCltjgwv?R>~U4-Wjm!-P+pP5X=?T*%r8+af%Cfks=&N zjqW_dN-WEn&#Y_4vCxmBGqO_rQ|~(mk2H0Z^Qh?9(YVN_cVa2PG@^kcAC4tNAp! 
zEKu7=&zxAPt}+({;`avGQ)9#af(`ZpgIXE#O?bp`S zEMFanJ*{Tah8%A?ME)#)2Qvb(&Mp;LuNV zS^@3)@wNI@c&u6Fz;eI&9Hu*@mMYX5x;uzE-5XSzpKl<8ZTqi=*6httmxYdZTWML_ zWc%U-(Rt!*LiO&X2!YI8(q-K(nXA~PF}PjBuYrBN77?KI$r_g7Hvj_9%wLYLtob^w zEttx&Qd;HdHuuSIcHG>qO>(NKVwRJ6>nW`N4+2CU`@n?lc&hZYQu*2&QKx-%^R1~N zaSW;{|2PS`UHPQAOiumw(o!ruS%p@FET5f7V*uf2ZZb{YsUdn9m1O@KN%I`VKw8J~ zR)~|+M#+b?Ck~6`VAEKB1EWkt)laDnOz8oy?VV>; zNt9{tWj4-?zg0`(NX?Vj40|#c8i5BvQdUYA%&1}tK++5DcY$K9oGrFn7{O~*e1fah zv!Wl)wk*-R!}S$QQ&_FvA_Apm_D`Yl<=s~PRjx3KrAy{cJF%G4YEDm5#IQAb#4azF zX_|64LQ!zw=fU5=6{@<`_-0A$L(EJ&<2$svAi`@A*}nENA!*h|1?RdFG^pJ>r>D|q z(2kv6j8t=*Iz`@Rri5QMtbfwGN>%lklAB~a~^$uh}mHb1%fto>ift2^;lkwYf`&XXMueSn#f?O|r7 z+#qOFE>V2fq(u-@>Lu4eUYz^^RS-fDv1Dnk_;}!G8fG0{d#kfvLp1HmA9QJ&rf4+Wz zJN9u)#^Rvm!#Ia#!L^l&f{+RaSMOyjTXB*7w+>f^`-Y{UpGB zF7v{nhH9?FGzYOyQwM<>wsgYXcQoOe;L<#BpKzt#9;G^~|NMF5^59ycJx z{WYskox<3_aLxUCU)y9SH<&5z-J>E|8qCTv`?Wi!0&e%0Xh{i(DK1 z+MJ8hCph{@pNxJImY7D&CO=r@Yd|R?SE73G)vso=rAbR|6TnkV6yz>fOTDpFx+@oellUP@5OzC=?Bj|m@RAjKUB%O7pB7`?)zp|2EuA|S zEhI6bheYlTd*08N2n5saApo$)MD^ z55IUVwP$3!(`7PzOuPJZo+L0?6wDdA115!?Y1|FyhD%Oj<&r`-m&?F)pOtYI1eBZjtr-koKy+#3s`KWm)(`VbbT_J z0GmB);2l?wmhIws2+|b;e}dekQh8=gUHSa){WH`q@f!awD_|-OYBeoHEL#r^k|Fcg zTrzTfRd;V6`wwey6aOv4{7{tTASNm>W$J;k5Tk8n(syf5tmvhJK3+?&g-)r1I$Olf z9J8o|lzCu*v{jf++7-Pj z=KSoZevP2JNA>i;mv2w)<$EOjZRe8>+jT4=GIAdFO6(75@R(nld>-W<5gLr>i>$ju zTk^jU;Prs0p=f@GI~1kh#EVR+h;6Sh$4Ewc+lKr+EE(`+A^xzmH47#6skOd!ZP`Es zon#m}`q)u^uPiM1lpU|>q{?Qtp08+bhM!Oa>hZ@UJc1k{jh~oEv0KP~@DdnG+ccSd zc)p@;yEB?>6B^cfXks0@NPTM8x)Cv$c|Nt@sk~&aWxFrkpuldxlHE06JkhyP0jc4H zN_+2OJ{F8#<|*XqceC(Hs%0%Hp?2{yi!FNPN~XWz9Z49f3`8r9DT5R>d8Gt<#(NYj ztnM+WkSaLnmy&o#ZRLQ>_OrJ?z-2No?ldwI4z9&~i;I%8xLk8o6$t+7_s!=vFDx7w z6@7W~rbURt&FtGLRL`VZo>J!q`(Lf2M&8cOi$}Ywr`Tv1x5QKAYXeNV>BQ$R{c~rD zwk<%mO)$myInn3M=cOd1t6^!G%(OfP=Ix7J*%Vdmy2Gu=j+DDM;`7h>myF1bR_obX{BWG2U*0HuM~h6Ual?98VNWp~P?cif&j9{?YCVtqZ% z?J-W(>%NL-L&Qw3((lh>t4rm~hFje+e5asJ(zEO36Dvk1`GzgberKSRwCWc5Ww_Z4 zr*m+6P0bw9Z{p7@TnTX;9o#FYLi%NxSe*g{d9`1uZ8QW0ul`hbhOvI@&y!{>&zhY2 
zT6Y&~EV{pVS}oPz2a3*ocF89SGCbw&)R(nCq9bbsJkorn%VL0QP##?>#dwgGvBBMY zbcQ0=W5;uVas|z-mWtf!2l3r=#bu};62iiH{ctlWe!p`#T1Ics3B_!A-#EXZU_;Ji zIsTYEyZ_EvDMK1Fbi#GvMc|7pRR{roD5j_9$qt{$-g><726V z?!?5zo;aaK<=H`8%;<7yQSjkVo(2vE43{$UL%r$6ukBLXoSmIJ32z9ig;2(1P|FF$ zuJs~7`RxYKZM3?V5c2iHY9m?9Z}23E+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) + +## Preparations: + +- Create an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant. +- Log in to your [Azure tenant](https://ms.portal.azure.com/), go to – Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights** + +## Enable raw data streaming: + +- Log in to [MDATP portal](https://securitycenter.windows.com) with Global Admin user. +- Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal. +- Click on **Add data export settings**. +- Choose a Name to your new settings. +- Choose **Forward events to Azure Event Hub** +- Type your **Event hub name** and your **Event hub resource Id** + In order to get your **Event hub resource Id**, go to your Event hub namespace page on Azure > properties tab > copy the text under **Resource ID**: + + ![Image of event hub resource Id](images/event-hub-resource-id.png) +- Choose the events you want to stream and click Save. + + + +## Related topics +- [Overview of Advanced Hunting](overview-hunting) +- [Azure Event Hub documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index cfb25c8268..65d000cbb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md 
@@ -27,17 +27,17 @@ ms.topic: article ## Stream Advanced Hunting events to your event hub and/or Azure storage account. -Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting) to an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/). +Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/). ## In this section Topic | Description :---|:--- -[Stream MDATP events to your event hub](enable-siem-integration.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting) to your event hub. -[Stream MDATP events to your Azure storage account](configure-splunk.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting) to your Azure storage account. +[Stream MDATP events to your event hub](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your event hub. +[Stream MDATP events to your Azure storage account](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure MDATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account. ## Related topics -- [Overview of Advanced Hunting](overview-hunting) +- [Overview of Advanced Hunting](overview-hunting.md) - [Azure Event Hub documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) - [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
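Review bot: in the new file raw-data-export-event-hub.md, the Related topics entry `- [Overview of Advanced Hunting](overview-hunting)` omits the `.md` extension, even though this same patch changes exactly that link to `overview-hunting.md` in raw-data-export.md; make it `- [Overview of Advanced Hunting](overview-hunting.md)` so the new page does not ship with the broken relative link the other file is being fixed for. Two wording fixes in the same hunk: the Preparations step "Register to **Microsoft.insights**" is ambiguous and should read "register the **Microsoft.insights** resource provider", and "Choose a Name to your new settings" should be "Choose a name for your new settings". Since the page requires a Global Admin user to enable export and the configuration only takes an Event hub name and resource ID, it would also help readers to state in the Preparations section that the resource ID to copy is the one of the Event hub namespace (as the later step already implies), so the two sections do not contradict each other.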
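Review bot: in the raw-data-export.md hunk, the second table row, "Stream MDATP events to your Azure storage account", is changed to link to `raw-data-export-event-hub.md`, so both rows now point at the event hub page; the storage-account row needs its own target (the patch adds only the event hub page), or the row should be left out until that page exists. The rewritten intro line also keeps `[Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/)`, which sends the storage-account link to the Event Hubs documentation; since the `+` line is being touched anyway, point it at the storage URL already used under Related topics, `https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview`.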