Joey Caparas 2019-06-27 11:14:06 -07:00
parent 96a3c67970
commit ea19c2a0f6
3 changed files with 17 additions and 17 deletions

@ -1,7 +1,7 @@
---
title: Stream Microsoft Defender Advanced Threat Protection events.
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
keywords: raw data export, streaming API, API, Event Hub, Azure storage, storage account, Advanced Hunting, raw data sharing
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
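Review bot: the `keywords:` line is the only front matter field in this hunk moved to the new "Azure Event Hubs" wording; the unchanged `description:` two lines above still says "stream Advanced Hunting events to your Event Hub", so the page metadata now mixes both names. Update it in the same pass, e.g. `description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Azure Event Hubs.`, and consider dropping the trailing period in `title:`, which none of the other front matter values carry.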
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hubs
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
**Applies to:**
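Review bot: "to your Azure Event Hubs" in the new heading reads awkwardly, because Azure Event Hubs is the service name rather than a resource the reader owns; "to Azure Event Hubs" or "to your Azure Event Hubs namespace" would match the resource the later steps actually ask for (the Event Hubs namespace resource ID) and would line up with the `description:` field above.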
@ -27,24 +27,24 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create an [Event Hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**
1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on MDATP portal.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
4. Choose a Name to your new settings.
5. Choose **Forward events to Azure Event Hubs**
4. Choose a name for your new settings.
5. Choose **Forward events to Azure Event Hubs**.
6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
In order to get your **Event Hubs resource ID**, go to your Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
![Image of event hub resource Id](images/event-hub-resource-id.png)
7. Choose the events you want to stream and click Save.
7. Choose the events you want to stream and click **Save**.
## The schema of the events in the Event Hubs:
## The schema of the events in Azure Event Hubs:
```
{
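Review bot: the rewritten "Before you begin" step 2 nests bold markers (`**Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****`), which Markdown will not render as intended; close the first run before opening the inner one, e.g. `go to **Subscriptions > Your subscription > Resource Providers** and register **Microsoft.insights**.` Two smaller points in the same hunk: step 1 now lowercases "event hub" while step 6 and the heading keep "Event Hubs", so one form should be chosen, and the unchanged "Log in ... with a Global Admin user" line states a very high-privilege requirement without saying why it is needed, which is worth a sentence for readers who must justify the role.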
@ -60,7 +60,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
}
```
- Each event hub message in Event Hubs contains list of records.
- Each event hub message in Azure Event Hubs contains list of records.
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
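Review bot: the rewritten first bullet still reads "contains list of records" (missing article: "contains a list of records"), and the unchanged bullet below it has "the tenant it belongs" (should be "the tenant it belongs to"); since this list is being touched anyway, both fixes belong in this change. The storage document has the same "belongs" wording in its last hunk.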

@ -28,15 +28,15 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to > Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender ATP portal.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
4. Choose a Name to your new settings.
5. Choose **Forward events to Azure Storage**
4. Choose a name for your new settings.
5. Choose **Forward events to Azure Storage**.
6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
![Image of event hub resource Id](images/storage-account-resource-id.png)
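Review bot: the image alt text on the last line, `Image of event hub resource Id`, was carried over from the Event Hubs page, but this screenshot is `storage-account-resource-id.png`; change it to "Image of storage account resource ID". The hunk also leaves the portal name inconsistent: step 1 still says "Microsoft Defender ATP portal" while step 2 was changed to "Microsoft Defender Security Center", and step 1 is missing an article ("with a Global Admin user"). The nested bold in "Before you begin" step 2 (`... Register to **Microsoft.insights****`) has the same rendering problem as in the Event Hubs document and should be restructured the same way.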
@ -61,7 +61,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
```
- Each blob contains multiple rows.
- Each row contains the event name, the time Microsofte Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
## Data types mapping:
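Review bot: the "Microsofte" typo fix is correct, but the same line keeps "the tenant it belongs" (should be "the tenant it belongs to"), and "properties" is quoted plain here whereas the Event Hubs page renders it as "**properties**"; aligning the two keeps the schema bullets identical across the documents.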

@ -33,7 +33,7 @@ Microsoft Defender ATP supports streaming all the events available through [Adva
Topic | Description
:---|:---
[Stream Microsoft Defender ATP events to Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
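Review bot: the link text in the changed row was renamed to "Azure Event Hubs", but the description in the same cell still ends with "to Event Hubs", so the row is internally inconsistent; rewrite the description as "... to stream [Advanced Hunting](overview-hunting.md) to Azure Event Hubs." to match the renamed topic and the updated page heading.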