windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
2020-02-20 16:12:05 +02:00

---
title: Stream Microsoft Defender Advanced Threat Protection events to your Storage account
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Before you begin:

  1. Create a Storage account in your tenant.
  2. Log in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.
  3. Go to Settings > Advanced Features > Preview features and turn Preview features On.

Enable raw data streaming:

  1. Log in to the Microsoft Defender ATP portal with a Global Admin user.
  2. Go to the Data export settings page in Microsoft Defender Security Center.
  3. Click on Add data export settings.
  4. Choose a name for your new settings.
  5. Choose Forward events to Azure Storage.
  6. Type your Storage Account Resource ID. To get it, go to your Storage account page in the Azure portal > Properties tab, and copy the text under Storage account resource ID:

Image of storage account resource ID

  7. Choose the events you want to stream and click Save.

The schema of the events in the Storage account:

  • A blob container will be created for each event type:

Image of event hub resource Id

  • The schema of each row in a blob is the following JSON:

```json
{
    "time": "<The time WDATP received the event>",
    "tenantId": "<Your tenant ID>",
    "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
    "properties": { <WDATP Advanced Hunting event as JSON> }
}
```
  • Each blob contains multiple rows.
  • Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs to (you will only get events from your tenant), and the event in JSON format in a property called "properties".
  • For more information about the schema of Microsoft Defender ATP events, see Advanced Hunting overview.
  • In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the machine. Here, every event is decorated with this column as well. See Machine Groups for more information.
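As an added example (not part of this article or of the product), a small Python consumer that reads the rows of one exported blob, validates each row against the schema above, strips the AdvancedHunting- prefix to recover the table name, and pulls out the MachineGroup decoration. The blob content and tenant ID are constructed samples.

```python
import json
from collections import Counter
# Constructed sample of one exported blob: one JSON row per line in the
# time/tenantId/category/properties schema. Values are illustrative, not real data.
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_BLOB = "\n".join([
    json.dumps({"time": "2020-02-20T14:12:05Z", "tenantId": TENANT,
                "category": "AdvancedHunting-DeviceInfo",
                "properties": {"DeviceName": "wks-01", "OSPlatform": "Windows10",
                               "MachineGroup": "Finance"}}),
    json.dumps({"time": "2020-02-20T14:12:07Z", "tenantId": TENANT,
                "category": "AdvancedHunting-DeviceProcessEvents",
                "properties": {"DeviceName": "wks-01", "FileName": "powershell.exe",
                               "MachineGroup": "Finance"}}),
    "this line is not JSON",  # malformed row, must be rejected
])

REQUIRED = ("time", "tenantId", "category", "properties")
PREFIX = "AdvancedHunting-"

def parse_rows(blob_text, expected_tenant):
    """Parse one blob's rows; returns (events, rejected_count). Keeps the table name
    (category minus prefix), receive time, MachineGroup and the raw event; malformed,
    incomplete or foreign-tenant rows are counted as rejected."""
    events, rejected = [], 0
    for line in blob_text.splitlines():
        if not line.strip():
            continue  # blobs may end with a trailing newline
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if (not isinstance(row, dict) or any(k not in row for k in REQUIRED)
                or not isinstance(row["properties"], dict)
                or row["tenantId"] != expected_tenant
                or not str(row["category"]).startswith(PREFIX)):
            rejected += 1
            continue
        events.append({
            "table": row["category"][len(PREFIX):],
            "received": row["time"],
            "machine_group": row["properties"].get("MachineGroup"),
            "event": row["properties"],
        })
    return events, rejected

def count_by_table(events):
    """Tally events per table, mirroring the one-container-per-event-type layout."""
    return dict(Counter(e["table"] for e in events))
```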

Data types mapping:

To get the data types of the event properties, do the following:

  1. Log in to Microsoft Defender Security Center and go to the Advanced Hunting page.
  2. Run the following query to get the data types mapping for each event:

```kusto
{EventType}
| getschema
| project ColumnName, ColumnType
```

  • Here is an example for the Machine Info event:

Image of event hub resource ID