Stream Microsoft Defender XDR events to your storage account

Applies to:

Note

Try our new APIs using MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Before you begin

  • Create a Storage account in your tenant.
  • Sign in to your Azure tenant, and go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights.

Add contributor permissions

Once the storage account is created, assign the Contributor role to the user who is signing in.

  1. Go to Storage Account > Access control (IAM), and then select Add.

  2. Verify the user is listed under Role assignments.

Enable raw data streaming

Note

When using the Streaming API to an Azure Storage account, ensure the option Allow trusted Microsoft services to access this storage account is enabled in the storage account settings to allow for data to be streamed from Microsoft Defender for Endpoint.

  1. Go to the Microsoft Defender portal and sign in using an account with at least Security Administrator permissions.

    Important

    Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  2. Go to Settings > Microsoft Defender XDR > Streaming API. To go directly to the Streaming API page, use https://security.microsoft.com/settings/mtp_settings/raw_data_export.

  3. Select Add.

  4. In the Add new Streaming API settings flyout that appears, configure the following settings:

    • Name: Choose a name for your new settings.
    • Select Forward events to Azure Storage.
  5. To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:

    1. Navigate to your storage account in the Azure portal.

    2. In the Overview page, in the Essentials section, select the JSON View link.

    3. The resource ID for the storage account is displayed at the top of the page. Copy the text under Storage Account Resource ID.

  6. In the Add new Streaming API settings flyout, choose the Event types that you want to stream.

  7. When you're finished, select Submit.

The schema of the events in the Storage account

  • A blob container is created for each event type:

    Example of a blob container

  • The schema of each row in a blob is the following JSON:

    {
        "time": "<The time Microsoft Defender XDR received the event>",
        "tenantId": "<Your tenant ID>",
        "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
        "properties": { <Microsoft Defender XDR Advanced Hunting event as Json> }
    }
    
  • Each blob contains multiple rows.

  • Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs to (you'll only get events from your tenant), and the event in JSON format in a property called "properties".

  • For more information about the schema of Microsoft Defender XDR events, see Advanced Hunting overview.
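As an added example (not part of this article or of Microsoft's tooling), the following Python loader checks streamed rows against the row schema above, discards rows with missing fields or from an unexpected tenant, and groups the rest by Advanced Hunting table name. The one-row-per-line blob layout and the sample rows are constructed assumptions; the page only fixes the per-row schema.

```python
import json
from collections import defaultdict

PREFIX = "AdvancedHunting-"
REQUIRED = ("time", "tenantId", "category", "properties")

# Constructed sample blob content (not real telemetry). One JSON row per line is an
# assumption about the on-disk layout; the page only fixes the per-row schema.
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_BLOB = "\n".join([
    json.dumps({"time": "2024-05-01T10:00:00Z", "tenantId": EXPECTED_TENANT,
                "category": "AdvancedHunting-DeviceInfo",
                "properties": {"DeviceName": "host1", "OSPlatform": "Windows10"}}),
    json.dumps({"time": "2024-05-01T10:00:05Z", "tenantId": EXPECTED_TENANT,
                "category": "AdvancedHunting-DeviceProcessEvents",
                "properties": {"DeviceName": "host1", "FileName": "cmd.exe"}}),
    json.dumps({"time": "2024-05-01T10:00:07Z", "tenantId": EXPECTED_TENANT,
                "category": "AdvancedHunting-DeviceInfo",
                "properties": {"DeviceName": "host2", "OSPlatform": "Linux"}}),
    # Row from another tenant: the stream should never carry one, so treat it as a defect.
    json.dumps({"time": "2024-05-01T10:00:09Z", "tenantId": "22222222-2222-2222-2222-222222222222",
                "category": "AdvancedHunting-DeviceInfo", "properties": {}}),
    # Row missing the tenantId and properties fields.
    '{"time": "2024-05-01T10:00:10Z", "category": "AdvancedHunting-DeviceInfo"}',
])


def parse_blob(text, expected_tenant):
    """Parse streamed rows; return (events grouped by Advanced Hunting table, rejected row indexes)."""
    by_table = defaultdict(list)
    rejected = []
    for idx, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(idx)
            continue
        # Every row must carry the four schema fields and a prefixed category.
        if any(key not in row for key in REQUIRED) or not str(row["category"]).startswith(PREFIX):
            rejected.append(idx)
            continue
        # The page states you only receive your own tenant's events; enforce that on ingest.
        if row["tenantId"] != expected_tenant:
            rejected.append(idx)
            continue
        table = row["category"][len(PREFIX):]  # e.g. "DeviceInfo", the Advanced Hunting table name
        by_table[table].append({"time": row["time"], **row["properties"]})
    return dict(by_table), rejected
```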

Data types mapping

To get the data types for event properties, follow these steps:

  1. Go to the Microsoft Defender portal and sign in.

  2. Go to Hunting > Advanced hunting. To go directly to the Advanced hunting page, use https://security.microsoft.com/advanced-hunting.

  3. On the Query tab, run the following query to get the data types mapping for each event:

    {EventType}
    | getschema
    | project ColumnName, ColumnType
    

    Here's an example for Device Info event:

    An example device info query

Monitoring created resources

You can monitor the resources created by the streaming API using Azure Monitor. For more information, see Monitor destinations - Azure Monitor.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.