Configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account

Note

Try the new Microsoft Graph security API. For details, see Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Important

Some information in this article relates to a prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Before you begin

  1. Create a Storage account in your tenant.

  2. Sign in to the Azure portal, go to Subscriptions > Your subscription > Resource providers, and register the Microsoft.Insights resource provider. The Streaming API writes through this provider, so registration must succeed before you continue.

Add contributor permissions

Once the Storage account is created, you'll need to:

  1. Assign the Contributor role on the storage account to the user who will sign in to Microsoft Defender XDR to configure the Streaming API.

    Go to Storage Account > Access control (IAM) > Add > Add role assignment, select Contributor, assign it to that user, and verify the assignment under Role assignments. Scope the assignment to the storage account itself rather than the resource group or subscription; Contributor is a broad role, and the Streaming API setup only needs it on this one resource.

Enable raw data streaming

  1. Sign in to Microsoft Defender XDR with an account that has at least the Security Administrator role.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  2. Go to Settings > Microsoft Defender XDR > Streaming API. To go directly to the Streaming API page, use https://security.microsoft.com/settings/mtp_settings/raw_data_export.

  3. Select Add.

  4. In the Add new Streaming API settings flyout that appears, configure the following settings:

    1. Name: Choose a name for your new settings.

    2. Select Forward events to Azure Storage.

    3. Storage Account Resource ID: Paste the Azure Resource Manager resource ID of the storage account you created. To find it in the Azure portal:

      1. Navigate to your storage account.

      2. On the Overview page, in the Essentials section, select the JSON View link.

      3. The resource ID is displayed at the top of the page; copy the text under Storage Account Resource ID.

    4. Event types: Choose the Advanced Hunting event types that you want to stream.

  5. When you're finished, select Submit.

The schema of the events in the Storage account

  • A blob container is created for each event type you selected.

    (Screenshot: example of a blob container)

  • The schema of each row in a blob is the following JSON:

    {
            "time": "<The time Microsoft Defender XDR received the event>",
            "tenantId": "<Your tenant ID>",
            "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
            "properties": { <Microsoft Defender XDR Advanced Hunting event as JSON> }
    }
    
  • Each blob contains multiple rows, each of which is one JSON object in the schema above.

  • Each row contains the event name (category), the time Microsoft Defender XDR received the event, the tenant it belongs to (you'll only get events from your tenant), and the event itself in JSON format in a property called "properties".

  • For more information about the schema of Microsoft Defender XDR events, see Advanced Hunting overview.

Data types mapping

To get the data types of the properties in each event, do the following:

  1. Sign in to Microsoft Defender XDR and go to Hunting > Advanced hunting. To go directly to the Advanced hunting page, use https://security.microsoft.com/advanced-hunting.

  2. On the Query tab, run the following query, replacing {EventType} with the Advanced Hunting table name (for example, DeviceInfo), to get the data types mapping for that event:

    {EventType}
    | getschema
    | project ColumnName, ColumnType
    
  • Here's the same query for the DeviceInfo table:

    DeviceInfo
    | getschema
    | project ColumnName, ColumnType
    
    (Screenshot: an example DeviceInfo query)
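The two sections above describe the row schema written to the blobs and the `getschema` query that gives each column's KQL type. The following is an added example, not code from the Microsoft page: it parses the rows of one blob and coerces each property to the Python type implied by a `ColumnName -> ColumnType` mapping like the one `getschema` returns. It assumes each blob is newline-delimited JSON in the row schema shown on the page, that timestamps are ISO 8601 strings with a trailing `Z`, and that a `dynamic` column may arrive as a JSON-encoded string. The DeviceInfo schema subset, tenant ID and sample rows are all constructed for illustration; a real `getschema` result has many more columns. Rows carrying a `tenantId` other than your own are rejected rather than ingested, because the page states you only ever receive your own tenant's events, so such a row indicates a misrouted or tampered input.

```python
"""Parse and type-check Streaming API rows read from an Azure Storage blob."""
import json
from datetime import datetime

# Constructed subset of what `DeviceInfo | getschema | project ColumnName, ColumnType`
# returns (ColumnName -> ColumnType). A real run returns many more columns.
DEVICE_INFO_SCHEMA = {
    "Timestamp": "datetime",
    "DeviceId": "string",
    "DeviceName": "string",
    "OSPlatform": "string",
    "IsAzureADJoined": "bool",
    "LoggedOnUsers": "dynamic",
    "ReportId": "long",
}
# category -> schema; the category carries the 'AdvancedHunting-' prefix from the page.
SCHEMAS = {"AdvancedHunting-DeviceInfo": DEVICE_INFO_SCHEMA}

EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID


def _row(time, tenant, category, props):
    """Build one blob row in the page's schema (helper for the constructed sample)."""
    return json.dumps({"time": time, "tenantId": tenant, "category": category, "properties": props})


# Constructed sample blob: two valid DeviceInfo rows, one row carrying a foreign
# tenantId (must not happen, so it is rejected rather than ingested), one bad line.
SAMPLE_BLOB = "\n".join([
    _row("2024-05-01T10:00:00.000Z", EXPECTED_TENANT, "AdvancedHunting-DeviceInfo", {
        "Timestamp": "2024-05-01T09:59:58.123Z", "DeviceId": "a1b2c3",
        "DeviceName": "ws01.contoso.local", "OSPlatform": "Windows11",
        "IsAzureADJoined": "true",  # assumption: scalars may arrive as strings
        "LoggedOnUsers": '[{"UserName":"alice","DomainName":"CONTOSO"}]',
        "ReportId": "42",
    }),
    _row("2024-05-01T10:00:01.000Z", EXPECTED_TENANT, "AdvancedHunting-DeviceInfo", {
        "Timestamp": "2024-05-01T09:59:59Z", "DeviceId": "d4e5f6",
        "DeviceName": "srv02.contoso.local", "OSPlatform": "WindowsServer2022",
        "IsAzureADJoined": False, "LoggedOnUsers": [], "ReportId": 43,
    }),
    _row("2024-05-01T10:00:02.000Z", "99999999-8888-7777-6666-555555555555",
         "AdvancedHunting-DeviceInfo", {"DeviceId": "evil01"}),
    "this line is not JSON",
])


def kql_to_python(value, column_type):
    """Coerce a JSON value to the Python type implied by a KQL ColumnType."""
    if value is None:
        return None
    if column_type == "datetime":
        # fromisoformat() does not accept a trailing 'Z' before Python 3.11.
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if column_type in ("long", "int"):
        return int(value)
    if column_type == "real":
        return float(value)
    if column_type == "bool":
        return value if isinstance(value, bool) else str(value).strip().lower() in ("true", "1")
    if column_type == "dynamic":
        return json.loads(value) if isinstance(value, str) else value
    return str(value)  # string, guid and anything unknown stay as text


def parse_blob(text, tenant_id, schemas):
    """Parse one blob's rows.

    Returns (events_by_category, rejected): typed property dicts grouped by
    category, plus (line_number, reason) for every row that failed validation.
    """
    events, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(row, dict):
            rejected.append((lineno, "row is not a JSON object"))
            continue
        missing = {"time", "tenantId", "category", "properties"} - row.keys()
        if missing:
            rejected.append((lineno, f"missing fields: {sorted(missing)}"))
            continue
        if row["tenantId"] != tenant_id:  # page: only your tenant's events arrive
            rejected.append((lineno, f"unexpected tenantId {row['tenantId']}"))
            continue
        schema = schemas.get(row["category"])
        if schema is None:
            rejected.append((lineno, f"no schema for category {row['category']}"))
            continue
        try:
            typed = {name: kql_to_python(row["properties"].get(name), ctype)
                     for name, ctype in schema.items()}
            typed["_received"] = kql_to_python(row["time"], "datetime")
        except (ValueError, json.JSONDecodeError) as exc:
            rejected.append((lineno, f"type error: {exc}"))
            continue
        events.setdefault(row["category"], []).append(typed)
    return events, rejected


if __name__ == "__main__":
    parsed, bad = parse_blob(SAMPLE_BLOB, EXPECTED_TENANT, SCHEMAS)
    for category, rows in parsed.items():
        print(f"{category}: {len(rows)} typed rows")
    for lineno, reason in bad:
        print(f"rejected line {lineno}: {reason}")
```

Run the script as-is to see the two accepted rows and the two rejections. In a real pipeline, replace `SAMPLE_BLOB` with the blob contents read from the storage account and build `SCHEMAS` from the `getschema` output of each table you stream; the coercion rules are the part that does not change between tables.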

Monitoring created resources

You can monitor the resources created by the streaming API using Azure Monitor. For more information, see Monitor destinations - Azure Monitor | Microsoft Docs.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.