Microsoft Defender XDR Streaming API
We have an API configured, and it is my understanding that you should be able to tie directly to a Sentinel workspace and it should be configured like the image. But none of the options are selected for Event Hub connections or Storage accounts. For any NEW connections, an Event Hub or Storage account is required before it can be created.
We are trying to understand the ramifications of making changes to these APIs, knowing that the requirements have changed for them.
Our concern is: if we try to enable an Event Hub, will we be able to go back to the current configuration if necessary?
Delete may be the only option, and recreate with an Event Hub connection. That is what we are trying to nail down.
Can we modify it in any way, or is it a delete and restart with no ability to go back to the current configuration?