
Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs

Applies to:

Note

For the full data streaming experience, see Stream Microsoft Defender XDR events | Microsoft Learn.

Want to experience Defender for Endpoint? Sign up for a free trial.

Before you begin

  1. Create an event hub in your tenant.

  2. Sign in to your Azure tenant, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Enable raw data streaming

  1. Sign in to the Microsoft Defender portal as a Security Administrator.

  2. Go to the Data export settings page in the Microsoft Defender portal.

  3. Select Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hubs.

  6. Type your Event Hubs name and your Event Hubs resource ID.

Note

Leaving the Event Hubs name empty creates one event hub for each selected category in the namespace. Event Hubs namespaces are limited to 10 event hubs unless you use a Dedicated Event Hubs Cluster.

To get your Event Hubs resource ID, go to your Azure Event Hubs namespace page in Azure > Properties tab, and copy the text under Resource ID:

[Screenshot: the Resource ID field on the Event Hubs namespace Properties tab]

  7. Choose the events you want to stream and select Save.

The schema of the events in Azure Event Hubs

{
    "records": [
                    {
                        "time": "<The time WDATP received the event>",
                        "tenantId": "<The Id of the tenant that the event belongs to>",
                        "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
                        "properties": { <WDATP Advanced Hunting event as Json> }
                    },
                    ...
                ]
}
  • Each event hub message in Azure Event Hubs contains a list of records.

  • Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs to (you only get events from your tenant), and the event in JSON format in a property called "properties".

  • For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview.

  • In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here, every event is decorated with this column as well. For more information, see Device Groups.

    Note

    Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Data types mapping

To get the data types for event properties, do the following:

  1. Sign in to Microsoft Defender portal and go to Advanced Hunting page.

  2. Run the following query to get the data types mapping for each event:

    {EventType}
    | getschema
    | project ColumnName, ColumnType

Here's an example for the DeviceInfo event:

[Screenshot: getschema output listing ColumnName and ColumnType for DeviceInfo]
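The following consumer-side parser is an added example and not Microsoft's code. It ties the two preceding sections together: it validates the record envelope shown above (time, tenantId, category, properties), routes each record by stripping the AdvancedHunting- prefix from the category, and coerces the JSON property values using a column-type map of the kind the `| getschema` query returns. The sample message and the DeviceInfo column types are constructed for the example; run the query in your own tenant for the real types. Feeding the message body from an Event Hubs client is left out so the example runs offline.

```python
"""Validate and type-coerce Advanced Hunting records from an Event Hubs message.

Added example (not Microsoft's code). Assumes the envelope layout documented
on this page and a constructed getschema-style column-type map.
"""
import json
from datetime import datetime
from typing import Any, Dict, List

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id

# Constructed sample message in the documented envelope shape; a real consumer
# would receive this as the body of an Event Hubs event.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2024-05-01T10:15:30.1234567Z",
            "tenantId": TENANT,
            "category": "AdvancedHunting-DeviceInfo",
            "properties": {
                "Timestamp": "2024-05-01T10:15:29.0000000Z",
                "DeviceId": "0123456789abcdef0123456789abcdef01234567",
                "DeviceName": "ws-finance-01.contoso.local",
                "OSPlatform": "Windows10",
                "IsAzureADJoined": "true",
                "ReportId": "12345",
                "MachineGroup": "Finance",
            },
        },
        {   # a record from a second table, to show routing by category
            "time": "2024-05-01T10:15:31.0000000Z",
            "tenantId": TENANT,
            "category": "AdvancedHunting-DeviceProcessEvents",
            "properties": {"DeviceName": "ws-finance-01.contoso.local",
                           "FileName": "cmd.exe", "MachineGroup": "Finance"},
        },
    ]
})

# Constructed subset of `DeviceInfo | getschema | project ColumnName, ColumnType`.
DEVICEINFO_SCHEMA = {
    "Timestamp": "datetime", "DeviceId": "string", "DeviceName": "string",
    "OSPlatform": "string", "IsAzureADJoined": "bool", "ReportId": "long",
    "MachineGroup": "string",
}

REQUIRED = ("time", "tenantId", "category", "properties")
PREFIX = "AdvancedHunting-"


def parse_kusto_datetime(value: str) -> datetime:
    """Kusto emits 7 fractional digits and a 'Z'; fromisoformat wants 6 and an offset."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".")
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value + "+00:00")


def coerce(value: Any, kusto_type: str) -> Any:
    """Map a JSON value to a Python value according to its Kusto column type."""
    if value is None:
        return None
    if kusto_type == "datetime":
        return parse_kusto_datetime(str(value))
    if kusto_type in ("long", "int"):
        return int(value)
    if kusto_type == "real":
        return float(value)
    if kusto_type == "bool":
        return value if isinstance(value, bool) else str(value).lower() == "true"
    if kusto_type == "dynamic":
        return json.loads(value) if isinstance(value, str) else value
    return str(value)  # string, guid and anything unknown stay as text


def parse_message(body: str, schemas: Dict[str, Dict[str, str]],
                  expected_tenant: str) -> List[Dict[str, Any]]:
    """Validate the envelope, reject records that are not ours, coerce property types."""
    envelope = json.loads(body)
    out: List[Dict[str, Any]] = []
    for rec in envelope.get("records", []):
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"record missing fields: {missing}")
        if rec["tenantId"] != expected_tenant:
            # The page says you only receive your own tenant's events; fail loudly if not.
            raise ValueError("record from unexpected tenant")
        if not rec["category"].startswith(PREFIX):
            raise ValueError(f"unexpected category {rec['category']!r}")
        table = rec["category"][len(PREFIX):]
        schema = schemas.get(table, {})  # unknown tables keep string values
        props = {k: coerce(v, schema.get(k, "string")) for k, v in rec["properties"].items()}
        out.append({
            "table": table,
            "received": parse_kusto_datetime(rec["time"]),
            "machine_group": props.get("MachineGroup"),  # added to every event, per the page
            "properties": props,
        })
    return out


if __name__ == "__main__":
    for r in parse_message(SAMPLE_MESSAGE, {"DeviceInfo": DEVICEINFO_SCHEMA}, TENANT):
        print(r["table"], r["machine_group"], r["received"].isoformat())
```

Keying the schema map by table name lets one consumer handle every category you enabled in the data export settings, and the unknown-table fallback keeps ingestion running when you add a new category before updating the type map.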

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.