...
You can use the threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Defender Advanced Threat Hunting |
Type of Device | Cloud |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
---|---|---|---|
Microsoft Defender for Endpoint | MICROSOFT_DEFENDER_ENDPOINT (Raw log telemetry) | JSON | CyberHub |
Device Configuration
Please follow the steps below to enable raw log telemetry.
Prerequisites:
An Azure subscription that you can sign in to.
A user with either the Global Administrator or Microsoft Defender Advanced Threat Hunting Administrator role.
An Azure Storage Account to store the logs or an Event Hub to stream the logs.
Log in to your Azure tenant, navigate to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.
Reference URLs
How to create storage account: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal
How to configure Event Hub: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create
To enable raw data streaming
Log in to the Microsoft Defender for Endpoint portal as a Global Administrator or Security Administrator.
Navigate to the Data export settings page on Microsoft Defender Security Center.
Click on Add data export settings.
Choose a name for your new settings.
Depending on customer requirements, you can either store the logs in a Storage Account or stream them to an Event Hub.
A. To archive to a storage account
Choose Forward events to Azure Storage.
Type your Storage Account Resource ID. To get your Storage Account Resource ID, navigate to your Storage account page on the Azure portal > Properties tab > copy the text under Storage account resource ID.
...
Choose the events you want to stream and click Save.
...
Each blob contains multiple rows. Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs to (you will only get events from your tenant), and the event in JSON format in a property called "properties". For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview. In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Every exported event is decorated with this column as well. See Device Groups for more information.
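The row layout described above, as an added example that is not part of the original page or of Microsoft's own tooling: a small reader that walks one exported blob line by line, flattens each row into a record (event name, received time, tenant, MachineGroup, properties) and survives a corrupt line rather than aborting the whole blob. The sample blob is constructed, and the key names other than "properties" ("time", "tenantId", "category") are assumptions for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of one exported blob: JSON lines, one row per event.
# Only "properties" is named by the page; the other keys are assumptions.
SAMPLE_BLOB = "\n".join([
    json.dumps({
        "time": "2024-05-01T10:15:30.000Z",
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "category": "AdvancedHunting-DeviceInfo",
        "properties": {"DeviceName": "ws01.example.test",
                       "MachineGroup": "Finance", "OSPlatform": "Windows10"},
    }),
    json.dumps({
        "time": "2024-05-01T10:16:02.000Z",
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "category": "AdvancedHunting-DeviceProcessEvents",
        "properties": {"DeviceName": "ws01.example.test",
                       "MachineGroup": "Finance", "FileName": "powershell.exe"},
    }),
    "{not valid json",  # a corrupt line the reader must skip, not crash on
])


def parse_blob(text):
    """Return (records, skipped): one flat record per well-formed row."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            row = json.loads(line)
            props = row["properties"]
            if not isinstance(props, dict):
                raise ValueError("properties is not a JSON object")
            received = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            records.append({
                "event": row["category"],
                "received": received.replace(tzinfo=timezone.utc),
                "tenant": row["tenantId"],
                "machine_group": props.get("MachineGroup"),  # decorated column
                "properties": props,
            })
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count bad rows so gaps in ingestion are visible
    return records, skipped


def events_by_group(records):
    """Count events per MachineGroup to check which device groups the export covers."""
    counts = {}
    for r in records:
        counts[r["machine_group"]] = counts.get(r["machine_group"], 0) + 1
    return counts
```

A non-zero skipped count on a production blob is worth alerting on, since silently dropped rows mean detection rules downstream are running on incomplete telemetry.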
B. To stream logs to an event hub
...
Parameters required from the customer for integration.
Via Azure Storage:
Property | Default Value | Description |
---|---|---|
IP Address | | Microsoft Defender Advanced Threat Hunting interface IP address |
Logging Source | N/A | Select Storage |
eventHubConnectionString | N/A | N/A (keep blank) |
consumerGroupName | N/A | N/A (keep blank) |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name e.g. |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Subscription ID that customer wants to be monitored |
initialReadPolicy | N/A | Select Beginning to start reading from the beginning and End to start reading logs from the end |
Via Azure EventHub:
Property | Default Value | Description |
---|---|---|
Logging Source | N/A | Select EventHub |
eventHubConnectionString | N/A | Event hub connection string |
consumerGroupName | N/A | Optional and used if consumer Group is other than default |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Set EventHub name |
initialReadPolicy | N/A | N/A (keep default selection) |