...
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
---|---|---|---|
Microsoft Defender for Endpoint | MICROSOFT_DEFENDER_ENDPOINT (Raw log telemetry) | JSON | CyberHub |
Device Configuration
Please follow the steps below to enable raw log telemetry.
Prerequisites:
- An Azure subscription that you can sign in to.
- A user with either the Global Administrator or Microsoft Defender Advanced Threat Hunting Administrator role.
- An Azure Storage Account to store the logs or an Event Hub to stream the logs.
Log in to your Azure tenant, navigate to Subscriptions > Your subscription > Resource Providers, and register Microsoft.insights.
...
Parameters required from the customer for the integration:
Via Azure Storage:
Property | Default Value | Description |
---|---|---|
Logging Source | N/A | Select Storage |
eventHubConnectionString | N/A | N/A (keep blank) |
consumerGroupName | N/A | N/A (keep blank) |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name e.g. |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Subscription ID that the customer wants to be monitored |
initialReadPolicy | N/A | Select Beginning to start reading logs from the beginning, or End to start reading from the end |
Via Azure EventHub:
Property | Default Value | Description |
---|---|---|
Logging Source | N/A | Select EventHub |
eventHubConnectionString | N/A | Event hub connection string |
consumerGroupName | N/A | Optional; used if the consumer group is other than the default |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Set EventHub name |
initialReadPolicy | N/A | N/A (keep default selection) |
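An added example (not CyberHub's own code) that sanity-checks a parameter set against the two tables above before it is saved: the field names are the ones in the tables, which fields are required per Logging Source is this example's reading of them, the connection-string layout is Azure's standard `Key=Value;Key=Value` form, and all sample values are constructed.

```python
# Validate a CyberHub parameter set for Defender for Endpoint raw telemetry.
from typing import Dict, List

SECRET_FIELDS = ("Account Key", "eventHubConnectionString")
COMMON_REQUIRED = ("Account Key", "Storage Account Name", "Subscription")
# Constructed sample values, not real credentials or a real namespace.
SAMPLE_EVENTHUB = {"Logging Source": "EventHub", "Account Key": "constructed-key",
                   "Storage Account Name": "mdestorage", "Subscription": "mde-hub",
                   "eventHubConnectionString": "Endpoint=sb://ns.servicebus.windows.net/;SharedAccessKeyName=listen;SharedAccessKey=c2FtcGxl==;EntityPath=mde-hub"}

def parse_eventhub_connection_string(conn: str) -> Dict[str, str]:
    """Split Azure's 'Key=Value;Key=Value' form; partition() keeps the '=' padding in SharedAccessKey."""
    fields = {}
    for segment in conn.strip().strip(";").split(";"):
        if segment:
            key, _, value = segment.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def validate_integration(params: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the parameter set is consistent."""
    problems = [f"{n} is required" for n in COMMON_REQUIRED if not params.get(n)]
    source = params.get("Logging Source", "")
    if source == "Storage":
        if not params.get("Blob Container"):
            problems.append("Blob Container is required for Storage")
        for name in ("eventHubConnectionString", "consumerGroupName"):  # must stay blank
            if params.get(name):
                problems.append(f"{name} must be blank for Storage")
        if params.get("initialReadPolicy") not in ("Beginning", "End"):
            problems.append("initialReadPolicy must be Beginning or End")
    elif source == "EventHub":
        fields = parse_eventhub_connection_string(params.get("eventHubConnectionString", ""))
        for key in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
            if not fields.get(key):
                problems.append(f"eventHubConnectionString is missing {key}")
        if not fields.get("Endpoint", "").startswith("sb://"):
            problems.append("Endpoint must use the sb:// scheme")
    else:
        problems.append("Logging Source must be Storage or EventHub")
    return problems

def redact(params: Dict[str, str]) -> Dict[str, str]:
    """Copy that is safe to paste into a ticket or log: account key and connection string masked."""
    return {k: ("***" if k in SECRET_FIELDS and v else v) for k, v in params.items()}

if __name__ == "__main__":
    print(validate_integration(SAMPLE_EVENTHUB), redact(SAMPLE_EVENTHUB))
```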