Microsoft Defender Advanced Threat Hunting
- Miguel Lauriano
- Aparna Rr
About the Device
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
You can use the threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
Device Information
 Entity | Particulars |
|---|---|
Vendor Name | Microsoft |
Product Name | Defender Advanced Threat Hunting |
Type of Device | Cloud |
Collection Method
Log Type | Â Ingestion label | Preferred Logging Protocol - Format | Log collection method |
|---|---|---|---|
Microsoft Defender for Endpoint | MICROSOFT_DEFENDER_ENDPOINT | JSON | CyberHub |
Device Configuration
Prerequisites:
An Azure subscription that you can sign in to.
A user with either the Global Administrator or Microsoft Defender Advanced Threat Hunting Administrator role.
Azure Storage Account to store the logs or an Event Hub to stream the logs.Â
Log in to your Azure tenant, navigate to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.
Reference URLs
How to create storage account: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal
How to configure Event Hub: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create
To enable raw data streaming
Log in to Microsoft Defender for Endpoint portal as a Global Administrator or Security Administrator.
Navigate to Data export settings on Microsoft Defender Security Center.
Click Add data export.
Choose a name for your new settings.
As per customer requirement, either you can store logs in Storage Account or stream the logs to Event Hub.
To archive to a storage account
Choose Forward events to Azure Storage.
Type your Storage Account Resource ID. In order to get your Storage Account Resource ID, navigate to your Storage account page on Azure portal > properties tab > copy the text under Storage account resource ID.
Choose the events you want to stream and click Save.
The schema of the events in the Storage account
A blob container will be created for each event type:
The schema of each row in a blob is the following JSON:
{
"time": "<The time WDATP received the event>"
"tenantId": "<Your tenant ID>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}Each blob contains multiple rows. Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview. In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well. See Device Groups for more information.
To Stream logs to an event hub
Choose Forward events to Azure Event Hubs.
Type your Event Hubs name and your Event Hubs resource ID.
In order to get your Event Hubs resource ID, go to your Azure Event Hubs namespace page on Azure > properties tab > copy the text under Resource ID:
Choose the events you want to stream and click Save.
The schema of the events in Azure Event Hubs
{
"records": [
{
"time": "<The time WDATP received the event>"
"tenantId": "<The Id of the tenant that the event belongs to>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}
...
]
}Each event hub message in Azure Event Hubs contains list of records. Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview. In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well. See Device Groups for more information.
Integration Parameters
Parameters required from customer for Integration.
Via Azure Storage:
Property | Default Value | Description |
|---|---|---|
Logging Source | N/A | Select Storage |
eventHubConnectionString | N/A | N/A (keep blank) |
consumerGroupName | N/A | N/A (keep blank) |
Account Key | Custome value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name e.g. |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Subscription ID that customer wants to be monitored |
initialReadPolicy | N/A | Select Beginning to start reading from beginning and End to start reading logs from the end |
Via Azure EventHub:
Property | Default Value | Description |
|---|---|---|
Logging Source | N/A | Select EventHub |
eventHubConnectionString | N/A | Event hub connection string |
consumerGroupName | N/A | Optional and used if consumer Group is other than default |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Set EventHub name |
initialReadPolicy | N/A | N/A (keep default selection) |
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.