Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.

Applies to:


Before you begin:

  1. Create an event hub in your tenant.

  2. Sign in to the Azure portal for your tenant, go to **Subscriptions > Your subscription > Resource providers**, and register the **Microsoft.Insights** provider. Diagnostic data export requires this provider; if it is not registered, saving the export settings fails.

Enable raw data streaming:

  1. Log in to the Microsoft Defender Security Center as a Global Administrator or Security Administrator.

  2. Go to the Data export settings page on Microsoft Defender Security Center.

  3. Click on Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hubs.

  6. Type your Event Hubs name and your Event Hubs resource ID.

    To get the resource ID, open your Event Hubs namespace (not the individual event hub) in the Azure portal, select the Properties tab, and copy the value under Resource ID:

    [Image: Resource ID value on the Properties tab of the Event Hubs namespace]

  7. Choose the events you want to stream and click Save.

The schema of the events in Azure Event Hubs:

{
  "records": [
    {
      "time": "<The time Microsoft Defender for Endpoint received the event>",
      "tenantId": "<The ID of the tenant that the event belongs to>",
      "category": "<The Advanced Hunting table name with the 'AdvancedHunting-' prefix, e.g. AdvancedHunting-DeviceInfo>",
      "properties": { <The Advanced Hunting event as JSON> }
    },
    ...
  ]
}
  • Each Event Hubs message contains a list of records, so one message may carry many events.

  • Each record contains the event category (the Advanced Hunting table name with the "AdvancedHunting-" prefix), the time Microsoft Defender for Endpoint received the event, the tenant the event belongs to (you only receive events from your own tenant), and the event itself in JSON format in a property called "properties".

  • For more information about the schema of Microsoft Defender for Endpoint events, see Advanced Hunting overview.

  • In Advanced Hunting, the DeviceInfo table has a column named MachineGroup that holds the device group of the device. In the streamed data, every event from every table is decorated with this column, not only DeviceInfo rows, so you can route or filter on the device group without joining to DeviceInfo. See Device Groups for more information.

Data types mapping:

To get the data type of each event property, do the following:

  1. Log in to Microsoft Defender Security Center and go to the Advanced Hunting page.

  2. Run the following query, replacing {EventType} with the table name (for example, DeviceInfo), to get the column name and data type mapping for that event:

    {EventType}
    | getschema
    | project ColumnName, ColumnType
    
  • Here is an example of the output for the DeviceInfo table:

    [Image: getschema output for DeviceInfo, listing ColumnName and ColumnType]
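As an added example (not code from the article or from Microsoft), the following Python ties the two previous sections together: it parses one Event Hubs message body in the envelope shape documented above, checks that every record belongs to your own tenant, strips the "AdvancedHunting-" prefix to recover the table name, reads the MachineGroup decoration, and uses a getschema-style ColumnName/ColumnType mapping to cast the properties to typed values. The message body, tenant ID, device details and the trimmed DeviceInfo schema are constructed for this example; pulling messages from the hub itself (for instance with the azure-eventhub SDK) is outside the snippet.

```python
import json
from datetime import datetime, timezone

PREFIX = "AdvancedHunting-"

# Assumed output of `DeviceInfo | getschema | project ColumnName, ColumnType`,
# trimmed to the columns used in the sample below (constructed for this example;
# run the query in your own tenant to get the full, current list).
DEVICEINFO_SCHEMA = {
    "Timestamp": "datetime", "DeviceId": "string", "DeviceName": "string",
    "OSPlatform": "string", "IsAzureADJoined": "bool", "ReportId": "long",
    "MachineGroup": "string",
}
SCHEMAS = {"DeviceInfo": DEVICEINFO_SCHEMA}


def parse_kusto_datetime(text):
    """Parse a Kusto datetime: ISO 8601, UTC, up to 7 fractional digits, trailing Z.

    datetime.fromisoformat before Python 3.11 rejects 'Z' and 7-digit fractions,
    so the fraction is trimmed to microseconds and the zone is attached explicitly.
    """
    base, _, frac = text.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.fromisoformat(base).replace(microsecond=micro, tzinfo=timezone.utc)


def coerce(value, kusto_type):
    """Cast one JSON property to the Python type implied by its Kusto ColumnType."""
    if value is None:
        return None
    if kusto_type == "datetime":
        return parse_kusto_datetime(str(value))
    if kusto_type in ("long", "int"):
        return int(value)
    if kusto_type == "bool":
        return value if isinstance(value, bool) else str(value).lower() == "true"
    if kusto_type == "dynamic":
        # dynamic columns may arrive already parsed or as a JSON string
        return json.loads(value) if isinstance(value, str) else value
    return str(value)


def parse_message(body, expected_tenant):
    """Turn one Event Hubs message body into a list of normalised events.

    Every record is checked against expected_tenant: you should only ever receive
    your own tenant's events, so a mismatch is raised as a pipeline fault rather
    than silently ingested. Tables without a schema here keep string properties.
    """
    events = []
    for rec in json.loads(body)["records"]:
        if rec["tenantId"] != expected_tenant:
            raise ValueError(f"record from unexpected tenant {rec['tenantId']!r}")
        category = rec["category"]
        if not category.startswith(PREFIX):
            raise ValueError(f"unexpected category {category!r}")
        table = category[len(PREFIX):]
        schema = SCHEMAS.get(table, {})
        props = rec["properties"]
        events.append({
            "table": table,
            "received_at": parse_kusto_datetime(rec["time"]),
            # MachineGroup is added to every streamed event, not only DeviceInfo rows
            "machine_group": props.get("MachineGroup"),
            "properties": {k: coerce(v, schema.get(k, "string")) for k, v in props.items()},
        })
    return events


# Constructed sample message in the documented envelope shape; the tenant ID,
# device details and report ID are made up for this example.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_BODY = json.dumps({"records": [
    {
        "time": "2021-03-01T10:15:30.1234567Z",
        "tenantId": TENANT_ID,
        "category": "AdvancedHunting-DeviceInfo",
        "properties": {
            "Timestamp": "2021-03-01T10:15:00Z",
            "DeviceId": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
            "DeviceName": "ws-0042.corp.example", "OSPlatform": "Windows10",
            "IsAzureADJoined": True, "ReportId": 12345, "MachineGroup": "Workstations",
        },
    },
    {
        "time": "2021-03-01T10:15:31Z",
        "tenantId": TENANT_ID,
        "category": "AdvancedHunting-DeviceProcessEvents",
        "properties": {
            "Timestamp": "2021-03-01T10:14:59Z", "DeviceName": "ws-0042.corp.example",
            "FileName": "powershell.exe",
            "ProcessCommandLine": "powershell.exe -NoProfile -File backup.ps1",
            "MachineGroup": "Workstations",
        },
    },
]})

if __name__ == "__main__":
    for event in parse_message(SAMPLE_BODY, TENANT_ID):
        print(event["table"], event["machine_group"], event["properties"].get("Timestamp"))
```

In a real consumer the tenant check and the category check belong in front of any enrichment or SIEM forwarding: a wrong tenant or an unknown category means the export configuration or the hub itself is not what you expect, and that is worth an alert rather than a dropped record.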