Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Prerequisites

Prior to configuring Microsoft 365 Defender to stream data to Event Hubs, ensure the following prerequisites are fulfilled:

  1. Create an Event Hub (for information, see Set up Event Hubs).

  2. Create an Event Hubs namespace (for information, see Set up Event Hubs namespace).

  3. Add permissions to the entity that has Contributor privileges so that it can export data to the Event Hub. For more information on adding permissions, see Add permissions.

Note

The Streaming API can be integrated either via Event Hubs or Azure Storage Account.

Enable raw data streaming

  1. Log on to Microsoft 365 Defender portal as a Global Administrator or Security Administrator.

  2. Go to the Streaming API settings page.

  3. Click on Add.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hub.

  6. Select whether to export the event data to a single Event Hub, or to export each event table to a different Event Hub in your Event Hubs namespace.

  7. To export the event data to a single Event Hub, enter your Event Hub name and your Event Hub resource ID.

    To get your Event Hub resource ID, go to your Azure Event Hubs namespace page on Azure > Properties tab > copy the text under Resource ID:

    An Event Hub resource ID

  8. Go to the Supported Microsoft 365 Defender event types in event streaming API to review the support status of event types in the Microsoft 365 Streaming API.

  9. Choose the events you want to stream and click Save.

The schema of the events in Azure Event Hub

{
   "records": [
               {
                  "time": "<The time Microsoft 365 Defender received the event>",
                  "tenantId": "<The Id of the tenant that the event belongs to>",
                  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
                  "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
               },
               ...
            ]
}
  • Each message in Azure Event Hubs contains a list of records.

  • Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs to (you'll only get events from your tenant), and the event in JSON format in a property called "properties".

  • For more information about the schema of Microsoft 365 Defender events, see Advanced Hunting overview.

  • In Advanced Hunting, the DeviceInfo table has a column named MachineGroup that contains the group of the device. In the streamed data, every event is decorated with this column as well.
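A consumer-side parser for the message shape described above, added here as an example (not code from the page or from Microsoft): it validates each record, rejects anything whose tenantId is not the expected tenant, strips the 'AdvancedHunting-' prefix to recover the table name, and surfaces the MachineGroup decoration. The sample message and tenant IDs are constructed for illustration.

```python
import json
from datetime import datetime, timezone

PREFIX = "AdvancedHunting-"
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample Event Hubs message in the documented "records" envelope.
# The third record carries a foreign tenantId and must be rejected.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-15T10:03:11.000Z",
     "tenantId": "00000000-0000-0000-0000-000000000001",
     "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "ws01.example.local",
                    "OSPlatform": "Windows11", "MachineGroup": "Finance"}},
    {"time": "2024-01-15T10:03:12.000Z",
     "tenantId": "00000000-0000-0000-0000-000000000001",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01.example.local",
                    "FileName": "powershell.exe", "MachineGroup": "Finance"}},
    {"time": "2024-01-15T10:03:13.000Z",
     "tenantId": "00000000-0000-0000-0000-000000000099",
     "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "unexpected"}},
]})


def parse_message(body, expected_tenant):
    """Return (accepted, rejected): normalised records and a count of drops.

    A record is dropped when its category lacks the prefix, its properties
    is not an object, its time does not parse, or its tenantId differs from
    expected_tenant (the stream should only ever carry your own tenant).
    """
    accepted, rejected = [], 0
    for rec in json.loads(body).get("records", []):
        category, props = rec.get("category", ""), rec.get("properties")
        try:
            received = datetime.strptime(rec.get("time", ""), TIME_FMT)
        except ValueError:
            rejected += 1
            continue
        if (not category.startswith(PREFIX) or not isinstance(props, dict)
                or rec.get("tenantId") != expected_tenant):
            rejected += 1
            continue
        accepted.append({"table": category[len(PREFIX):],
                         "received": received.replace(tzinfo=timezone.utc),
                         "machine_group": props.get("MachineGroup"),
                         "event": props})
    return accepted, rejected


def count_by_table(records):
    """Per-table event counts, handy for comparing with the capacity estimate."""
    counts = {}
    for r in records:
        counts[r["table"]] = counts.get(r["table"], 0) + 1
    return counts
```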

Data types mapping

To get the data types for event properties, do the following steps:

  1. Log on to Microsoft 365 Defender and go to Advanced Hunting page.

  2. Run the following query to get the data types mapping for each event:

    {EventType}
    | getschema
    | project ColumnName, ColumnType
    
  • Here's an example for the DeviceInfo event:

    An example query for device info

Estimating initial Event Hub capacity

The following Advanced Hunting query can help provide a rough estimate of data volume throughput and initial Event Hub capacity, based on events per second and estimated MB per second. We recommend running the query during regular business hours so that it captures 'real' throughput.

let bytes_ = 500; // assumed average event size in bytes
union withsource=MDTables *
| where Timestamp > startofday(ago(6h))
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = count_ / 60 // events per second per one-minute bin
| summarize avg(EPS), estimatedMBPerSec = (avg(EPS) * bytes_) / (1024*1024) by MDTables
| sort by toint(estimatedMBPerSec) desc

Monitoring created resources

You can monitor the resources created by the streaming API using Azure Monitor. For more information, see Log Analytics workspace data export in Azure Monitor.