Microsoft Defender ATP Streaming API - Public Preview - DIY example
Published Jul 23 2019 05:16 AM 7,973 Views
Microsoft

Stream your advanced hunting events to your Azure storage account and control your data with Azure storage lifecycle rules

10 Minutes | Low complexity

Oftentimes, organizations require better control over their raw data. Typical scenarios where increased control is needed include:

 

  • Data retention policies.
  • Business needs for long term investigations.
  • Integration with other security and big-data products.

To answer this need, Microsoft Defender ATP allows you to stream advanced hunting events to Azure Event Hubs or to an Azure storage account.

In this blog, I am going to demonstrate how you can easily stream your advanced hunting events to an Azure storage account and set an Azure blob storage lifecycle rule to move old data to low-cost storage.

 

Let’s start 

The following four simple steps will get you up and running with the required configurations:

  • Step 1: Create a storage account in your Azure tenant.
  • Step 2: Register to Microsoft.insights provider with your subscription.
  • Step 3: Enable raw data streaming in Microsoft Defender ATP Portal.
  • Step 4: Set an Azure blob lifecycle rule.

Note: you can find the full documentation for the raw data streaming API in this link.

 

Step 1: Create a storage account in your Azure tenant

To create an Azure storage account, follow these steps:

  1. Sign in to the Azure portal.
  2. Go to All Services > Storage Account.
  3. Click Add.
  4. In the Create storage account form, enter the following:

    1 – Choose your Azure subscription.

    2 – Choose the Resource Group you want to add the storage account to.

    3 – Give your new storage account a name.

    Leave all other fields set to their default values, or use the tooltip next to each setting to find out what it does.

  5. Select Review + Create to review your storage account settings and create the account.
  6. Select Create.
  7. Save your new storage account resource ID (you will need it in Step 3):
    • Go to Storage account > {your new storage account name} > Properties.
    • Copy the value in the “storage account resource ID” textbox and keep it for Step 3: Enable Raw data streaming in Microsoft Defender ATP Portal.

Done! You have successfully created a new storage account.

 

Step 2: Create a subscription to Microsoft.insights provider

  1. Log in to your Azure tenant.
  2. Go to Subscriptions > {Your subscription name}.
  3. Go to Resource Providers. Click on Microsoft.insights and select Register.

Done! You have successfully registered to the Microsoft.insights provider.

Step 3: Enable Raw data streaming in Microsoft Defender ATP Portal

  1. Log in to the Microsoft Defender ATP portal with a Global Admin role.
  2. Go to Interoperability > Data export settings > Add data export settings.
  3. Choose a name for your new settings.
  4. Select Forward events to Azure Storage.
  5. Type the Storage Account Resource ID you saved at the end of Step 1.
  6. Choose the event types you want to forward.
  7. Click Save.

Done! You have successfully enabled raw data streaming.

 

In about 5 minutes, data will start to be written to the blob storage.

You can view your raw data files on Azure portal:

Go to Storage account > {your new storage account name} > overview > Blobs.


 

You’ll see that a new file is created for each event type on an hourly basis.

 


The schema of each row in each file in the blob is the following JSON:

{
    "time": "",
    "tenantId": "",
    "category": "",
    "properties": { }
}
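The four-field schema above is all a downstream consumer needs in order to read the hourly files. The following Python is an added example, not code from the original post or from Microsoft: it parses a constructed sample of one such file (newline-delimited JSON, one record per line), rejects lines that do not match the schema instead of aborting the whole file, normalises the `time` field to UTC, and tallies records per `category`. The tenant id, category names, timestamps and property values in the sample are made up for this example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of an hourly export file: newline-delimited JSON records
# with the time / tenantId / category / properties schema described in the
# post. Every value here is invented for the example; line 4 is deliberately
# malformed and line 5 deliberately lacks the "properties" object.
SAMPLE_BLOB = """\
{"time": "2019-07-23T10:05:12.000Z", "tenantId": "00000000-0000-0000-0000-000000000000", "category": "AdvancedHunting-DeviceProcessEvents", "properties": {"DeviceName": "host-a", "FileName": "cmd.exe"}}
{"time": "2019-07-23T10:17:44.000Z", "tenantId": "00000000-0000-0000-0000-000000000000", "category": "AdvancedHunting-DeviceProcessEvents", "properties": {"DeviceName": "host-b", "FileName": "powershell.exe"}}
{"time": "2019-07-23T10:59:01.000Z", "tenantId": "00000000-0000-0000-0000-000000000000", "category": "AdvancedHunting-DeviceNetworkEvents", "properties": {"DeviceName": "host-a", "RemotePort": 443}}
not json at all
{"time": "2019-07-23T10:30:00.000Z", "tenantId": "00000000-0000-0000-0000-000000000000", "category": "AdvancedHunting-DeviceProcessEvents"}
"""

REQUIRED_FIELDS = ("time", "tenantId", "category", "properties")


def parse_record(line):
    """Parse one export line into a dict, or raise ValueError if it is off-schema."""
    record = json.loads(line)  # JSONDecodeError is a ValueError subclass
    if not isinstance(record, dict):
        raise ValueError("record is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    if not isinstance(record["properties"], dict):
        raise ValueError("properties is not an object")
    # Normalise the ISO 8601 timestamp (trailing Z) to an aware UTC datetime.
    record["time"] = datetime.fromisoformat(
        record["time"].replace("Z", "+00:00")
    ).astimezone(timezone.utc)
    return record


def summarize_blob(text):
    """Parse every line; return (counts per category, accepted records, rejected lines).

    Rejected lines are reported as (line number, reason) so an ingestion job
    can log them and continue rather than dropping the whole hourly file.
    """
    counts = Counter()
    accepted = []
    rejected = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        counts[rec["category"]] += 1
        accepted.append(rec)
    return counts, accepted, rejected


def hour_span(records):
    """Return (earliest, latest) timestamps, handy for confirming a file covers one hour."""
    times = [r["time"] for r in records]
    return min(times), max(times)


if __name__ == "__main__":
    counts, accepted, rejected = summarize_blob(SAMPLE_BLOB)
    for category, n in sorted(counts.items()):
        print("%-45s %d" % (category, n))
    print("rejected lines:", rejected)
    print("time span:", hour_span(accepted))
```

In a real pipeline the same functions would be run over each blob downloaded from the storage account; keeping the rejected-line list lets you alert on schema drift without losing the records that did parse.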

 

Step 4: Set Azure blob lifecycle rule

You now have your data stored in your storage blob. Let’s create a rule that sets the period of time for each stage in our data lifecycle.

 

I will demonstrate how I created a rule for the following lifecycle definition:


  • Move blob data from hot storage to cold storage after 30 days from last modification.
  • Move blob data from cold storage to archive storage after 90 days from last modification.
  • Delete blob data after 365 days from last modification.

 

  1. Open Azure Portal.
  2. Go to Storage account > {your new storage account name} > overview > Blob.
  3. Under Blob Service, select Lifecycle management -> Add rule.
  4. Give your new rule a name and select the settings you want the rule to apply.
  5. Click Review + add.

Done! You have successfully created an Azure storage lifecycle rule for your raw Microsoft Defender ATP data.
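The rule built in the portal above is stored behind the scenes as the storage account’s lifecycle management policy, a JSON document. The following Python is an added example, not code from the original post or from Microsoft: it builds that policy document for the 30/90/365-day definition described above, adds an ordering guard of its own (a rule whose archive threshold precedes its cool threshold is a mistake worth catching before it is applied), and lets you ask which tier a blob of a given age ends up in. The rule name and the container prefix are placeholders chosen for this example; the policy keys (`tierToCool`, `tierToArchive`, `delete`, `daysAfterModificationGreaterThan`, `prefixMatch`) are those of the Azure Storage management policy schema.

```python
import json


def lifecycle_policy(rule_name, cool_after, archive_after, delete_after, prefix=None):
    """Build an Azure Storage lifecycle management policy containing one rule.

    Thresholds are days since the blob was last modified. Raises ValueError if
    the stages are not strictly increasing (cool < archive < delete); this is
    the example's own sanity check, applied before the policy ever reaches Azure.
    """
    if not (0 <= cool_after < archive_after < delete_after):
        raise ValueError("stages must satisfy 0 <= cool < archive < delete")
    definition = {
        "actions": {
            "baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": cool_after},
                "tierToArchive": {"daysAfterModificationGreaterThan": archive_after},
                "delete": {"daysAfterModificationGreaterThan": delete_after},
            }
        },
        "filters": {"blobTypes": ["blockBlob"]},
    }
    if prefix:
        # Restrict the rule to the container the export writes into, so other
        # data in the same storage account is not tiered or deleted by mistake.
        definition["filters"]["prefixMatch"] = [prefix]
    return {
        "rules": [
            {
                "enabled": True,
                "name": rule_name,
                "type": "Lifecycle",
                "definition": definition,
            }
        ]
    }


def stage_for_age(policy, age_days):
    """Return the tier ('hot', 'cool', 'archive' or 'deleted') for a blob of this age."""
    actions = policy["rules"][0]["definition"]["actions"]["baseBlob"]
    if age_days > actions["delete"]["daysAfterModificationGreaterThan"]:
        return "deleted"
    if age_days > actions["tierToArchive"]["daysAfterModificationGreaterThan"]:
        return "archive"
    if age_days > actions["tierToCool"]["daysAfterModificationGreaterThan"]:
        return "cool"
    return "hot"


if __name__ == "__main__":
    # "<your-export-container>" is a placeholder: read the real container name
    # from Storage account > Blobs once the export has started writing.
    policy = lifecycle_policy("mdatp-raw-data", 30, 90, 365, prefix="<your-export-container>")
    print(json.dumps(policy, indent=2))
    for age in (10, 45, 120, 400):
        print("%3d days -> %s" % (age, stage_for_age(policy, age)))
```

Written to a file, the generated document can be applied with the Azure CLI (`az storage account management-policy create --account-name <name> --resource-group <rg> --policy @policy.json`) instead of clicking through the portal, which makes the retention rule reviewable and reproducible across storage accounts.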

 

In the next blog, we will demonstrate how to stream advanced hunting events to Azure Event Hubs.

 

Thanks, 

@Haim Goldshtein, Security software engineer, Microsoft Defender ATP   

@Dan Michelson, Program Manager, Microsoft Defender ATP   

@Ben Alfasi, Software engineer, Microsoft Defender ATP 

10 Comments
Iron Contributor

Thanks for this -- just as a heads-up, the "Interoperability" component of the Microsoft Defender Security Center portal pictured in step 3 is now called "Partners & APIs". The icon of overlapping circles remains the same. 

Microsoft

Thank you @Joe Stern ,

I've updated the screenshot with our latest portal change.

 

Thanks,

Haim

Brass Contributor

Haim, thank you for this one. May I know if I can stream these logs to a different tenant other than the tenant associated with Defender ATP? Say, streaming logs in a multitenant model with the same approach, having a storage account in a different tenant.

Copper Contributor

Hello @Haim Goldshtein and @Dan Michelson, thank you for taking the time to put together this document. I am wondering if there's a new method to doing this? Because what I see in my Defender portal is totally different. I don't see the option for API. Will you guys be able to do another refresher on this? Please. We are currently going through auditing and have to show that we save logs for up to a year, but by default Defender only saves data for 180 days. This would be a huge help and refresher! Thank you again.


Steel Contributor
Copper Contributor

 Hey @Jonhed 

I did go through that document as well... it says I need to be either a Global or Security admin, which I am. I've opened a ticket with Defender and hopefully they will be able to help me figure out what's happening, because it seems we have a P1 as well.


Steel Contributor

@DineshCR 

What exactly is happening?

The screenshot you sent is only partial, so I can't see enough to tell.

 

Do you not see the Settings option at the bottom of the left side Menu?

Are you able to access the settings but do not see the streaming API settings?

 

Also you mentioned P1. Do you mean you only have MDE P1 licensing? You probably need P2 to access the logs.

Steel Contributor

This blog post is old, and refers to the old MDE security center.

It is different from the current Microsoft 365 Defender, so the blog post screenshots are not valid any more.

Copper Contributor

@Jonhed  Nope I don't see it...

 


Steel Contributor

Do you have P1 or P2 licensing?

Accessing these logs within the portal requires P2, so you probably need P2 to export them too.

 

Not sure if what you are seeing is correct though, so best bet is to wait for the support answer.

Version history: last update Mar 01 2020 12:50 AM