cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Defender ATP Streaming API - Public Preview - DIY example
By
Haim Goldshtein
Published Jul 23 2019 05:16 AM 7,993 Views
Haim Goldshtein
Microsoft
‎Jul 23 2019 05:16 AM

Microsoft Defender ATP Streaming API - Public Preview - DIY example

‎Jul 23 2019 05:16 AM

Stream your advanced hunting events to your Azure storage account and control your data with Azure storage lifecycle rules

image.png 10 Minutes

image.pngLow complexity 

 

title-New.png

Oftentimes, organizations require better control over their raw data. Typical scenarios where increased control is needed include:

 

  • Data retention policies.
  • Business needs for long term investigations.
  • Integration with other security\Big-data products.

To answer this need, Microsoft Defender ATP allows you to stream advanced hunting events to Azure Event Hubs or to an Azure storage account.

In this blog, I am going to demonstrate how you can easily stream your advanced hunting events to Azure storage account and set an Azure blob storage lifecycle rule to move old data to low-cost storage.

 

Let’s start 

The following four simple steps will get you up and running with the required configurations:

  • Step 1: Create a storage account in your Azure tenant.
  • Step 2: Register to Microsoft.insights provider with your subscription.
  • Step 3: Enable raw data streaming in Microsoft Defender ATP Portal.
  • Step 4: Set an Azure blob lifecycle rule.

Note:

you can find full documentation for raw data streaming API in this link.

 

Step 1 - Create a storage account in your Azure tenant:

To create an Azure storage account, follow these steps:

  1. Sign in to the Azure portal.
  2. Go to All Services > Storage Account.storage accont.png
  3. Click Add.
  4. In the Create storage account form enter the following:
    Create storage account.png

    1 – Choose your Azure’s subscription.

    2 – Choose the Resource Group you want to add the storage account to.

    3 – Give your new storage account a name.

       

    Leave all other fields set to their default values, or you can use the tooltip for each configuration to find the meaning of each setting.

     

  5. Select Review + Create to review your storage account settings and create the account.
  6. Select Create.
  7. Save your new storage account resource ID (you will need it on Step 3)
    • Go to Storage account > {your new storage account name} > Properties.
    • Copy the value in “storage account resource ID” textbox and save it in Step 3: Enable Raw data streaming in Microsoft Defender ATP Portal.

storage account ID.png

Done! You have successfully created a new storage account.

 

Step 2: Create a subscription to Microsoft.insights provider

  1. Log in to your Azure tenant.
  2. Go to Subscriptions > {Your subscription name}.
    subsription.png
  3. Go to Resource Providers. Click on Microsoft.insights and select Register.
    subsription2.png

    Done! You have successfully registered to Microsoft.insights provider.

Step 3: Enable Raw data streaming in Microsoft Defender ATP Portal

  1. Log in to Microsoft Defender ATP portal with a Global Admin role.
  2. Go to Interoperability > Data export settings> Add data export settings.
    Enable data export-new.png
  3. Choose a Name to your new settings.
  4. Select Forward events to Azure Storage.
  5. Type your Storage Account Resource ID you saved at the end of Step 1.
  6. Choose the event type you want to forward.
  7. Click Save.
    add data export settings-New.png

Done! You have successfully enabled raw data steaming.

 

In about 5 minutes, data will start to be written to the blob storage.

You can view your raw data files on Azure portal:

Go to Storage account > {your new storage account name} > overview > Blobs.

viewBlob.png

 

You’ll see that new file created for each event type on an hourly basis:

 

title-New.png

The schema of each row in each file in the blob is the following JSON:

{

        "time": ""

        "tenantId": ""

        "category": ""

        "properties": { }

}

 

Step 4: Set Azure blob lifecycle rule

You now have your data stored on your storage blob. Let’s create a rule that set the periods of time for each stage in our data lifecycle.

 

I will demonstrate how I created a rule for the following lifecycle definition:

backup lifecycle.png

  • Move blob data from hot storage to cold storage after 30 days from last modification.
  • Move blob data from cold storage to archive storage after 90 days from last modification.
  • Delete blob data after 365 days from last modification.

 

  1. Open Azure Portal.
  2. Go to Storage account > {your new storage account name} > overview > Blob.
  3. viewBlob.png
  4. Under Blob Service, select Lifecycle management -> Add rule.
    blob lifecycle service menu.png
  5. Give your new rule a name and check the setting you want to set in the rule.

    blob lifecycle rule.png
  6. Click Review + add

Done!  you have successfully created an Azure storage lifecycle rule for your raw Microsoft Defender ATP data.

 

In the next blog, we will demonstrate how to stream advanced hunting events to Azure Event Hubs.

 

Thanks, 

@Haim Goldshtein, Security software engineer, Microsoft Defender ATP   

@Dan Michelson, Program Manager, Microsoft Defender ATP   

@Ben Alfasi, Software engineer, Microsoft Defender ATP 

10 Comments
Version history
Last update:
‎Mar 01 2020 12:50 AM
Updated by: