Defender for Identity - Streaming of events possible?
Hello!
In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see https://docs.microsoft.com/en-US/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub). How do I achieve the same functionality with Defender for Identity?
In particular, I am interested in the following tables:
- IdentityQueryEvents (DC DNS events)
- IdentityDirectoryEvents (DC events)
I could not find such a data-export function in the Azure ATP portal.
Additionally, I've enabled telemetry data sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 Security (central portal), but I still cannot use the internal Defender ATP data exporter to enable forwarding for these data tables.
The current CEF exporter for Defender for Identity (see https://docs.microsoft.com/en-US/defender-for-identity/cef-format-sa) only provides alerts and some additional test messages in CEF format. I couldn't find the raw events there either.
So how do I forward all Defender for Identity raw data to an Azure Event Hub / Azure Storage so that, e.g., advanced hunting over that data is possible in a third-party SIEM?
Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured-by-azure-atp-on-your/ba-p/1598212
Regards from Germany
Bill
3 Replies
- BillTheKidBrass (Contributor)
This feature has been added by MS officially two years later.
Blog post: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/microsoft-365-defender-streaming-api-identity-and-cloudapp/ba-p/3290516
- Or Tsemah (Former Employee)
Hi Bill,
All Defender for Identity activities are available in the M365D advanced hunting feature, and will be made available to stream via its API capabilities.
*Note: the APIs are currently being evaluated, so some functionality might be missing.
You can also export Defender for Identity via the MCAS SIEM connector.
- BillTheKidBrass (Contributor)
@Or Tsemah Thanks for your answer! The MCAS connector for Defender for Identity does not output all raw events. But the other API you mentioned, streaming via https://docs.microsoft.com/en-US/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide, that's the solution to get access to it (or to pretty much any raw data if needed). Did not really think of it that way 🙂 Thank you for your reply!