SOLVED

Defender for Identity - Streaming of events possible?


Hello!

In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see https://docs.microsoft.com/en-US/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub). How do I achieve the same functionality through Defender for Identity?

In particular I am interested in the following tables:

  • IdentityQueryEvents (DC DNS events)
  • IdentityDirectoryEvents (DC events)

I could not find such data-export functionality in the Azure ATP portal.

Additionally, I've enabled telemetry data-sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 security (central portal), but even so I cannot use the internal Defender ATP data exporter to enable/click forwarding for these data tables.

The current CEF exporter for Defender for Identity (see https://docs.microsoft.com/en-US/defender-for-identity/cef-format-sa) only gives alerts and some additional test messages in CEF format. I couldn't find the raw events here either.

So how do I forward all Defender for Identity raw data to an Azure Event Hub/Azure Storage so that e.g. Advanced Hunting of that data is possible in a third-party SIEM?

Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured...

Regards from Germany

Bill

2 Replies
Best Response confirmed by BillTheKid (Occasional Contributor)
Solution

@BillTheKid 

Hi Bill,

All Defender for Identity activities are available in the M365D advanced hunting feature (https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide),

and will be made available to stream via its API capabilities (https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide).

*Note, the APIs are currently being evaluated so some functionality might be missing.

You can also export Defender for Identity via the MCAS SIEM connector (https://docs.microsoft.com/en-us/cloud-app-security/siem).

@Or Tsemah - Thanks for your answer! The MCAS connector for Defender for Identity does not print all raw events. But the other API you mentioned... the Streaming API for Advanced Hunting. That's the solution to get access to it (or to kind of all the raw data if needed). Did not really think of it that way :) Thank you for your reply!
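The route the thread settles on, pulling the raw IdentityDirectoryEvents and IdentityQueryEvents rows through the Microsoft 365 Defender advanced hunting API into a third-party SIEM, worked through as an added example (this is not code from the thread or from Microsoft). It is a small collector: it takes a client-credentials token, runs a time-bounded KQL query per table against the documented endpoint https://api.security.microsoft.com/api/advancedhunting/run, re-reads a short overlap of the previous window and de-duplicates on ReportId because rows can land minutes after their Timestamp, and returns rows that a SIEM collector can take as JSON lines. The endpoint, the token scope and the AdvancedHunting.Read.All application permission are the documented API values; the helper names, the ten-minute overlap, the transport hook used to run it offline, and the sample rows in SAMPLE_PAYLOAD are assumptions made for the example.

```python
"""Pull the Defender for Identity tables out of Microsoft 365 Defender advanced
hunting and print them as JSON lines for a third-party SIEM collector.

Added example for this thread, not Microsoft's code. The hunting endpoint, token
scope and AdvancedHunting.Read.All permission are the documented Microsoft 365
Defender API values; helper names, OVERLAP and SAMPLE_PAYLOAD are constructed.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
SCOPE = "https://api.security.microsoft.com/.default"
# The two tables the thread asks about; both carry ReportId, used here to de-duplicate.
MDI_TABLES = ("IdentityDirectoryEvents", "IdentityQueryEvents")
# Rows can land minutes after their Timestamp, so each poll re-reads this much of the
# previous window and relies on ReportId de-duplication rather than a hard cut-off.
OVERLAP = timedelta(minutes=10)
# Constructed sample (the Results part of a hunting response); row 3 repeats ReportId 101.
SAMPLE_PAYLOAD = {"Results": [
    {"Timestamp": "2021-01-05T10:15:30.1234567Z", "ReportId": 101, "ActionType": "Group Membership changed"},
    {"Timestamp": "2021-01-05T10:16:02.5Z", "ReportId": 102, "ActionType": "Account Password changed"},
    {"Timestamp": "2021-01-05T10:15:30.1234567Z", "ReportId": 101, "ActionType": "Group Membership changed"},
]}

def kql_datetime(ts):
    """Render an aware datetime as a KQL datetime() literal in UTC."""
    return "datetime(%s)" % ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def build_query(table, since, until):
    """KQL over (since, until]; the table comes from an allow-list and the bounds from
    kql_datetime, so nothing user-controlled is ever spliced into the query string."""
    if table not in MDI_TABLES:
        raise ValueError("not a Defender for Identity table: %r" % (table,))
    return "%s\n| where Timestamp > %s and Timestamp <= %s\n| order by Timestamp asc" % (
        table, kql_datetime(since), kql_datetime(until))

def parse_timestamp(value):
    """Parse the API's ISO 8601 UTC timestamp. It may carry seven fractional digits,
    which datetime.fromisoformat rejects before Python 3.11, so trim to microseconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = "%s.%s" % (head, frac[:6].ljust(6, "0"))
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def http_post(url, headers, body):
    # Default transport (POST bytes, return response bytes); swapped for a stub in demo().
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=200) as resp:
        return resp.read()

def get_token(tenant, client_id, client_secret, post=http_post):
    """Client-credentials token for the Microsoft 365 Defender API."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE}).encode()
    raw = post(TOKEN_URL.format(tenant=tenant), {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return json.loads(raw)["access_token"]

def run_hunting_query(token, query, post=http_post):
    """POST a KQL query; the response body is {"Schema": [...], "Results": [...]}."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    return json.loads(post(HUNTING_URL, headers, json.dumps({"Query": query}).encode()))

def collect_new_rows(payload, seen):
    """Drop rows already forwarded; `seen` (ReportId -> Timestamp) is updated in place."""
    fresh = []
    for row in payload.get("Results", []):
        rid = row.get("ReportId")
        if rid is None or rid in seen:
            continue
        seen[rid] = parse_timestamp(row["Timestamp"])
        fresh.append(row)
    return fresh

def poll_once(token, table, watermark, seen, now=None, post=http_post):
    """Query (watermark - OVERLAP, now], de-duplicate, prune `seen`, return (rows, now).
    Hitting the documented 100,000-row cap means the window must be split, not truncated."""
    now = now or datetime.now(timezone.utc)
    payload = run_hunting_query(token, build_query(table, watermark - OVERLAP, now), post)
    if len(payload.get("Results", [])) >= 100000:
        raise RuntimeError("%s: result cap hit, shorten the polling interval" % table)
    fresh = collect_new_rows(payload, seen)
    for rid in [r for r, ts in seen.items() if ts < now - 2 * OVERLAP]:
        del seen[rid]
    return fresh, now

def demo():
    """Offline cycle against SAMPLE_PAYLOAD; returns the de-duplicated rows."""
    fake_post = lambda url, headers, body: json.dumps(SAMPLE_PAYLOAD).encode()
    rows, _ = poll_once("dummy-token", "IdentityDirectoryEvents",
                        datetime(2021, 1, 5, 10, 0, tzinfo=timezone.utc), {},
                        now=datetime(2021, 1, 5, 10, 20, tzinfo=timezone.utc), post=fake_post)
    return rows

if __name__ == "__main__":  # offline run; a live collector loops get_token() + poll_once() per table
    for row in demo():
        print(json.dumps(dict(row, table="IdentityDirectoryEvents"), sort_keys=True))
```

A live collector keeps one (watermark, seen) pair per table, calls get_token() and then poll_once() for each table every few minutes, and hands the returned rows to the SIEM. Two caveats follow from the API rather than the code: this is pull-based polling, not a push feed like the Defender for Endpoint Event Hub export, and advanced hunting only serves the last 30 days of data with a per-tenant rate limit and a 100,000-row cap per query, so a collector outage longer than that loses rows and the polling window must stay short enough that no single query approaches the cap.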