cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Defender for Identity - Streaming of events possible?

%3CLINGO-SUB%20id%3D%22lingo-sub-2019998%22%20slang%3D%22en-US%22%3EDefender%20for%20Identity%20-%20Streaming%20of%20events%20possible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2019998%22%20slang%3D%22en-US%22%3E%3CP%3EHello!%3C%2FP%3E%3CP%3EIn%20%3CSTRONG%3EDefender%20for%20Endpoint%3C%2FSTRONG%3E%20events%20can%20be%20forwarded%20through%20%3CSTRONG%3EAzure%20Event%20hubs%3C%2FSTRONG%3E%20or%20%3CSTRONG%3EAzure%20storage%3C%2FSTRONG%3E%20(see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fraw-data-export-event-hub%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elink%3C%2FA%3E).%20How%20do%20I%20archieve%20the%20same%20functionality%20through%20Defender%20for%20Identity%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EParticular%20I%20am%20interesting%20in%20the%20following%20tables%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CUL%3E%3CLI%3E%3CSTRONG%3EIdentityQueryEvents%20%3C%2FSTRONG%3E(DC%20DNS%20events)%3C%2FLI%3E%3CLI%3E%3CSPAN%3E%3CSTRONG%3EIdentityDirectoryEvents%3C%2FSTRONG%3E%20(DC%20events)%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20could%20not%20find%20such%20data-export%20functionality%20in%20the%20Azure-ATP%20portal.%3C%2FP%3E%3CP%3EAdditionally%20I've%20enabled%20telemetry%20data-sharing%20between%20Defender%20for%20Endpoint%20and%20Defender%20for%20Identity%2C%20so%20I%20can%20access%20the%20schema%20tables%20from%20Microsoft%20365%20security%20(central%20portal)%20but%20still%20even%20I%20cannot%20use%20the%20internal%20Defender-ATP%20data-exporter%20to%20enable%2Fclick%20forwarding%20for%20these%20data%20tables.%3C%2FP%3E%3CP%3EThe%20current%20CEF%20exporter%20for%20Defender%20for%20Identity%20(see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fdefender-for-identity%2Fcef-format-sa%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elink%3C%2FA%3E)%20in%20CEF-format%20only%20gives%20alerts%20and%20some%20additional%20test-messages.%20Couldn't%20find%20the%20raw%20events%20here%20too.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20how%20do%20I%20forward%20all%20Defender%20for%20Identity%20raw%20data%20to%20an%20Azure%20Hub%2FAzure%20storage%20so%20e.g.%20Advanced%20Hunting%20of%20that%20data%20is%20possible%20in%20third%20party%20SIEM%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%20from%20Germany%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBill%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2021932%22%20slang%3D%22en-US%22%3ERe%3A%20Defender%20for%20Identity%20-%20Streaming%20of%20events%20possible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2021932%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F229526%22%20target%3D%22_blank%22%3E%40BillTheKid%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20Bill%2C%3C%2FP%3E%0A%3CP%3EAll%20Defender%20for%20Identity%20activities%20are%20available%20in%20the%20M365D%20advanced%20hunting%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-overview%3Fview%3Do365-worldwide%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Efeature%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EAnd%20will%20be%20made%20available%20to%20stream%20via%20its%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fapi-advanced-hunting%3Fview%3Do365-worldwide%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAPI%20capabilities%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E*Note%2C%20the%20APIs%20are%20currently%20being%20evaluated%20so%20some%20functionality%20might%20be%20missing%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20export%20Defender%20for%20Identity%20via%20MCAS%20SIEM%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fsiem%23%3A~%3Atext%3DYou%2520can%2520integrate%2520Microsoft%2520Cloud%2Cinto%2520Microsoft%2520Cloud%2520App%2520Security.%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Econnector%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
BillTheKid
Occasional Contributor

‎Dec 29 2020 03:29 AM - edited ‎Dec 29 2020 05:57 PM

‎Dec 29 2020 03:29 AM - edited ‎Dec 29 2020 05:57 PM

Defender for Identity - Streaming of events possible?

Hello!

In Defender for Endpoint events can be forwarded through Azure Event hubs or Azure storage (see link). How do I archieve the same functionality through Defender for Identity?

 

Particular I am interesting in the following tables:

  • IdentityQueryEvents (DC DNS events)
  • IdentityDirectoryEvents (DC events)

 

I could not find such data-export functionality in the Azure-ATP portal.

Additionally I've enabled telemetry data-sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 security (central portal) but still even I cannot use the internal Defender-ATP data-exporter to enable/click forwarding for these data tables.

The current CEF exporter for Defender for Identity (see link) in CEF-format only gives alerts and some additional test-messages. Couldn't find the raw events here too.

 

So how do I forward all Defender for Identity raw data to an Azure Hub/Azure storage so e.g. Advanced Hunting of that data is possible in third party SIEM?

 

Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured...

 

 

Regards from Germany

 

Bill

591 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by BillTheKid (Occasional Contributor)
Or Tsemah

‎Dec 29 2020 11:11 PM

‎Dec 29 2020 11:11 PM

Solution

Re: Defender for Identity - Streaming of events possible?

@BillTheKid 

Hi Bill,

All Defender for Identity activities are available in the M365D advanced hunting feature

And will be made available to stream via its API capabilities

*Note, the APIs are currently being evaluated so some functionality might be missing

 

You can also export Defender for Identity via MCAS SIEM connector

1 Like
Reply
BillTheKid

‎Jan 24 2021 04:14 PM - edited ‎Jan 24 2021 04:16 PM

‎Jan 24 2021 04:14 PM - edited ‎Jan 24 2021 04:16 PM

Re: Defender for Identity - Streaming of events possible?

@Or Tsemah- Thanks for your answer! MCAS connector for Defender for Identity does not print all raw events. But the other API you mentioned... Streaming API for Advanced Hunting. Thats the solution to get access to it (or kinda every raw data if needed). Did not really think of it that way :) Thank you for your reply!

0 Likes
Reply