Defender for Identity - Streaming of events possible?


Hello!

In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see link). How do I achieve the same functionality through Defender for Identity?

In particular, I am interested in the following tables:

  • IdentityQueryEvents (DC DNS events)
  • IdentityDirectoryEvents (DC events)

I could not find such data-export functionality in the Azure-ATP portal.

Additionally, I've enabled telemetry data-sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 security (central portal), but even so I cannot use the internal Defender-ATP data exporter to enable/click forwarding for these data tables.

The current CEF exporter for Defender for Identity (see link) only gives alerts and some additional test messages in CEF format. I couldn't find the raw events there either.

So how do I forward all Defender for Identity raw data to an Azure Event Hub/Azure Storage so that, e.g., Advanced Hunting over that data is possible in a third-party SIEM?

Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured...

Regards from Germany

Bill

1 Reply

@BillTheKid 

Hi Bill,

All Defender for Identity activities are available in the M365D advanced hunting feature, and will be made available to stream via its API capabilities.

*Note: the APIs are currently being evaluated, so some functionality might be missing.

You can also export Defender for Identity via MCAS SIEM connector
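As an added illustration of the advanced hunting route the reply points at (not code from the thread or from Microsoft), the following pulls the two tables the question names through the Microsoft 365 Defender advanced hunting API in fixed time windows and emits JSON lines a third-party SIEM can ingest. The endpoint URL, the required `AdvancedHunting.Read.All` permission, the `Schema`/`Results` response envelope and the sample response are assumptions noted in the code.

```python
"""Export Defender for Identity raw events via M365 Defender advanced hunting (constructed example)."""
import json
from urllib import request

# Advanced hunting API endpoint (assumption: the documented M365 Defender endpoint).
HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"

# The two Defender for Identity tables the question asks about.
TABLES = ("IdentityDirectoryEvents", "IdentityQueryEvents")

# Constructed sample response; the Schema/Results envelope is an assumption about the API's shape.
SAMPLE_RESPONSE = {
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"}, {"Name": "ActionType", "Type": "String"}],
    "Results": [
        {"Timestamp": "2021-01-05T10:00:00Z", "ActionType": "Account Password changed",
         "TargetAccountUpn": "user@contoso.example"},
    ],
}


def build_query(table: str, start_iso: str, end_iso: str) -> str:
    """KQL for one table over [start, end); short windows keep each call under the API's result limits."""
    if table not in TABLES:
        raise ValueError(f"unsupported table: {table}")
    return (
        f"{table}\n"
        f"| where Timestamp >= datetime({start_iso}) and Timestamp < datetime({end_iso})\n"
        "| order by Timestamp asc"  # time order so the SIEM receives events as a stream
    )


def rows_to_jsonl(response: dict, table: str) -> list:
    """Flatten a hunting response into JSON lines, tagging each row with its source table."""
    lines = []
    for row in response.get("Results", []):
        record = {"Table": table, **row}
        lines.append(json.dumps(record, sort_keys=True))
    return lines


def run_query(token: str, query: str) -> dict:
    """One API call; token is a bearer token from an app registration (assumption: AdvancedHunting.Read.All)."""
    body = json.dumps({"Query": query}).encode()
    req = request.Request(HUNTING_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def export_window(token: str, table: str, start_iso: str, end_iso: str) -> list:
    """Fetch one time window of one table and return it as JSON lines ready for the SIEM."""
    return rows_to_jsonl(run_query(token, build_query(table, start_iso, end_iso)), table)
```

Run `export_window` repeatedly over consecutive windows (for example five minutes each) and append the returned lines to the SIEM's ingest path; the Defender for Identity `Timestamp` column is what makes the windowing reproducible.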