12-29-2020 03:29 AM - edited 12-29-2020 05:57 PM
Hello!
In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see link). How do I achieve the same functionality with Defender for Identity?
In particular I am interested in the following tables:
I could not find such data-export functionality in the Azure-ATP portal.
Additionally, I've enabled telemetry data sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 Security (the central portal), but even so I still cannot use the internal Defender ATP data exporter to enable (click) forwarding for these data tables.
The current CEF exporter for Defender for Identity (see link) only gives alerts and some additional test messages in CEF format. I couldn't find the raw events here either.
So how do I forward all Defender for Identity raw data to an Azure Event Hub/Azure Storage so that, e.g., advanced hunting of that data is possible in a third-party SIEM?
Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured...
Regards from Germany
Bill
12-29-2020 11:11 PM
Hi Bill,
All Defender for Identity activities are available in the M365D advanced hunting feature
and will be made available to stream via its API capabilities.
*Note: the APIs are currently being evaluated, so some functionality might be missing.
You can also export Defender for Identity data via the MCAS SIEM connector.