Dec 29 2020 03:29 AM - edited Dec 29 2020 05:57 PM
Hello!
In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see link). How do I achieve the same functionality through Defender for Identity?
In particular, I am interested in the following tables:
I could not find such data-export functionality in the Azure-ATP portal.
Additionally, I've enabled telemetry data-sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 security (central portal), but even so I cannot use the internal Defender-ATP data exporter to enable/click forwarding for these data tables.
The current CEF exporter for Defender for Identity (see link) only gives alerts and some additional test messages in CEF format. I couldn't find the raw events here either.
So how do I forward all Defender for Identity raw data to an Azure Event Hub/Azure Storage so that, e.g., advanced hunting on that data is possible in a third-party SIEM?
Related MS-Blog for hunting in Azure-ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured...
Regards from Germany
Bill
Dec 29 2020 11:11 PM
Hi Bill,
All Defender for Identity activities are available in the M365D advanced hunting feature, and will be made available to stream via its API capabilities.
*Note: the APIs are currently being evaluated, so some functionality might be missing.
You can also export Defender for Identity data via the MCAS SIEM connector.
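To show what a third-party SIEM side of this looks like, here is an added consumer example (not code from the thread, Microsoft, or any product) that takes one batch as the advanced hunting streaming API would deliver it to an Event Hub or storage account, keeps only the Defender for Identity tables, and renders the rows as CEF lines. The envelope shape (a `records` list whose entries carry `time`, `tenantId`, `category` holding the table name, and `properties` holding the row), the sample records and the CEF vendor/product strings are all assumptions constructed for the example; a malformed record is counted and skipped rather than stalling the consumer.

```python
import json
from collections import Counter

# Advanced hunting tables populated by Defender for Identity (the thread's subject).
IDENTITY_TABLES = frozenset({
    "IdentityLogonEvents",
    "IdentityQueryEvents",
    "IdentityDirectoryEvents",
})

# Constructed sample batch. The envelope shape ("records" entries with "time",
# "tenantId", "category" = table name, "properties" = the row) is an assumption
# about the streaming API export format, not something stated in the thread.
SAMPLE_BATCH = json.dumps({
    "records": [
        {
            "time": "2021-01-24T16:14:00Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "IdentityLogonEvents",
            "properties": {
                "Timestamp": "2021-01-24T16:13:58Z",
                "ActionType": "LogonFailed",
                "AccountName": "jdoe",
                "DeviceName": "dc01.contoso.example",
                "Protocol": "Kerberos",
            },
        },
        {
            "time": "2021-01-24T16:14:01Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "DeviceProcessEvents",  # Defender for Endpoint table, not identity data
            "properties": {"FileName": "notepad.exe", "DeviceName": "ws01"},
        },
        {
            "time": "2021-01-24T16:14:02Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "IdentityQueryEvents",
            "properties": {
                "Timestamp": "2021-01-24T16:14:00Z",
                "ActionType": "LDAP query",
                "AccountName": "svc-backup",
                "Query": "(objectClass=user)",
            },
        },
        {"time": "2021-01-24T16:14:03Z"},  # malformed: no category / properties
    ]
})


def parse_batch(raw: str) -> tuple:
    """Decode one exported batch into flat rows.

    Returns (rows, stats). Each row is a flat dict with the table name under
    "Table" plus the record's properties. Records missing a category or a
    properties dict are counted in stats["dropped"] instead of raising, so one
    bad record never stops the consumer.
    """
    stats = Counter()
    rows = []
    for rec in json.loads(raw).get("records", []):
        table = rec.get("category")
        props = rec.get("properties")
        if not table or not isinstance(props, dict):
            stats["dropped"] += 1
            continue
        row = {"Table": table, "TenantId": rec.get("tenantId"), "ExportTime": rec.get("time")}
        row.update(props)
        rows.append(row)
        stats[table] += 1
    return rows, stats


def identity_rows(rows: list) -> dict:
    """Keep only Defender for Identity tables, grouped by table name."""
    grouped = {t: [] for t in IDENTITY_TABLES}
    for row in rows:
        if row["Table"] in IDENTITY_TABLES:
            grouped[row["Table"]].append(row)
    return grouped


def to_cef(row: dict) -> str:
    """Render one row as a CEF line for a SIEM that ingests syslog/CEF.

    Header fields escape backslash and pipe; extension values escape backslash
    and '='. Vendor/product/version strings are placeholders, not real ones.
    """
    def esc_header(v):
        return str(v).replace("\\", "\\\\").replace("|", "\\|")

    def esc_ext(v):
        return str(v).replace("\\", "\\\\").replace("=", "\\=")

    header = "|".join(["CEF:0", "Microsoft", "Defender for Identity", "1.0",
                       esc_header(row["Table"]), esc_header(row.get("ActionType", "event")), "5"])
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in row.items()
                   if k not in {"Table", "ActionType"} and v is not None)
    return f"{header}|{ext}"


if __name__ == "__main__":
    rows, stats = parse_batch(SAMPLE_BATCH)
    for table, items in identity_rows(rows).items():
        for r in items:
            print(to_cef(r))
    print(dict(stats))  # per-table counts plus the number of dropped records
```

In a real deployment the batch would come from an Event Hub consumer or a blob listing rather than the inline string; the filtering on table name is what lets the identity rows be routed separately from the Defender for Endpoint tables that share the same export.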
Jan 24 2021 04:14 PM - edited Jan 24 2021 04:16 PM
@Or Tsemah - Thanks for your answer! The MCAS connector for Defender for Identity does not print all raw events. But the other API you mentioned... the Streaming API for Advanced Hunting. That's the solution to get access to it (or kind of every raw data if needed). Did not really think of it that way 🙂 Thank you for your reply!
Jun 19 2022 06:00 AM
Solution