Announcing Microsoft 365 Defender Streaming API Public Preview

Published Jun 02 2021 06:53 PM
Microsoft

The Microsoft 365 Defender team is happy to announce that the Microsoft 365 Defender Streaming API is now available in Public Preview.
The Microsoft 365 Defender Streaming API lets you export events to your Azure Event Hubs or your Azure Storage account and from there to your location of choice. This enables you to run custom analytics over that data or ingest it into other Security Operations systems, such as SIEM or SOAR products.
If you already use the Microsoft Defender for Endpoint Raw data export API to stream device events, the Microsoft 365 Defender Streaming API extends this to include email and alert events.

Event Category: Event Type (Advanced Hunting Event table name)

Alerts (New!): AlertInfo, AlertEvidence

Devices: DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo

Email (New!): EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents


The Streaming API exports the selected event types in the Microsoft 365 Defender Advanced Hunting schema. For more information, see Understand the Advanced Hunting Schema.

If you are using the Streaming API for the first time, the Microsoft 365 Streaming API Guide has step-by-step instructions for configuring the Microsoft 365 Streaming API to stream events to your Azure Event Hubs or to your Azure Storage Account.

If you are familiar with the Microsoft Defender for Endpoint Raw data export API, you can simply go to the Microsoft 365 Defender Portal (https://security.microsoft.com) > Settings > Microsoft 365 Defender > Streaming API, enter your Azure Event Hub or Azure Storage Account information and select the event types you want to export (see below).

 

[Screenshot: M365D Settings - Streaming API - choose event types]

Select the events you want to export in the Microsoft 365 Defender Streaming API settings
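Once events are flowing, the consuming side has to split each streamed batch back into the Advanced Hunting tables listed above before a SIEM or custom analytic can use it. The following Python consumer is an added example written for this page; it is not part of the announcement and not Microsoft's code. It assumes the envelope format used by the Defender for Endpoint raw data export: a JSON object with a records array, each record carrying time, tenantId, a category of the form AdvancedHunting-<TableName>, and the event's columns under properties. The sample batch, tenant ID, message IDs and addresses are constructed for the example; the column names used follow the Advanced Hunting schema.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional

# Tables the announcement says the Streaming API can export.
STREAMABLE_TABLES = {
    "AlertInfo", "AlertEvidence",
    "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents", "DeviceFileEvents",
    "DeviceNetworkEvents", "DeviceRegistryEvents", "DeviceLogonEvents",
    "DeviceImageLoadEvents", "DeviceEvents", "DeviceFileCertificateInfo",
    "EmailEvents", "EmailAttachmentInfo", "EmailUrlInfo", "EmailPostDeliveryEvents",
}

# Assumed envelope convention (taken from the Defender for Endpoint raw data
# export format): record["category"] == "AdvancedHunting-<TableName>".
CATEGORY_PREFIX = "AdvancedHunting-"


def table_name(category: str) -> Optional[str]:
    """Map a record category to its Advanced Hunting table; None if not exportable."""
    if not category.startswith(CATEGORY_PREFIX):
        return None
    name = category[len(CATEGORY_PREFIX):]
    return name if name in STREAMABLE_TABLES else None


def demux(batch_json: str) -> Dict[str, List[dict]]:
    """Split one streamed batch into rows grouped by table.

    A row is the record's 'properties' object with the envelope's time and
    tenantId folded in, so a SIEM still gets a Timestamp even if the
    properties block lacks one. Records whose category is not one of the
    exportable tables are kept under '_unknown' instead of being dropped.
    """
    tables: Dict[str, List[dict]] = defaultdict(list)
    for rec in json.loads(batch_json)["records"]:
        row = dict(rec.get("properties", {}))
        row.setdefault("Timestamp", rec.get("time"))
        row["TenantId"] = rec.get("tenantId")
        tables[table_name(rec.get("category", "")) or "_unknown"].append(row)
    return dict(tables)


def delivered_threat_mail(tables: Dict[str, List[dict]]) -> List[tuple]:
    """Analytic over the new EmailEvents table: mail that reached the mailbox
    although Defender tagged it with a threat type (candidates for purge)."""
    return [
        (r["NetworkMessageId"], r["RecipientEmailAddress"], r["ThreatTypes"])
        for r in tables.get("EmailEvents", [])
        if r.get("DeliveryAction") == "Delivered" and r.get("ThreatTypes")
    ]


# Constructed sample batch (tenant ID, message IDs and addresses are made up).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2021-06-02T18:00:01Z", "tenantId": TENANT,
     "category": "AdvancedHunting-EmailEvents",
     "properties": {"NetworkMessageId": "msg-0001",
                    "SenderFromAddress": "invoices@example.net",
                    "RecipientEmailAddress": "alice@contoso.example",
                    "DeliveryAction": "Delivered", "ThreatTypes": "Phish"}},
    {"time": "2021-06-02T18:00:02Z", "tenantId": TENANT,
     "category": "AdvancedHunting-EmailEvents",
     "properties": {"NetworkMessageId": "msg-0002",
                    "SenderFromAddress": "news@example.net",
                    "RecipientEmailAddress": "bob@contoso.example",
                    "DeliveryAction": "Blocked", "ThreatTypes": "Malware"}},
    {"time": "2021-06-02T18:00:03Z", "tenantId": TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"Timestamp": "2021-06-02T17:59:58Z",
                    "DeviceName": "ws01.contoso.example",
                    "FileName": "powershell.exe",
                    "ProcessCommandLine": "powershell.exe -enc AAAA"}},
    # Defender for Identity table: not in the exportable list, lands in _unknown.
    {"time": "2021-06-02T18:00:04Z", "tenantId": TENANT,
     "category": "AdvancedHunting-IdentityLogonEvents",
     "properties": {"AccountName": "alice", "FailureReason": "AccountLocked"}},
]})


if __name__ == "__main__":
    tables = demux(SAMPLE_BATCH)
    for name, rows in sorted(tables.items()):
        print(f"{name}: {len(rows)} row(s)")
    print("delivered with threat type:", delivered_threat_mail(tables))
```

In a real pipeline batch_json is the body of each message pulled from the Event Hub (for example through the azure-eventhub package's EventHubConsumerClient) or each row of a blob written to the storage account. Keeping an _unknown bucket rather than discarding unrecognised categories is deliberate: when a new table starts appearing there, the exportable-table list has changed and the consumer needs updating, which is easier to notice than silently lost events.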

 

We’d love to hear your feedback!

 

Microsoft 365 Defender Team

3 Comments

Comment: Would love to see MDI raw data also being streamable, including all its tables. For example, that would allow getting all DNS events from DCs into 3rd-party SIEMs. Currently this is only possible via the Advanced Hunting API and pushing results back (e.g. a simple | IdentityQueryEvents). Please add support for Defender for Identity streaming of all tables.

Comment: Nice, is it also possible to enable this for other columns like Apps & identities >

    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where FailureReason == "AccountLocked"
    | project LogonTime = Timestamp, LogonType, AccountName, AccountDomain, FailureReason, AccountDisplayName, DeviceName

so we can make a Power BI view report for the helpdesk; they are not allowed to go into the Microsoft Security Center. But it will be handy when they can view where users are locked.

Comment: Thank you @BillTheKid and @quinzy for your feedback - we'll be sure to update on enrichments and enhancements to the Streaming API as they become available.
Version history
Last update: Dec 23 2021 10:42 AM