Stream your advanced hunting events to your Azure storage account and control your data with Azure storage lifecycle rules
Oftentimes, organizations require better control over their raw data. Typical scenarios where increased control is needed include:
Data retention policies.
Business needs for long term investigations.
Integration with other security or big-data products.
To answer this need, Microsoft Defender ATP allows you to stream advanced hunting events to Azure Event Hubs or to an Azure storage account.
In this blog, I am going to demonstrate how you can easily stream your advanced hunting events to an Azure storage account and set an Azure Blob Storage lifecycle rule to move old data to low-cost storage.
The following four simple steps will get you up and running with the required configurations:
Step 1: Create a storage account in your Azure tenant.
Step 2: Register to Microsoft.insights provider with your subscription.
Step 3: Enable raw data streaming in Microsoft Defender ATP Portal.
Step 4: Set an Azure blob lifecycle rule.
You can find the full documentation for the raw data streaming API at this link.
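As an added illustration of what Step 4 produces (not taken from the original post or from Microsoft's documentation), here is a complete lifecycle management policy in the JSON form the storage account's lifecycle "Code view" accepts. It tiers blobs to Cool after 30 days, to Archive after 90 days and deletes them after 365 days; the day counts are placeholders to align with your own retention policy, and the container prefix is an assumption, so replace it with the prefix of the containers the streaming actually creates in your account.

```json
{
  "rules": [
    {
      "enabled": true,
      "name": "tier-old-advanced-hunting-events",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "insights-logs-advancedhunting-" ]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 },
            "delete": { "daysAfterModificationGreaterThan": 365 }
          }
        }
      }
    }
  ]
}
```

Keep the delete threshold at or beyond the longest retention your investigations or regulators require, because archived blobs must be rehydrated before they can be read, and a deleted blob cannot be recovered once its soft-delete window has passed.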
Step 1 - Create a storage account in your Azure tenant:
To create an Azure storage account, follow these steps: