Use the streaming API with Microsoft Defender for Business

If your organization has a Security Operations Center (SOC), the Microsoft Defender for Endpoint streaming API is available for Defender for Business and Microsoft 365 Business Premium. The API enables you to stream device data, such as file, registry, network, and sign-in events, to one of the following services:

  • Microsoft Sentinel, a scalable, cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities.
  • Azure Event Hubs, a modern big data streaming platform and event ingestion service that can seamlessly integrate with other Azure and Microsoft services, such as Stream Analytics, Power BI, and Event Grid, along with outside services like Apache Spark.
  • Azure Storage, Microsoft's cloud storage solution for modern data storage scenarios, with highly available, massively scalable, durable, and secure storage for a variety of data objects in the cloud.

With the streaming API, you can use advanced hunting and attack detection with Defender for Business and Microsoft 365 Business Premium. The streaming API enables SOCs to view more data about devices, understand better how an attack occurred, and take steps to improve device security.

Use the streaming API with Microsoft Sentinel

Note

Microsoft Sentinel is a paid service. Several plans and pricing options are available. See Microsoft Sentinel pricing.

  1. Make sure that Defender for Business is set up and configured, and that devices are already onboarded. See Set up and configure Microsoft Defender for Business.

  2. Create a Log Analytics workspace that you'll use with Sentinel. See Create a Log Analytics workspace.

  3. Onboard to Microsoft Sentinel. See Quickstart: Onboard Microsoft Sentinel.

  4. Enable the Microsoft Defender XDR connector. See Connect data from Microsoft Defender XDR to Microsoft Sentinel.

Use the streaming API with Event Hubs

Note

Azure Event Hubs requires an Azure subscription. Before you begin, make sure to create an event hub in your tenant. Then, sign in to the Azure portal, go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.

  1. Go to the Microsoft Defender portal and sign in.

  2. Go to the Data export settings page.

  3. Select Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hubs.

  6. Type your Event Hubs name and your Event Hubs ID.

    Note

    Leaving the Event Hubs name field empty creates an event hub for each category in the selected namespace. If you're not using a Dedicated Event Hubs Cluster, keep in mind that there's a limit of 10 Event Hubs namespaces.

    To get your Event Hubs ID, go to your Azure Event Hubs namespace page in the Azure portal. On the Properties tab, copy the text under ID.

  7. Choose the events you want to stream and then select Save.

The schema of events in Azure Event Hubs

Here's what the schema of events in Azure Event Hubs looks like:

{
    "records": [
        {
            "time": "<The time WDATP received the event>",
            "tenantId": "<The Id of the tenant that the event belongs to>",
            "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
            "properties": { <WDATP Advanced Hunting event as Json> }
        },
        ...
    ]
}

Each event hub message in Azure Event Hubs contains a list of records. Each record contains the event category (the advanced hunting table name), the time Defender for Business received the event, the tenant to which it belongs (you get events from your tenant only), and the event itself in JSON format in a property called "properties". For more information about the schema, see Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.

Use the streaming API with Azure Storage

Azure Storage requires an Azure subscription. Before you begin, make sure to create a Storage account in your tenant. Then, sign in to your Azure tenant, and go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights.

Enable raw data streaming

  1. Go to the Microsoft Defender portal and sign in.

  2. Go to Data export settings page in Microsoft Defender XDR.

  3. Select Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Storage.

  6. Type your Storage Account Resource ID. In order to get your Storage Account Resource ID, go to your Storage account page in the Azure portal. Then, on the Properties tab, copy the text under Storage account resource ID.

  7. Choose the events you want to stream and then select Save.

The schema of events in Azure Storage account

A blob container is created for each event type. The schema of each row in a blob is the following JSON file:

{
  "time": "<The time WDATP received the event>",
  "tenantId": "<Your tenant ID>",
  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
  "properties": { <WDATP Advanced Hunting event as Json> }
}

Each blob contains multiple rows. Each row contains the event category (the advanced hunting table name), the time Defender for Business received the event, the tenant to which it belongs (you get events from your tenant only), and the event itself in JSON format in the "properties" field. For more information about the schema of Microsoft Defender for Endpoint events, see Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.
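The following Python code is an added example, not part of this documentation or of any Microsoft SDK. It shows a consumer-side check for both record shapes described on this page: the Event Hubs message with its "records" array, and the Azure Storage blob rows, which this example assumes are stored one JSON object per line. The tenant ID, device names and event fields are constructed placeholders. Before routing the "properties" payload to a per-table handler, the code rejects records whose tenantId is not your own or whose category lacks the AdvancedHunting- prefix, which is the sanity check a SOC pipeline should apply because the stream is documented to carry only your tenant's advanced hunting events.

```python
import json
from typing import Dict, Iterable, List

REQUIRED_KEYS = ("time", "tenantId", "category", "properties")
CATEGORY_PREFIX = "AdvancedHunting-"


class StreamRecordError(ValueError):
    """Raised when a streamed record does not match the documented schema."""


def normalize_record(record: dict, expected_tenant_id: str) -> dict:
    """Validate one record against the documented schema and flatten it.

    Returns {"table": <advanced hunting table>, "time": <str>, "event": <dict>}.
    Records from another tenant or with an unexpected category are rejected.
    """
    missing = [k for k in REQUIRED_KEYS if k not in record]
    if missing:
        raise StreamRecordError(f"record missing keys: {missing}")
    if record["tenantId"] != expected_tenant_id:
        raise StreamRecordError(f"unexpected tenantId {record['tenantId']!r}")
    category = record["category"]
    if not category.startswith(CATEGORY_PREFIX):
        raise StreamRecordError(f"unexpected category {category!r}")
    if not isinstance(record["properties"], dict):
        raise StreamRecordError("properties must be a JSON object")
    return {
        "table": category[len(CATEGORY_PREFIX):],
        "time": record["time"],
        "event": record["properties"],
    }


def parse_event_hub_message(body: str, expected_tenant_id: str) -> List[dict]:
    """Parse one Event Hubs message: a JSON object carrying a 'records' array."""
    message = json.loads(body)
    records = message.get("records")
    if not isinstance(records, list):
        raise StreamRecordError("message has no 'records' array")
    return [normalize_record(r, expected_tenant_id) for r in records]


def parse_storage_blob(blob_text: str, expected_tenant_id: str) -> List[dict]:
    """Parse a storage blob; this example assumes one JSON object per line."""
    rows = []
    for line in blob_text.splitlines():
        if line.strip():
            rows.append(normalize_record(json.loads(line), expected_tenant_id))
    return rows


def group_by_table(records: Iterable[dict]) -> Dict[str, List[dict]]:
    """Bucket normalized records by advanced hunting table name for per-table handlers."""
    grouped: Dict[str, List[dict]] = {}
    for rec in records:
        grouped.setdefault(rec["table"], []).append(rec["event"])
    return grouped


# Constructed sample data (not real telemetry): a placeholder tenant ID and three events.
EXPECTED_TENANT_ID = "00000000-0000-0000-0000-000000000000"

SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {"time": "2024-05-01T08:15:00.000Z", "tenantId": EXPECTED_TENANT_ID,
         "category": "AdvancedHunting-DeviceProcessEvents",
         "properties": {"DeviceName": "ws01.contoso.example", "FileName": "notepad.exe"}},
        {"time": "2024-05-01T08:15:02.000Z", "tenantId": EXPECTED_TENANT_ID,
         "category": "AdvancedHunting-DeviceLogonEvents",
         "properties": {"DeviceName": "ws01.contoso.example", "AccountName": "jdoe",
                        "LogonType": "Interactive"}},
    ]
})

SAMPLE_STORAGE_BLOB = "\n".join(json.dumps(row) for row in [
    {"time": "2024-05-01T08:16:00.000Z", "tenantId": EXPECTED_TENANT_ID,
     "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws01.contoso.example", "RemotePort": 443}},
])


if __name__ == "__main__":
    hub_records = parse_event_hub_message(SAMPLE_EVENT_HUB_MESSAGE, EXPECTED_TENANT_ID)
    blob_rows = parse_storage_blob(SAMPLE_STORAGE_BLOB, EXPECTED_TENANT_ID)
    for table, events in group_by_table(hub_records + blob_rows).items():
        print(f"{table}: {len(events)} event(s)")
```

In a real pipeline the message body would come from an Event Hubs consumer client or a blob download rather than the inline samples; the validation and grouping logic is the same either way, and the table name recovered from the category tells you which advanced hunting schema the "properties" object follows.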
