
Use the streaming API with Microsoft Defender for Business

If your organization has a Security Operations Center (SOC), you can use the Microsoft Defender for Endpoint streaming API with Defender for Business and Microsoft 365 Business Premium. The streaming API lets you stream device events, such as file, registry, network, and sign-in events, to one of the following services:

  • Microsoft Sentinel: A scalable, cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities.
  • Azure Event Hubs: A modern, big data streaming platform and event ingestion service that integrates with other Azure and Microsoft services, such as Stream Analytics, Power BI, and Event Grid, and with outside services like Apache Spark.
  • Azure Storage: Microsoft's cloud storage solution for modern data storage scenarios, with highly available, massively scalable, durable, and secure storage for a variety of data objects in the cloud.

With the Microsoft Defender for Endpoint streaming API, you can use advanced hunting and attack detection with Defender for Business and Microsoft 365 Business Premium. The streaming API gives a SOC more data about devices, a clearer picture of how an attack unfolded, and a basis for steps to improve device security.

Use the streaming API with Microsoft Sentinel

To stream Defender for Business data to Microsoft Sentinel, complete the following steps.

Note

Microsoft Sentinel is a paid service. Several plans and pricing options are available. See Microsoft Sentinel pricing.

  1. Make sure that Defender for Business is set up and configured, and that devices are already onboarded. See Set up and configure Microsoft Defender for Business.

  2. Create a Log Analytics workspace to use with Microsoft Sentinel. See Create a Log Analytics workspace.

  3. Onboard to Microsoft Sentinel. See Quickstart: Onboard Microsoft Sentinel.

  4. Enable the Microsoft Defender connector. See Connect data from Microsoft Defender to Microsoft Sentinel.

Use the streaming API with Event Hubs

To configure streaming to Azure Event Hubs, complete the following steps.

Note

Azure Event Hubs requires an Azure subscription. Before you begin, create an event hub in your organization. Then, sign in to the Azure portal, go to Subscriptions > Your subscription > Resource Providers, and register the Microsoft.insights resource provider.

  1. Go to the Microsoft Defender portal and sign in.

  2. Go to the Data export settings page.

  3. Select Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hubs.

  6. Type your Event Hubs name and your Event Hubs ID (the resource ID of the Event Hubs namespace).

    Note

    Leaving the Event Hubs name field empty creates an event hub for each category in the selected namespace. If you're not using a Dedicated Event Hubs Cluster (a single-tenant deployment with dedicated capacity), keep in mind that there's a limit of 10 Event Hubs namespaces.

    To get your Event Hubs ID, go to your Event Hubs namespace page in the Azure portal. On the Properties tab, copy the value under ID. This is the resource ID of the namespace, not of an individual event hub within it.

  7. Choose the events you want to stream and then select Save.

View the event schema in Azure Event Hubs

The following JSON sample shows the format of each event hub message that Azure Event Hubs receives when event forwarding is enabled. Each message contains a records array with one or more event entries:

{
    "records": [
        {
            "time": "<The time WDATP received the event>",
            "tenantId": "<The Id of the organization that the event belongs to>",
            "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
            "properties": { <WDATP Advanced Hunting event as Json> }
        },
        ...
    ]
}

Each Event Hubs message contains a list of records. Each record contains the category (the advanced hunting table name), the time Defender for Business received the event, the tenant ID of the organization it belongs to (you get events from your organization only), and the event itself as JSON in the properties field. For more information about the schema, see Proactively hunt for threats with advanced hunting in Microsoft Defender.

Use the streaming API with Azure Storage

Azure Storage requires an Azure subscription. Before you begin, create a storage account in your organization. Then, sign in to the Azure portal, go to Subscriptions > Your subscription > Resource Providers, and register the Microsoft.insights resource provider.

Enable raw data streaming

To enable raw data streaming to Azure Storage, complete the following steps.

  1. Go to the Microsoft Defender portal and sign in.

  2. Go to the Data export settings page in Microsoft Defender XDR.

  3. Select Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Storage.

  6. Type your Storage Account Resource ID. To get it, go to your storage account page in the Azure portal and, on the Properties tab, copy the text under Storage account resource ID.

  7. Choose the events you want to stream and then select Save.
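Step 6 of both procedures takes an Azure resource ID, and the error that is easy to make is pasting the wrong one: the ID of an individual event hub (which ends in /eventhubs/<name>) instead of the namespace, or an ID of a different resource type. The following check is an added example and not part of this page or of Microsoft's tooling; the regex for the Azure resource ID layout, the sample IDs, and the all-zero subscription GUID are constructed placeholders.

```python
import re

# Generic Azure resource ID layout (constructed for this example). Azure treats the
# subscription and resource-group segments case-insensitively, so the match ignores case.
RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)"
    r"(?P<child>(?:/[^/]+/[^/]+)*)$",
    re.IGNORECASE,
)

# Provider and resource type each export destination expects in its ID field.
EXPECTED = {
    "eventhubs": ("Microsoft.EventHub", "namespaces"),
    "storage": ("Microsoft.Storage", "storageAccounts"),
}

# Constructed sample IDs; the subscription GUID and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-defender/providers/"
SAMPLES = {
    "namespace": SUB + "Microsoft.EventHub/namespaces/ehns-defender",
    "event_hub_entity": SUB + "Microsoft.EventHub/namespaces/ehns-defender/eventhubs/defender-events",
    "storage_account": SUB + "Microsoft.Storage/storageAccounts/stdefenderexport",
    "bare_name": "ehns-defender",
}


def check_resource_id(value: str, destination: str) -> tuple:
    """Return (ok, message) for an ID pasted into the Event Hubs ID or Storage Account Resource ID field."""
    provider, rtype = EXPECTED[destination]
    match = RESOURCE_ID.match(value.strip())
    if not match:
        return False, "not an Azure resource ID; expected /subscriptions/<sub>/resourceGroups/<rg>/providers/..."
    if (match["provider"].lower(), match["type"].lower()) != (provider.lower(), rtype.lower()):
        return False, f"wrong resource type {match['provider']}/{match['type']}; expected {provider}/{rtype}"
    if match["child"]:
        # e.g. .../namespaces/<ns>/eventhubs/<hub>: the portal wants the parent, not the child
        return False, f"ID points at a child resource ({match['child']}); use the parent {rtype} ID"
    return True, f"{match['name']} in resource group {match['resource_group']}"


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        for destination in EXPECTED:
            ok, message = check_resource_id(value, destination)
            print(f"{label:>17} -> {destination:<9} {'OK ' if ok else 'ERR'} {message}")
```

Run it before saving the export settings: only the namespace ID passes for Event Hubs and only the storage account ID passes for Azure Storage; the event hub entity ID is rejected with a pointer to its parent.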

View the event schema in Azure Storage

A blob container is created for each event type. The following JSON sample shows the schema of a single event row written to Azure Storage. Each row includes the event timestamp, your tenant identifier, the Advanced Hunting category, and the event data in JSON format:

{
  "time": "<The time WDATP received the event>",
  "tenantId": "<Your tenant ID>",
  "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
  "properties": { <WDATP Advanced Hunting event as Json> }
}

Each blob contains multiple rows. Each row contains the category (the advanced hunting table name), the time Defender for Business received the event, the tenant ID of the organization it belongs to (you get events from your organization only), and the event itself as JSON in the properties field. For more information about the schema of Microsoft Defender for Endpoint events, see Proactively hunt for threats with advanced hunting in Microsoft Defender.
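The following consumer is an added example, not code from this page or from Microsoft, and it reads both shapes described above: an Event Hubs message carrying a records array, and rows from an Azure Storage blob. The sample message and blob contents are constructed. The blob is assumed to be newline-delimited JSON (one row per line), which the page does not state. The tenant filter and the detection for PowerShell started with an encoded command are illustrative; the DeviceName, AccountName, FileName and ProcessCommandLine fields are those of the DeviceProcessEvents advanced hunting table.

```python
import json
import re
from datetime import datetime, timezone

# Tenant this consumer accepts events for. Constructed for the example, not a real tenant ID.
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
PREFIX = "AdvancedHunting-"

# Constructed Event Hubs message body using the `records` envelope shown above.
EVENT_HUB_MESSAGE = json.dumps({"records": [
    {"time": "2024-05-01T10:15:30.1234567Z", "tenantId": EXPECTED_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01.contoso.local", "AccountName": "jdoe", "FileName": "powershell.exe",
                    "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}},
    {"time": "2024-05-01T10:15:31.0000000Z", "tenantId": EXPECTED_TENANT,
     "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws01.contoso.local", "RemoteIP": "203.0.113.5", "RemotePort": 443}},
]})

# Constructed Azure Storage blob content. The page says a blob holds multiple rows of the
# single-event schema; this example assumes one JSON object per line. The second row carries
# a foreign tenant ID: it should never arrive, but the consumer drops it rather than trusting it.
STORAGE_BLOB = "\n".join(json.dumps(row) for row in [
    {"time": "2024-05-01T10:20:00.0000000Z", "tenantId": EXPECTED_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws02.contoso.local", "AccountName": "svc-backup", "FileName": "pwsh.exe",
                    "ProcessCommandLine": "pwsh.exe -EncodedCommand dwBoAG8AYQBtAGkA"}},
    {"time": "2024-05-01T10:21:00.0000000Z", "tenantId": "99999999-8888-7777-6666-555555555555",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -enc AAAAAAAAAAAA"}},
])

REQUIRED_KEYS = ("time", "tenantId", "category", "properties")
# powershell.exe accepts -EncodedCommand, -ec and -e, followed by a base64 payload.
ENCODED_PS = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{8,}")


def parse_time(value: str) -> datetime:
    """Parse the event timestamp, which has seven fractional digits and a trailing Z."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]  # strptime's %f takes at most six digits
    return datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_event_hub_message(body: str) -> list:
    """Unwrap the `records` array of one Event Hubs message."""
    records = json.loads(body).get("records")
    if not isinstance(records, list):
        raise ValueError("Event Hubs message has no 'records' array")
    return records


def parse_storage_blob(text: str) -> list:
    """Read one event row per non-empty line of a blob (assumed newline-delimited JSON)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ingest(records: list, expected_tenant: str) -> list:
    """Validate the envelope, drop any record for another tenant, and parse the timestamp."""
    accepted = []
    for record in records:
        missing = [key for key in REQUIRED_KEYS if key not in record]
        if missing:
            raise ValueError(f"record is missing {missing}")
        if record["tenantId"] != expected_tenant:
            continue
        category = record["category"]
        accepted.append({
            "time": parse_time(record["time"]),
            "table": category[len(PREFIX):] if category.startswith(PREFIX) else category,
            "properties": record["properties"],
        })
    return accepted


def detect_encoded_powershell(events: list) -> list:
    """Flag DeviceProcessEvents rows where PowerShell was started with an encoded command."""
    findings = []
    for event in events:
        props = event["properties"]
        if event["table"] != "DeviceProcessEvents":
            continue
        if props.get("FileName", "").lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        if ENCODED_PS.search(props.get("ProcessCommandLine", "")):
            findings.append({"time": event["time"].isoformat(), "device": props.get("DeviceName"),
                             "account": props.get("AccountName"), "command_line": props["ProcessCommandLine"]})
    return findings


def run_sample() -> list:
    """Consume both constructed sources and return the combined findings."""
    events = ingest(parse_event_hub_message(EVENT_HUB_MESSAGE), EXPECTED_TENANT)
    events += ingest(parse_storage_blob(STORAGE_BLOB), EXPECTED_TENANT)
    return detect_encoded_powershell(events)


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

The envelope handling is the part that carries over to a real consumer: the category tells you which advanced hunting table schema the properties object follows, the time field is the time Defender received the event rather than the time it happened on the device (the properties carry the device-side Timestamp), and the tenantId check is cheap insurance against misrouted data even though the service sends only your own tenant's events.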
