Microsoft 365 Defender

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Microsoft 365 Defender is an antivirus program and security solution developed by Microsoft Corporation. It is designed to protect computers and networks from various forms of malware, including viruses, spyware, ransomware, and other malicious software. Microsoft Defender is available for both consumer and enterprise users and provides real-time protection against threats.

Supported data types

Defender for Endpoint

Table name:
microsoft_365_defender_alert_evidence
microsoft_365_defender_alert_info

Integrating Microsoft Defender for Endpoint events into Hunters allows exploring the related data, triaging Defender alerts, and correlating them with other related threats.

🚧 Note

For this data type to work properly, make sure that mdatp-device-info is also connected in addition to the actual event data, as the device info table is used to add essential device information to the lead.

Expected format

The file format for all data types should be NDJSON.

📘 Note

Currently, backfilling is not supported for Azure storage account-based data flows, so the "Start date" field can be ignored.

Defender for Identity

Table name:
microsoft_365_defender_alert_evidence
microsoft_365_defender_alert_info

Microsoft 365 Defender for Identity is Microsoft’s identity detection engine, which aggregates alerts from Microsoft’s identity services. See more details on the alerts here.

Integrating the alerts into Hunters allows triaging them and correlating them with other related threats.

Expected format

DefaultEndpointsProtocol=https;AccountName=defenderlogs;AccountKey=g6DbhGsQ4u890mngU7szCxq/jUioeWTd/gFHyhgde46gvDs3EuKNfSfVcUPQWazMlopLl6if5e7JKdGYtrvdfj==;EndpointSuffix=core.windows.net

Defender for Office365

Table name:
microsoft_365_defender_alert_evidence
microsoft_365_defender_alert_info

Microsoft Defender for Office 365 is Microsoft’s Office 365 detection engine, which aggregates alerts from Microsoft’s Office 365 services. See more details on the alerts here.

Integrating the alerts into Hunters allows triaging them and correlating them with other related threats.

Expected format

DefaultEndpointsProtocol=https;AccountName=defenderlogs;AccountKey=g6DbhGsQ4u890mngU7szCxq/jUioeWTd/gFHyhgde46gvDs3EuKNfSfVcUPQWazMlopLl6if5e7JKdGYtrvdfj==;EndpointSuffix=core.windows.net

Send data to Hunters

Microsoft Defender events are exported by Microsoft to Azure Blob Storage and consumed by Hunters from your storage. Follow the steps below to allow the export of events:

  1. Ship real-time events and alerts directly to an Azure storage account by logging in to the Microsoft Defender Security Center and adding a data export. For detailed instructions, follow the official tutorial from Microsoft explaining how to forward events to Azure storage.

  2. Enable the collection of Alert Evidence and Alert Info to the storage account. You should see the corresponding containers being created and populated with data: insights-logs-advancedhunting-alertevidence and insights-logs-advancedhunting-alertinfo.

  3. Share your Azure storage connection string with Hunters Support.
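As an added example (not part of the Hunters documentation), a small Python helper that sanity-checks a connection string in the format shown under "Expected format" before it is handed over, derives the URLs of the two containers named in step 2, and redacts the key so the string can safely appear in tickets or logs. The account name and key below are constructed placeholders, not a real account.

```python
import base64
import re

# Containers Defender creates once Alert Evidence / Alert Info export is enabled (from the steps above).
CONTAINERS = (
    "insights-logs-advancedhunting-alertevidence",
    "insights-logs-advancedhunting-alertinfo",
)
REQUIRED = ("DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix")


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict and validate the parts Hunters needs.

    partition() keeps any '=' inside the value, which matters for base64 padding in AccountKey.
    """
    parts = {}
    for item in conn.strip().strip(";").split(";"):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {item!r}")
        parts[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in parts]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if parts["DefaultEndpointsProtocol"].lower() != "https":
        raise ValueError("storage access must use https")
    if not re.fullmatch(r"[a-z0-9]{3,24}", parts["AccountName"]):
        raise ValueError("AccountName must be 3-24 lowercase letters or digits")
    # Storage account keys are 512-bit secrets: exactly 64 bytes once base64-decoded.
    try:
        raw = base64.b64decode(parts["AccountKey"], validate=True)
    except ValueError:
        raise ValueError("AccountKey is not valid base64")
    if len(raw) != 64:
        raise ValueError("AccountKey does not decode to 64 bytes")
    return parts


def container_urls(parts):
    """Blob endpoint URLs of the two export containers for this account."""
    base = f"https://{parts['AccountName']}.blob.{parts['EndpointSuffix']}"
    return {name: f"{base}/{name}" for name in CONTAINERS}


def redact(conn):
    """Mask the secret so the rest of the string can be quoted in a ticket or log."""
    return re.sub(r"(AccountKey=)[^;]*", r"\1<REDACTED>", conn)


# Constructed sample (placeholder account, 64 known bytes as the key); not a real credential.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONN = ("DefaultEndpointsProtocol=https;AccountName=examplelogs;"
               f"AccountKey={SAMPLE_KEY};EndpointSuffix=core.windows.net")
```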

📘 Learn more

Learn more about the Azure connection string here.