Microsoft Defender


Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Microsoft Defender is an antivirus program and security solution developed by Microsoft Corporation. It is designed to protect computers and networks from various forms of malware, including viruses, spyware, ransomware, and other malicious software. Microsoft Defender is available for both consumer and enterprise users and provides real-time protection against threats.

Supported data types

🚧IMPORTANT

The Defender XDR Identity Query logs data type has been replaced by the Defender XDR Advanced Hunting logs data type described below.

Defender XDR Advanced Hunting logs

Table name:
microsoft_365_defender_advanced_hunting

Microsoft Defender Advanced Hunting logs provide rich data sets that enable security analysts to proactively search for potential threats across an organization’s environment. These logs contain detailed information about events such as file creation, network connections, and process activities, which can be queried using Kusto Query Language (KQL). Advanced hunting in Defender allows for real-time analysis, pattern detection, and correlation of security incidents, helping teams identify and respond to attacks more efficiently.

Learn more here.

This data source includes the following types:

  • Device Alert Events

  • Device Info

  • Device Network Info

  • Device Process Events

  • Device Network Events

  • Device File Events

  • Device Registry Events

  • Device Logon Events

  • Device Image Load Events

  • Device Events

Send data to Hunters

STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to create an Azure Event Hub.

Follow this guide to complete the setup.

STEP 2: Route logs to the Event Hub

Follow the steps in this guide from Microsoft to route XDR logs to an Event Hub.

STEP 3: Set up the connection on Hunters

📘 Before you begin

To complete this process you will need the information gathered when following this guide.

To connect logs to Hunters:

  1. Open the Hunters platform and navigate to Data > Data Sources.

  2. Click ADD DATA SOURCES.

  3. Locate the Microsoft Defender panel and click Connect.
    The Add Data Flows window opens.

  4. Fill in the required details, as gathered here under STEP 2.

  5. Under the Data Types section, activate the data types you want to connect.

  6. For each activated data type, fill in the required information, as gathered here:

    1. Under STEP 1 - Subscription ID

    2. Under STEP 3 - Resource group name and Event Hub namespace, and

    3. Under STEP 4 - Event Hub name.

  7. OPTIONAL: In the Consumer group field, enter the name of the Azure Event Hub consumer group Hunters should read from, or leave the field empty to use the default consumer group.

  8. Click Test Connection to make sure everything was set up correctly.

  9. Once the connection is established, click Submit.

Expected format

Logs are expected in JSON format.

{
    "_TimeReceivedBySvc": "2024-06-30T09:09:42.2473569Z",
    "category": "AdvancedHunting-IdentityQueryEvents",
    "operationName": "Publish",
    "properties": {
        "AccountDisplayName": null,
        "AccountDomain": null,
        "AccountName": null,
        "AccountObjectId": null,
        "AccountSid": null,
        "AccountUpn": null,
        "ActionType": "DNS query",
        "AdditionalFields": {
            "ACTOR.DEVICE": "",
            "ARG.TASK": "DNS query",
            "Count": "1",
            "DestinationComputerObjectGuid": "493fd1c0-0419-4ad8-ace7-d7de9eddf89d",
            "DestinationComputerOperatingSystem": "windows server 2019 datacenter",
            "DestinationComputerOperatingSystemType": "windows",
            "DestinationComputerOperatingSystemVersion": "10.0 (17763)",
            "FROM.DEVICE": "1.2.3.4",
            "SourceComputerId": "computer 1.2.3.4",
            "SourceComputerOperatingSystemType": "unknown",
            "TO.DEVICE": "test_dc"
        },
        "Application": "Active Directory",
        "DestinationDeviceName": "test_dc.system.local",
        "DestinationIPAddress": "10.152.0.4",
        "DestinationPort": 53,
        "DeviceName": "1.2.3.4",
        "IPAddress": "1.2.3.4",
        "Location": null,
        "Port": 57926,
        "Protocol": "Dns",
        "Query": null,
        "QueryTarget": "_origin._tcp.test.domain",
        "QueryType": "Srv",
        "ReportId": "f76cedf7-3682-436d-9b76-0a87ee183d6a",
        "TargetAccountDisplayName": null,
        "TargetAccountUpn": null,
        "TargetDeviceName": null,
        "Timestamp": "2024-06-30T09:09:00.540511Z"
    },
    "Tenant": "DefaultTenant",
    "tenantId": "asdasdas-awdawf-wqfaawf",
    "time": "2024-06-30T09:10:46.4939189Z"
}
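The following Python script is an added example, not Hunters' code and not part of this page's documentation. It shows a pre-ingestion sanity check an analyst might run on a handful of messages pulled from the Event Hub before clicking Test Connection: it validates the envelope shape shown above, derives the Advanced Hunting table from the "category" field, reports whether that table is one of the data types listed on this page, and measures how far behind its own Timestamp each event was published. Assumptions: the "category" value is always "AdvancedHunting-" followed by the table name (true of the sample above), the supported-table set is simply this page's list written as table names, the first sample is the page's message trimmed to the fields used, and the second and third samples are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Advanced Hunting data types listed on this page, written as the table name that
# follows the "AdvancedHunting-" prefix in the envelope's "category" field.
SUPPORTED_TABLES = {
    "DeviceAlertEvents", "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents",
    "DeviceNetworkEvents", "DeviceFileEvents", "DeviceRegistryEvents",
    "DeviceLogonEvents", "DeviceImageLoadEvents", "DeviceEvents",
}
CATEGORY_PREFIX = "AdvancedHunting-"  # assumption: table name always follows this prefix
# Envelope keys present in the sample above; a message lacking any of them is rejected.
REQUIRED_ENVELOPE_KEYS = ("category", "operationName", "properties", "tenantId", "time")


def parse_azure_time(value: str) -> datetime:
    """Parse the UTC timestamps in the envelope.

    Azure writes up to seven fractional-second digits with a trailing 'Z';
    datetime stores microseconds only, so the fraction is truncated to six digits.
    """
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in 'Z': {value!r}")
    whole, _, frac = value[:-1].partition(".")
    body = f"{whole}.{frac[:6].ljust(6, '0')}"
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def inspect_event(raw: str) -> dict:
    """Validate one Event Hub message and describe it.

    Returns the Advanced Hunting table the event belongs to, whether that table is
    one of the data types listed on this page, its ActionType, and the delay between
    the event's own Timestamp and the time Azure published it.
    """
    event = json.loads(raw)
    missing = [key for key in REQUIRED_ENVELOPE_KEYS if key not in event]
    if missing:
        raise ValueError(f"envelope is missing keys: {missing}")
    category = event["category"]
    if not isinstance(category, str) or not category.startswith(CATEGORY_PREFIX):
        raise ValueError(f"unexpected category: {category!r}")
    props = event["properties"]
    if not isinstance(props, dict) or "Timestamp" not in props:
        raise ValueError("properties must be an object that carries a Timestamp")
    table = category[len(CATEGORY_PREFIX):]
    lag = parse_azure_time(event["time"]) - parse_azure_time(props["Timestamp"])
    return {
        "table": table,
        "supported": table in SUPPORTED_TABLES,
        "action_type": props.get("ActionType"),
        "lag_seconds": lag.total_seconds(),
    }


def summarize(raw_events) -> dict:
    """Tally a batch of messages by table and list the tables that are not in the
    supported set, so an analyst can confirm the activated data types are flowing."""
    counts, unsupported, rejected = {}, set(), 0
    for raw in raw_events:
        try:
            info = inspect_event(raw)
        except ValueError:
            rejected += 1  # malformed envelope; count it rather than abort the batch
            continue
        counts[info["table"]] = counts.get(info["table"], 0) + 1
        if not info["supported"]:
            unsupported.add(info["table"])
    return {"counts": counts, "unsupported": sorted(unsupported), "rejected": rejected}


# Sample 1 is the page's own message, trimmed to the fields used here.
PAGE_SAMPLE = json.dumps({
    "category": "AdvancedHunting-IdentityQueryEvents",
    "operationName": "Publish",
    "properties": {"ActionType": "DNS query", "Protocol": "Dns",
                   "QueryTarget": "_origin._tcp.test.domain",
                   "Timestamp": "2024-06-30T09:09:00.540511Z"},
    "tenantId": "asdasdas-awdawf-wqfaawf",
    "time": "2024-06-30T09:10:46.4939189Z",
})
# Sample 2 is constructed for this example (not real telemetry) in the same envelope shape.
CONSTRUCTED_SAMPLE = json.dumps({
    "category": "AdvancedHunting-DeviceProcessEvents",
    "operationName": "Publish",
    "properties": {"ActionType": "ProcessCreated", "FileName": "example.exe",
                   "Timestamp": "2024-06-30T09:09:00Z"},
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "time": "2024-06-30T09:09:30.5Z",
})
# Sample 3 is a constructed malformed message: the "properties" object is absent.
BROKEN_SAMPLE = json.dumps({"category": "AdvancedHunting-DeviceEvents", "operationName": "Publish",
                            "tenantId": "00000000-0000-0000-0000-000000000000",
                            "time": "2024-06-30T09:09:30Z"})

if __name__ == "__main__":
    print(inspect_event(PAGE_SAMPLE))
    print(summarize([PAGE_SAMPLE, CONSTRUCTED_SAMPLE, BROKEN_SAMPLE]))
```

Run against the page's sample, the script reports the table IdentityQueryEvents as not being in this page's list of data types and a publish lag of roughly 106 seconds; a batch in which an activated table never appears, or in which every message lands in "rejected", is worth investigating before submitting the connection.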