Microsoft 365 Defender Alerts

Introduction

This data source holds all of Microsoft 365 Defender's alerts information and details, from all supported products - such as EDR, Identity, Office, Cloud Applications, etc.

Once integrated, this data is ingested and used to raise Microsoft's alerts in the Hunters portal, as well as to correlate them with other related threats.

For more details on the product and supported data, see here.

Sending data to Hunters

Prerequisites

  1. Ship real-time events and alerts directly to an Azure storage account by logging in to the Microsoft Defender Security Center and adding a data export. For detailed instructions, follow Microsoft's official tutorial on forwarding events to Azure storage.
  2. Share your Azure storage account with Hunters by following this tutorial: Sharing Azure storage with Hunters.
  3. Export the following two data types to the corresponding Blob container:

     Data Type        File Format   Container name
     Alert Info       NDJSON        insights-logs-advancedhunting-alertinfo
     Alert Evidence   NDJSON        insights-logs-advancedhunting-alertevidence

Once done, supply Hunters with the Azure Blob Connection ID for this Blob Storage account.
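As an added example (not code from Hunters or Microsoft), the following Python checks that the exported blobs are well-formed NDJSON and joins Alert Evidence records to their Alert Info record by AlertId, flagging unparsable lines and evidence that points at no known alert. It assumes the streaming export wraps each event under a "properties" key and uses the AlertInfo/AlertEvidence field names (AlertId, Title, Severity, EntityType); the sample lines are constructed.

```python
import json

# Container names as listed in the export table above.
CONTAINERS = {
    "alertinfo": "insights-logs-advancedhunting-alertinfo",
    "alertevidence": "insights-logs-advancedhunting-alertevidence",
}

# Constructed sample NDJSON (one JSON object per line). The event payload sitting
# under "properties" mirrors the Defender streaming export envelope (assumption).
SAMPLE_ALERTINFO = """\
{"time":"2024-01-01T10:00:00Z","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da1","Title":"Suspicious PowerShell","Severity":"High","ServiceSource":"Microsoft Defender for Endpoint"}}
{"time":"2024-01-01T10:05:00Z","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da2","Title":"Impossible travel","Severity":"Medium","ServiceSource":"Microsoft Defender for Cloud Apps"}}
"""
SAMPLE_ALERTEVIDENCE = """\
{"time":"2024-01-01T10:00:00Z","category":"AdvancedHunting-AlertEvidence","properties":{"AlertId":"da1","EntityType":"Process","FileName":"powershell.exe","DeviceName":"host-01"}}
{"time":"2024-01-01T10:00:00Z","category":"AdvancedHunting-AlertEvidence","properties":{"AlertId":"da1","EntityType":"Machine","DeviceName":"host-01"}}
not json at all
{"time":"2024-01-01T10:05:00Z","category":"AdvancedHunting-AlertEvidence","properties":{"AlertId":"da9","EntityType":"User","AccountName":"alice"}}
"""

def parse_ndjson(text):
    """Parse NDJSON text; return (records, bad_line_numbers). Blank lines are skipped."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(n)
            continue
        # Unwrap the export envelope when present; otherwise treat the line as the event.
        records.append(obj.get("properties", obj) if isinstance(obj, dict) else {})
    return records, bad

def correlate(alertinfo_text, alertevidence_text):
    """Attach evidence to alerts by AlertId; report evidence with no matching alert."""
    alerts, bad_info = parse_ndjson(alertinfo_text)
    evidence, bad_ev = parse_ndjson(alertevidence_text)
    by_alert = {a["AlertId"]: dict(a, Evidence=[]) for a in alerts if "AlertId" in a}
    orphans = [e for e in evidence if e.get("AlertId") not in by_alert]
    for e in evidence:
        if e.get("AlertId") in by_alert:
            by_alert[e["AlertId"]]["Evidence"].append(e)
    return {"alerts": by_alert, "orphan_evidence": orphans,
            "bad_lines": {"alertinfo": bad_info, "alertevidence": bad_ev}}

if __name__ == "__main__":
    result = correlate(SAMPLE_ALERTINFO, SAMPLE_ALERTEVIDENCE)
    for aid, a in result["alerts"].items():
        print(f"{aid}: {a['Title']} [{a['Severity']}] evidence={len(a['Evidence'])}")
    print("orphan evidence:", len(result["orphan_evidence"]), "bad lines:", result["bad_lines"])
```

Run the same two functions over the real blobs from each container to confirm the export is arriving as line-delimited JSON before handing the connection ID to Hunters.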