Microsoft 365 Defender for Endpoints (formerly MDATP)
Sending data to Hunters
- Ship real time events and alerts directly to Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions follow this official tutorial of Microsoft explaining how to forward events to Azure storage.
- Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.
Creating a Dataflow
- In the Product box, select Microsoft 365 Defender for Endpoints
- In the Source box, select Azure Blob Storage
- Paste the Connection string from the prerequisites section.
- For each Data Type, fill in the appropriate Blob Prefix, File Format and Container name according to the table below.
Currently, backfilling is NOT supported for Azure storage account based data flows. Hence, the "Start date" field could be ignored.
|Data Type||File Format||Container name|
|Device Alert Events||NDJSON||insights-logs-advancedhunting-devicealertevents|
|Device Network Info||NDJSON||insights-logs-advancedhunting-devicenetworkinfo|
|Device Process Events||NDJSON||insights-logs-advancedhunting-deviceprocessevents|
|Device Network Events||NDJSON||insights-logs-advancedhunting-devicenetworkevents|
|Device File Events||NDJSON||insights-logs-advancedhunting-devicefileevents|
|Device Registry Events||NDJSON||insights-logs-advancedhunting-deviceregistryevents|
|Device Logon Events||NDJSON||insights-logs-advancedhunting-devicelogonevents|
|Device Image Load Events||NDJSON||insights-logs-advancedhunting-deviceimageloadevents|