Skip to content

Microsoft 365 Defender for Endpoints (formerly MDATP)

Sending data to Hunters

Prerequisites

  1. Ship real time events and alerts directly to Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions follow this official tutorial of Microsoft explaining how to forward events to Azure storage.
  2. Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.

Creating a Dataflow

  1. In the Product box, select Microsoft 365 Defender for Endpoints
  2. In the Source box, select Azure Blob Storage
  3. Paste the Connection string from the prerequisites section.
  4. For each Data Type, fill in the appropriate Blob Prefix, File Format and Container name according to the table below.

Note

Currently, backfilling is NOT supported for Azure storage account based data flows. Hence, the "Start date" field could be ignored.

Data Type File Format Container name
Device Alert Events NDJSON insights-logs-advancedhunting-devicealertevents
Device Info NDJSON insights-logs-advancedhunting-deviceinfo
Device Network Info NDJSON insights-logs-advancedhunting-devicenetworkinfo
Device Process Events NDJSON insights-logs-advancedhunting-deviceprocessevents
Device Network Events NDJSON insights-logs-advancedhunting-devicenetworkevents
Device File Events NDJSON insights-logs-advancedhunting-devicefileevents
Device Registry Events NDJSON insights-logs-advancedhunting-deviceregistryevents
Device Logon Events NDJSON insights-logs-advancedhunting-devicelogonevents
Device Image Load Events NDJSON insights-logs-advancedhunting-deviceimageloadevents
Device Events NDJSON insights-logs-advancedhunting-deviceevents