Microsoft Defender for Endpoint

Overview

Microsoft Defender for Endpoint is Microsoft’s EDR, collecting various logs from endpoints with MDATP agents - Devices Info, Process Info, Network Events, etc. Integrating MDATP events to Hunters will allow exploring the related data, as well as triaging alerts by MDATP and correlating to other related threats.

Prerequisites

MDATP events are exported by Microsoft to Azure Blob Storage and consumed by Hunters from your storage. Follow the next steps to allow the export of events:

1. Ship real time events and alerts directly to Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions follow this official tutorial of Microsoft explaining how to forward events to Azure storage.

2. Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.

Creating a Data flow in the Hunters portal

1. In the Product box, select Microsoft MDATP

2. In the Source box, select Azure Blob Storage

3. Paste the Connection string from the prerequisites section (see connection string example below)

   DefaultEndpointsProtocol=https;AccountName=defenderlogs;AccountKey=g6DbhGsQ4u890mngU7szCxq/jUioeWTd/gFHyhgde46gvDs3EuKNfSfVcUPQWazMlopLl6if5e7JKdGYtrvdfj==;EndpointSuffix=core.windows.net

   CODE

4. For each Data Type, fill in the appropriate File Format and Container name according to the table below.

5. Blob Prefix should remain empty

6. The file format for all data types should be NDJSON

Example