Microsoft Defender for Endpoint is Microsoft’s EDR, collecting various logs from endpoints with MDATP agents - Devices Info, Process Info, Network Events, etc. Integrating MDATP events to Hunters will allow exploring the related data, as well as triaging alerts by MDATP and correlating to other related threats.
MDATP events are exported by Microsoft to Azure Blob Storage and consumed by Hunters from your storage. Follow the next steps to allow the export of events:
Ship real time events and alerts directly to Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions follow this official tutorial of Microsoft explaining how to forward events to Azure storage.
Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.
Creating a Data flow in the Hunters portal
🔑 Key points to remember:
Blob Prefix field should always remain empty
File Format should always be NDJSON
Note: In the bottom of this page see an example of what a data type input should look like.
In the Product box, select Microsoft MDATP
In the Source box, select Azure Blob Storage
Paste the Connection string from the prerequisites section (see connection string example below)
For each Data Type, fill in the appropriate File Format and Container name according to the table below.
Blob Prefix should remain empty
The file format for all data types should be NDJSON
Currently, backfilling is not supported for Azure storage account based data flows. Hence, the "Start date" field could be ignored.
Device Alert Events
Device Network Info
Device Process Events
Device Network Events
Device File Events
Device Registry Events
Device Logon Events
Device Image Load Events