Microsoft Defender for Endpoint
Prerequisites
Ship real time events and alerts directly to Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions follow this official tutorial of Microsoft explaining how to forward events to Azure storage.
Share your Azure storage with Hunters using this tutorial - Sharing Azure storage with Hunters.
Creating a Data flow
In the Product box, select Microsoft 365 Defender for Endpoints
In the Source box, select Azure Blob Storage
Paste the Connection string from the prerequisites section.
For each Data Type, fill in the appropriate Blob Prefix, File Format and Container name according to the table below.
Currently, backfilling is not supported for Azure storage account based data flows. Hence, the "Start date" field could be ignored.
Data Type | File Format | Container name |
|---|---|---|
Device Alert Events | NDJSON | insights-logs-advancedhunting-devicealertevents |
Device Info | NDJSON | insights-logs-advancedhunting-deviceinfo |
Device Network Info | NDJSON | insights-logs-advancedhunting-devicenetworkinfo |
Device Process Events | NDJSON | insights-logs-advancedhunting-deviceprocessevents |
Device Network Events | NDJSON | insights-logs-advancedhunting-devicenetworkevents |
Device File Events | NDJSON | insights-logs-advancedhunting-devicefileevents |
Device Registry Events | NDJSON | insights-logs-advancedhunting-deviceregistryevents |
Device Logon Events | NDJSON | insights-logs-advancedhunting-devicelogonevents |
Device Image Load Events | NDJSON | insights-logs-advancedhunting-deviceimageloadevents |
Device Events | NDJSON | insights-logs-advancedhunting-deviceevents |