Prerequisites

  1. Ship real-time events and alerts directly to an Azure storage account by logging in to Microsoft Defender Security Center and adding a data export. For detailed instructions, follow Microsoft's official tutorial on forwarding events to Azure storage.

  2. Share your Azure storage with Hunters using this tutorial: Sharing Azure storage with Hunters.

Creating a Data flow

  1. In the Product box, select Microsoft 365 Defender for Endpoints

  2. In the Source box, select Azure Blob Storage

  3. Paste the connection string obtained in the prerequisites section.

  4. For each Data Type, fill in the appropriate Blob Prefix, File Format and Container name according to the table below.

Backfilling is currently not supported for data flows based on an Azure storage account, so the "Start date" field can be ignored.

Data Type                  File Format   Container name
Device Alert Events        NDJSON        insights-logs-advancedhunting-devicealertevents
Device Info                NDJSON        insights-logs-advancedhunting-deviceinfo
Device Network Info        NDJSON        insights-logs-advancedhunting-devicenetworkinfo
Device Process Events      NDJSON        insights-logs-advancedhunting-deviceprocessevents
Device Network Events      NDJSON        insights-logs-advancedhunting-devicenetworkevents
Device File Events         NDJSON        insights-logs-advancedhunting-devicefileevents
Device Registry Events     NDJSON        insights-logs-advancedhunting-deviceregistryevents
Device Logon Events        NDJSON        insights-logs-advancedhunting-devicelogonevents
Device Image Load Events   NDJSON        insights-logs-advancedhunting-deviceimageloadevents
Device Events              NDJSON        insights-logs-advancedhunting-deviceevents
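Before wiring up the data flow, it is worth confirming that the blobs landing in each container are well-formed NDJSON and actually carry the data type the container name promises; a mismatch usually means the Blob Prefix / Container name pairing is wrong. The following is an added example written for this page, not Hunters' or Microsoft's code; it assumes each exported line is a JSON object with "time", "category" and "properties" keys and that the category string matches the container name after "insights-logs-" when lower-cased (the sample records are constructed).

```python
import json
from collections import Counter
from typing import List, Tuple

# Constructed sample of what one exported blob might contain. Line 3 is blank,
# line 4 belongs to a different data type, and line 5 is truncated JSON, so the
# check below has something to report.
SAMPLE_NDJSON = "\n".join([
    '{"time":"2024-01-01T00:00:00Z","category":"AdvancedHunting-DeviceProcessEvents","properties":{"DeviceName":"host1","FileName":"cmd.exe"}}',
    '{"time":"2024-01-01T00:00:01Z","category":"AdvancedHunting-DeviceProcessEvents","properties":{"DeviceName":"host2","FileName":"svchost.exe"}}',
    "",
    '{"time":"2024-01-01T00:00:02Z","category":"AdvancedHunting-DeviceNetworkEvents","properties":{"DeviceName":"host1","RemotePort":443}}',
    '{"time":"2024-01-01T00:00:03Z","category":"AdvancedHunting-DeviceProcessEvents","properties":',
])


def expected_container(category: str) -> str:
    """Map an export category to its container name from the table above.
    Assumption: container = 'insights-logs-' + category in lower case."""
    return "insights-logs-" + category.lower()


def check_blob(container: str, ndjson: str) -> Tuple[Counter, List[str]]:
    """Parse one blob's NDJSON content. Returns a per-category record count
    and a list of problems: unparseable lines, records missing the expected
    keys, and records whose category does not belong in this container."""
    counts: Counter = Counter()
    problems: List[str] = []
    for lineno, raw in enumerate(ndjson.splitlines(), start=1):
        if not raw.strip():
            continue  # tolerate blank/trailing lines, common in NDJSON output
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append(f"line {lineno}: not valid JSON ({exc.msg})")
            continue
        if not all(k in rec for k in ("time", "category", "properties")):
            problems.append(f"line {lineno}: missing time/category/properties")
            continue
        counts[rec["category"]] += 1
        if expected_container(rec["category"]) != container:
            problems.append(f"line {lineno}: {rec['category']} does not belong in {container}")
    return counts, problems


if __name__ == "__main__":
    counts, problems = check_blob("insights-logs-advancedhunting-deviceprocessevents", SAMPLE_NDJSON)
    print(dict(counts))
    for msg in problems:
        print("PROBLEM:", msg)
```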