The Defender streaming API Public has the functionality for exporting specific events to your storage account/ event hub. From the Azure Storage or Event Hub it is possible to export data into other SIEM solutions. The Streaming API exports the selected event types in the Microsoft 365 Defender Advanced Hunting schema.
Configure a storage account
- In the Azure console, search for Storage accounts.
2. Click Create.
3. Select the Subscription, Resource Group, region, performance (recommend Standard), and Redundancy (recommend GRS or LRS) needed for the account, enter a name for the new Storage Account.
4. Click Review + Create, review the overview of the account and click Create.
5. On the Storage Account Overview page, select Access keys from the left navigation of the window.
6. Click Show keys and make a note of the shared key for the storage account.
7. Select Endpoints from the left navigation of the window.
8. Make a note of the Blob service endpoint.
Configure raw data streaming
- Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.
- Go to Data Export settings page in Microsoft 365 Defender.
- Click Add data export settings.
- Choose a name for your new settings.
- Choose Forward events to Azure Storage.
- Type your Storage Account Resource ID. To get your Storage Account Resource ID, go to your Storage account page on Azure portal > properties tab > copy the text under Storage account resource ID:
7. Choose the events you want to stream and click Save.
Configure a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Azure logs:
- Go to Chronicle settings and click Feeds.
- Click Add New.
3. Select Microsoft Azure Blob Storage for Source Type.
4. Select Microsoft Defender for Identity for Log Type.
5. Click Next.
6. Under Azure URI, enter the Blob Service endpoint value you recorded earlier, suffixed with insights-activity-log
(For example, https://acme-azure-chronicle.blob.core.windows.net/insights-activity-log)
7. Under URI Source Type, select Directories including subdirectories.
8. Under Shared key, enter the shared key value you captured earlier.
9. Click Next and Finish