Announcing Microsoft 365 Defender Streaming API Public Preview

Published Jun 02 2021 06:53 PM 6,392 Views
Microsoft

The Microsoft 365 Defender team is happy to announce that the Microsoft 365 Defender Streaming API (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide) is now available in Public Preview.
The Microsoft 365 Defender Streaming API lets you export events to your Azure Event Hubs or your Azure Storage account and, from there, to your location of choice. This lets you run custom analytics over that data or ingest it into other Security Operations systems, such as SIEM or SOAR products.
If you already use the Microsoft Defender for Endpoint Raw data export API (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export?view=o365-worldwide) to stream device events, the Microsoft 365 Defender Streaming API extends this to include email and alert events.

Event Category | Event Type (Advanced Hunting Event table name)
---------------|-----------------------------------------------
Alerts (New!)  | AlertInfo, AlertEvidence
Devices        | DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
Email (New!)   | EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents


The Streaming API exports the selected event types in the Microsoft 365 Defender Advanced Hunting schema. For more information, see Understand the Advanced Hunting Schema (https://go.microsoft.com/fwlink/?linkid=2164957).

If you are using the Streaming API for the first time, you can find step-by-step instructions in the Microsoft 365 Streaming API Guide (https://go.microsoft.com/fwlink/?linkid=2165134) on configuring the Microsoft 365 Streaming API to stream events to your Azure Event Hubs (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide) or to your Azure Storage Account (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-storage?view=o365-worldwide).

If you are familiar with the Microsoft Defender for Endpoint Raw data export API, you can simply go to the Microsoft 365 Defender Portal (https://security.microsoft.com) > Settings > Microsoft 365 Defender > Streaming API, enter your Azure Event Hub (https://docs.microsoft.com/en-us/azure/event-hubs/) or Azure Storage Account (https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) information, and select the event types you want to export (see below).
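Once the export is configured, the consuming side has to unpack what arrives in the Event Hub and fan the rows out to the right Advanced Hunting table before any SIEM rule can run on them. The following is an added example (not code from the announcement or from Microsoft) of that first consumer step in plain Python: it parses one Event Hubs message body, groups the rows by table using the table list from this post, counts records it cannot place (malformed, or from a table outside the advertised set) so they are not silently lost, and runs two simple checks over the result. The envelope layout ("records" list with "time", "tenantId", "category" and "properties" fields, and the "AdvancedHunting-" category prefix) and all sample values are assumptions constructed for the example, not output captured from a tenant.

```python
import json
from collections import defaultdict

# Event tables the Streaming API can export, as listed in the announcement.
STREAMABLE_TABLES = {
    "AlertInfo", "AlertEvidence",
    "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents", "DeviceFileEvents",
    "DeviceNetworkEvents", "DeviceRegistryEvents", "DeviceLogonEvents",
    "DeviceImageLoadEvents", "DeviceEvents", "DeviceFileCertificateInfo",
    "EmailEvents", "EmailAttachmentInfo", "EmailUrlInfo", "EmailPostDeliveryEvents",
}

# Assumed prefix carried in each record's "category" field.
CATEGORY_PREFIX = "AdvancedHunting-"

# Constructed sample of one Event Hubs message body (assumed envelope layout).
# It includes two records that a consumer must not accept blindly: one from a
# table the API does not advertise and one with no "properties" at all.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2021-06-02T18:53:00Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "alert-0001", "Title": "Suspicious PowerShell command line",
                    "Category": "Execution", "Severity": "High",
                    "ServiceSource": "Microsoft Defender for Endpoint"}},
    {"time": "2021-06-02T18:53:01Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "alert-0002", "Title": "Email reported by user as junk",
                    "Category": "InitialAccess", "Severity": "Informational",
                    "ServiceSource": "Microsoft Defender for Office 365"}},
    {"time": "2021-06-02T18:53:02Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-EmailEvents",
     "properties": {"NetworkMessageId": "msg-0001", "SenderFromAddress": "billing@example.net",
                    "RecipientEmailAddress": "user@example.com", "ThreatTypes": "Phish",
                    "DeliveryAction": "Blocked"}},
    {"time": "2021-06-02T18:53:03Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-EmailEvents",
     "properties": {"NetworkMessageId": "msg-0002", "SenderFromAddress": "hr@example.com",
                    "RecipientEmailAddress": "user@example.com", "ThreatTypes": "",
                    "DeliveryAction": "Delivered"}},
    {"time": "2021-06-02T18:53:04Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01.example.com", "FileName": "powershell.exe",
                    "ProcessCommandLine": "powershell.exe -enc ...",
                    "InitiatingProcessFileName": "winword.exe"}},
    {"time": "2021-06-02T18:53:05Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-IdentityLogonEvents",   # not an exported table
     "properties": {"AccountName": "user", "FailureReason": "AccountLocked"}},
    {"time": "2021-06-02T18:53:06Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-DeviceInfo"},            # malformed: no properties
]})


def parse_streaming_message(body):
    """Return the record list from one message body.

    Raises ValueError when the body is not the expected {"records": [...]}
    envelope, so the caller can dead-letter it instead of dropping it silently.
    """
    envelope = json.loads(body)
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body is not a Streaming API envelope")
    return records


def table_name(record):
    """Map a record's category to its Advanced Hunting table, or None."""
    category = record.get("category", "")
    if not category.startswith(CATEGORY_PREFIX):
        return None
    return category[len(CATEGORY_PREFIX):]


def route_records(records):
    """Group event columns by table; count records that cannot be placed."""
    routed, dropped = defaultdict(list), 0
    for record in records:
        table, props = table_name(record), record.get("properties")
        if table not in STREAMABLE_TABLES or not isinstance(props, dict):
            dropped += 1          # unknown table or malformed record
            continue
        routed[table].append(props)
    return dict(routed), dropped


def high_severity_alert_titles(routed):
    """Titles of AlertInfo rows whose Severity column is High."""
    return [a["Title"] for a in routed.get("AlertInfo", []) if a.get("Severity") == "High"]


def emails_with_threats(routed):
    """NetworkMessageIds of EmailEvents rows that carry any ThreatTypes value."""
    return [e["NetworkMessageId"] for e in routed.get("EmailEvents", []) if e.get("ThreatTypes")]


def summarize(body):
    """One pass over a message body: per-table counts plus the two checks."""
    routed, dropped = route_records(parse_streaming_message(body))
    return {"per_table": {t: len(rows) for t, rows in routed.items()},
            "dropped": dropped,
            "high_alerts": high_severity_alert_titles(routed),
            "threat_emails": emails_with_threats(routed)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_MESSAGE), indent=2))
```

The dropped counter is the part worth keeping in a real pipeline: when Microsoft adds an event type, or when a message is truncated, the count rising is the earliest signal that the export and the SIEM no longer agree on what is being streamed.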

[Image: M365D Settings - Streaming API - choose event types.png] Select the events you want to export in the Microsoft 365 Defender Streaming API settings

We’d love to hear your feedback!

 

Microsoft 365 Defender Team

3 Comments
Occasional Contributor

Would love to see MDI raw data also being streamable, including all its tables. For example, that would allow getting all DNS events from DCs into 3rd-party SIEMs. Currently this is only possible via the Advanced Hunting API and pushing results back (e.g. a simple | IdentityQueryEvents). Please add support for Defender for Identity streaming of all tables.

New Contributor

Nice, is it also possible to enable this for other columns like

Apps & identities >

    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where FailureReason == "AccountLocked"
    | project LogonTime = Timestamp, LogonType, AccountName, AccountDomain, FailureReason, AccountDisplayName, DeviceName

so we can make a Power BI view report for the helpdesk, as they are not allowed to go into Microsoft Security Center. But it will be handy when they can view where users are locked.

Microsoft

Thank you @BillTheKid  and @quinzy  for your feedback - we'll be sure to update on enrichments and enhancements to the Streaming API as they become available.
