Defender

Microsoft Defender offers protection, detection, investigation, and response to threats. Defender comes in multiple editions, Defender for Office 365, Defender for Endpoint, Defender for IoT, Defender for Identity, and Defender for Cloud. All Defender products can stream events in real time to Tenzir using Azure Event Hubs.

For Microsoft Defender and Microsoft 365 data that is exposed as Microsoft Graph collections, use Microsoft Graph with from_microsoft_graph. Use Azure Event Hubs for real-time Defender streaming. For the Microsoft API surface, see the Microsoft Graph Security API reference and the Microsoft Defender XDR API reference.

Microsoft Defender Setup

The following example assumes that you have already set up Microsoft Defender and Microsoft Defender XDR, for example, by following the official documentation.

Setup

Configure Streaming API

In Microsoft Security Center, configure Streaming under System -> Settings -> Microsoft Defender XDR -> General -> Streaming API. Add a new Streaming API for the target Event Hub and enable all event types that you want to collect.

For detailed instructions on setting up Azure Event Hubs and consuming events with Tenzir, see the Azure Event Hubs integration documentation.

See Also

• from_microsoft_graph
• Microsoft Graph
• Azure Event Hubs