defender-endpoint/api/raw-data-export-storage.md
Lines changed: 8 additions & 7 deletions
@@ -40,9 +40,10 @@ ms.date: 06/28/2024
40
40
41
41
> [!IMPORTANT]
42
42
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
43
+
43
44
## Enable raw data streaming
44
45
45
-
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a ***Security Administrator***.
46
+
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Security Administrator.
46
47
47
48
2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR.
48
49
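Review bot: Step 1 names Security Administrator as the sign-in role, but the least-privilege note directly above it mentions only Global Administrator, so with the `***...***` emphasis removed nothing on the page marks this as the role the procedure requires. Consider saying in step 1 that Security Administrator is the role needed for this procedure, if that is the intent. While this list is being edited, step 2 still reads "Go to [Data export settings page]" without "the", unlike the article added to step 1 under Data types mapping.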
@@ -77,7 +78,7 @@ ms.date: 06/28/2024
77
78
78
79
- Each blob contains multiple rows.
79
80
80
-
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you get events only from your tenant), and the event in JSON format in a property called "properties".
81
+
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you get events only from your tenant), and the event in JSON format in a property called `properties`.
81
82
82
83
- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](/defender-xdr/advanced-hunting-overview).
83
84
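Review bot: The rewritten bullet still says "the tenant it belongs (you get events only from your tenant)", which is missing "to". Since the line is already being changed for the `properties` formatting, fix it in the same edit: "the tenant it belongs to (you get events only from your tenant)".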
@@ -87,9 +88,9 @@ ms.date: 06/28/2024
87
88
88
89
## Data types mapping
89
90
90
-
In order to get the data types for our events properties, do the following:
91
+
In order to get the data types for our events properties, take the following steps:
91
92
92
-
1. Sign in to [Microsoft Defender portal](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
93
+
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
93
94
94
95
2. Run the following query to get the data types mapping for each event:
95
96
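Review bot: The new intro sentence keeps "In order to get the data types for our events properties", where "our events properties" is ungrammatical and "In order to" is wordy. Suggest "To get the data types for event properties, take the following steps:". In step 1 the article was added before the portal link but not before the second link; "go to the [Advanced Hunting page]" would make the two consistent.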
@@ -99,16 +100,16 @@ In order to get the data types for our events properties, do the following:
99
100
| project ColumnName, ColumnType
100
101
```
101
102
102
-
- Here's an example for Device Info event:
103
+
Here's an example for Device Info event:
103
104
104
-
:::image type="content" source="../media/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../media/data-types-mapping-query.png":::
105
+
:::image type="content" source="../media/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../media/data-types-mapping-query.png":::
105
106
106
107
## Related articles
107
108
108
109
-[Stream Microsoft Defender XDR events | Microsoft Learn](/defender-xdr/streaming-api)
109
-
110
110
-[Overview of Advanced Hunting](/defender-xdr/advanced-hunting-overview)
111
111
-[Microsoft Defender for Endpoint Streaming API](raw-data-export.md)
112
112
-[Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
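Review bot: The re-indented image line keeps alt-text="The Event Hubs with resource ID3", which does not describe `data-types-mapping-query.png`; screen-reader users get a description of a different screenshot. Replace it with text describing the query result for the Device Info event. Also, "Here's an example for Device Info event" needs "the", and the last Related articles entry links to raw-data-export-storage.md, which is the file being edited, so it can be dropped.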