Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
Microsoft Defender ATP (MDATP) holds a ton of information about users, their endpoints, their applications and processes, and network events that threat hunters can use in their investigations. The Advanced Hunting functionality in MDATP lets them query that information directly.
This is great, but threat hunters are often searching through multiple sources and combining information from all of them to aggregate signals and ‘paint a picture’ of what is going on. Microsoft already supports Jupyter notebooks today, where threat hunters can use the Kusto Query Language (KQL), Microsoft’s new query language, to dig up data.
But what if you are using Elasticsearch, Logstash and Kibana (ELK)? Is there a way to bring information from Microsoft Defender ATP into ELK and work with the data there? The MDATP team just released (a preview of) the Streaming API, which allows you to do just that.
How can I learn to hunt?
It's hard. It takes years of experience: knowing the platforms and knowing what to look for. But you also need the basic skills: working with Elasticsearch, Logstash and Kibana. You need to master KQL queries and learn how to combine signals.
— Maarten Goet, MVP & RD