Defender telemetry data can be persisted in Azure Blob Storage. This results in date/time-stamped directories containing JSON files, so you can easily ingest some of your telemetry data into Splunk, gzip it, or query it with jq.
- Copy the primary key from your storage account via Azure Storage Explorer
- Launch an Ubuntu Linux VM in Azure
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install blobfuse
- Run this script as a non-privileged user (it uses sudo for the mount and unmount steps only).
#!/bin/bash
# One blob container per advanced hunting table (LIJST is Dutch for "list").
LIJST="insights-logs-advancedhunting-devicealertevents insights-logs-advancedhunting-deviceevents insights-logs-advancedhunting-devicefilecertificateinfo insights-logs-advancedhunting-devicefileevents insights-logs-advancedhunting-deviceimageloadevents insights-logs-advancedhunting-deviceinfo insights-logs-advancedhunting-devicelogonevents insights-logs-advancedhunting-devicenetworkevents insights-logs-advancedhunting-devicenetworkinfo insights-logs-advancedhunting-deviceprocessevents insights-logs-advancedhunting-deviceregistryevents"
for i in $LIJST; do
  # Unmount a previous mount of this container, if any (fails harmlessly on the first run).
  sudo fusermount -u "$HOME/defender_telemetry/${i}" 2>/dev/null
  # blobfuse needs a local cache directory; it is used by the root-owned blobfuse process.
  sudo mkdir -p "/mnt/resource/blobfusetmp/${i}"
  # The config file holds the storage account key in clear text, so create it readable by this user only.
  ( umask 077 && cat > "$HOME/fuse_${i}.cfg" << EOF
accountName YOURACCOUNTNAME
accountKey YOUR_STORAGE_ACCOUNT_PRIMARY_KEY
containerName $i
EOF
  )
  mkdir -p "$HOME/defender_telemetry/${i}"
  # Mount the container; allow_other lets other local users (e.g. a Splunk forwarder) read it.
  sudo blobfuse "$HOME/defender_telemetry/${i}" --tmp-path="/mnt/resource/blobfusetmp/${i}" --config-file="$HOME/fuse_${i}.cfg" -o attr_timeout=240 -o entry_timeout=240 -o negative_timeout=120 -o allow_other
done
- Optionally, gzip all the JSON files under the mounted containers:
nohup find ~/defender_telemetry -type f -name '*.json' -exec gzip -v {} \; &
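Once the containers are mounted (and optionally gzipped), the tree can be read directly instead of via jq. The following is an added example, not code from the original notes: it assumes the layout described above (one directory per container, date/time-stamped subdirectories, and JSON files with one object per line carrying the event columns under a `properties` member, which is an assumption about the export format), handles both `.json` and `.json.gz` files, and skips a half-written trailing line such as you would find in the hourly blob that is still being appended to. The sample records and the directory names it writes are constructed for the demonstration.

```python
"""Walk a blobfuse-mounted Defender telemetry tree and roll up events per table.

Added example; the record shape (JSON lines, event columns under "properties")
and the y=/m=/d=/h= directory names are assumptions about the export format.
"""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample records (not real telemetry) in the assumed export shape.
SAMPLE_PROCESS_EVENTS = [
    {"time": "2021-03-15T10:00:01Z", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01", "FileName": "powershell.exe",
                    "InitiatingProcessFileName": "winword.exe"}},
    {"time": "2021-03-15T10:00:07Z", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws02", "FileName": "cmd.exe",
                    "InitiatingProcessFileName": "explorer.exe"}},
]
SAMPLE_LOGON_EVENTS = [
    {"time": "2021-03-15T11:00:03Z", "category": "AdvancedHunting-DeviceLogonEvents",
     "properties": {"DeviceName": "ws01", "AccountName": "alice", "LogonType": "Interactive"}},
]


def build_sample_tree() -> Path:
    """Write the constructed records into a temporary tree that mimics the mounted
    layout: <container>/y=2021/m=03/d=15/h=10/PT1H.json. The logon file is left
    gzipped to exercise the post-gzip case, and the process file ends with a
    truncated line to mimic a blob that is still being written."""
    root = Path(tempfile.mkdtemp(prefix="defender_telemetry_"))
    proc_dir = root / "insights-logs-advancedhunting-deviceprocessevents" / "y=2021/m=03/d=15/h=10"
    proc_dir.mkdir(parents=True)
    body = "\n".join(json.dumps(r) for r in SAMPLE_PROCESS_EVENTS)
    (proc_dir / "PT1H.json").write_text(body + '\n{"time": "truncated\n', encoding="utf-8")
    logon_dir = root / "insights-logs-advancedhunting-devicelogonevents" / "y=2021/m=03/d=15/h=11"
    logon_dir.mkdir(parents=True)
    with gzip.open(str(logon_dir / "PT1H.json.gz"), "wt", encoding="utf-8") as fh:
        for r in SAMPLE_LOGON_EVENTS:
            fh.write(json.dumps(r) + "\n")
    return root


def open_text(path: Path):
    """Open a plain or gzip-compressed JSON file for reading as text."""
    if path.suffix == ".gz":
        return gzip.open(str(path), "rt", encoding="utf-8")
    return path.open("r", encoding="utf-8")


def iter_events(root: Path, stats: Counter = None):
    """Yield (container, record) for each JSON line in every *.json / *.json.gz
    file below root. Lines that do not parse are counted in stats["malformed_lines"]
    and skipped, so one partially written hourly blob does not abort the walk."""
    if stats is None:
        stats = Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if not (path.name.endswith(".json") or path.name.endswith(".json.gz")):
            continue
        container = path.relative_to(root).parts[0]  # first path component is the container
        with open_text(path) as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                try:
                    record = json.loads(line)
                except json.JSONDecodeError:
                    stats["malformed_lines"] += 1
                    continue
                yield container, record


def summarise(root: Path) -> dict:
    """Count events per container and, for DeviceProcessEvents, which parent process
    started which child: the kind of roll-up you would otherwise script with jq."""
    stats = Counter()
    per_container = Counter()
    parent_child = Counter()
    for container, record in iter_events(root, stats):
        per_container[container] += 1
        props = record.get("properties", {})
        if container.endswith("deviceprocessevents"):
            parent_child[(props.get("InitiatingProcessFileName"), props.get("FileName"))] += 1
    return {
        "per_container": dict(per_container),
        "parent_child": dict(parent_child),
        "malformed_lines": stats["malformed_lines"],
    }


if __name__ == "__main__":
    # Point summarise() at ~/defender_telemetry on the VM; here it runs on the sample tree.
    print(json.dumps(summarise(build_sample_tree()), default=str, indent=2))
```

On the VM, replace `build_sample_tree()` with `Path.home() / "defender_telemetry"`; because blobfuse serves the files on demand, the walk pulls each blob into the `--tmp-path` cache as it is opened, so restrict `rglob` to the date subdirectories you need rather than scanning every table from the start.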