Enable Microsoft Defender for Endpoint Log Collection

Procedure

1. Enable Microsoft Defender for Endpoint Log Collection for a new or existing Azure subscription:
   1. Go to Cloud Security → Cloud Accounts.
   2. Click the Azure tab.
   3. Click Add Subscription or select an Azure subscription from the list.
   4. On the Features and permissions page (if you are adding a new subscription), or the Resource update tab (if you are configuring an existing subscription), enable Microsoft Defender for Endpoint Log Collection .
   5. By default Microsoft Defender for Endpoint Log Collection deploys to all regions. To remove regions, click the Deployment list and clear the checkbox beside each region you want to remove.
2. Specify which log repository in which to save log data:
   1. Click Scanner settings.
   2. Select a log repository from the list. If no log repositories exist, click the link to add a log repository in Data Source and Log Management. After adding a log repository, click the refresh icon to show the repository in the list and select it.
3. Save your changes. If you are adding a new Azure subscription, complete the steps to add the subscription. For more information, see Adding an Azure subscription.
4. Configure Microsoft Defender to export events:
   1. In Microsoft Defender, go to General > Streaming API.
   2. Click Add to create a new Streaming API setting.
   3. Provide a name for the setting.
   4. Select Forward events to Event Hub.
   5. In the Event-Hub Resource ID field, enter /subscriptions/{subscriptionID}/resourceGroups/trendmicro-clm-mde-rg/providers/Microsoft.EventHub/namespaces/clm-eventhub-ns-{first 8 chars of subscriptionID}.
   6. In the Event-Hub name field, enter insights-logs-advancedhunting.
   7. In the Event Types area, select all Alerts & Behaviors and Devices.
   8. Click Submit.