You can enable Microsoft Defender for Endpoint Log Collection on both new and existing Azure subscriptions in Cloud Accounts. Trend Vision One collects the data from Microsoft Defender and saves it in a log repository that you specify, which you can then view in Data Source and Log Management. After enabling the feature in Trend Vision One, you must configure Microsoft Defender to export events to Trend Vision One.

Procedure

  1. Enable Microsoft Defender for Endpoint Log Collection for a new or existing Azure subscription:
    1. Go to Cloud Security > Cloud Accounts.
    2. Click the Azure tab.
    3. Click Add Subscription or select an Azure subscription from the list.
    4. On the Features and permissions page (if you are adding a new subscription), or the Resource update tab (if you are configuring an existing subscription), enable Microsoft Defender for Endpoint Log Collection.
    5. By default Microsoft Defender for Endpoint Log Collection deploys to all regions. To remove regions, click the Deployment list and clear the checkbox beside each region you want to remove.
  2. Specify the log repository in which to save log data:
    1. Click Scanner settings.
    2. Select a log repository from the list. If no log repositories exist, click the link to add a log repository in Data Source and Log Management. After adding a log repository, click the refresh icon to show the repository in the list and select it.
  3. Save your changes. If you are adding a new Azure subscription, complete the steps to add the subscription. For more information, see Adding an Azure subscription.
  4. Configure Microsoft Defender to export events:
    1. In Microsoft Defender, go to General > Streaming API.
    2. Click Add to create a new Streaming API setting.
    3. Provide a name for the setting.
    4. Select Forward events to Event Hub.
    5. In the Event-Hub Resource ID field, enter /subscriptions/{subscriptionID}/resourceGroups/trendmicro-clm-mde-rg/providers/Microsoft.EventHub/namespaces/clm-eventhub-ns-{first 8 chars of subscriptionID}.
    6. In the Event-Hub name field, enter insights-logs-advancedhunting.
    7. In the Event Types area, select all Alerts & Behaviors and Devices.
    8. Click Submit.
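The Event-Hub Resource ID in step 4.5 is easy to mistype. The helper below is an added example (not Trend Micro's code) that builds the ID from a subscription ID and checks a value before it is pasted into the Streaming API setting; it assumes the namespace suffix is the lowercase form of the first 8 characters of the subscription ID.

```python
import re

# Names from the procedure above: the resource group and namespace that Trend
# Vision One deploys per subscription, and the event hub Defender streams into.
RESOURCE_GROUP = "trendmicro-clm-mde-rg"
NAMESPACE_PREFIX = "clm-eventhub-ns-"
EVENT_HUB_NAME = "insights-logs-advancedhunting"

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/namespaces/(?P<ns>[^/]+)$"
)

def event_hub_resource_id(subscription_id: str) -> str:
    """Build the Event-Hub Resource ID to paste into the Streaming API setting.
    Assumption: the namespace suffix uses the lowercase form of the subscription ID."""
    sub = subscription_id.strip().lower()
    if not GUID_RE.match(sub):
        raise ValueError(f"not an Azure subscription ID (GUID): {subscription_id!r}")
    return (f"/subscriptions/{sub}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.EventHub/namespaces/{NAMESPACE_PREFIX}{sub[:8]}")

def check_resource_id(resource_id: str) -> list[str]:
    """Return the problems found in a pasted resource ID (empty list = matches the
    convention). Azure resource IDs are compared case-insensitively."""
    m = RESOURCE_ID_RE.match(resource_id.strip())
    if not m:
        return ["not of the form /subscriptions/.../providers/.../namespaces/..."]
    sub, rg, provider, ns = (m.group(k).lower() for k in ("sub", "rg", "provider", "ns"))
    problems = []
    if not GUID_RE.match(sub):
        problems.append(f"subscription segment {sub!r} is not a GUID")
    elif ns != NAMESPACE_PREFIX + sub[:8]:
        problems.append(f"namespace is {ns!r}, expected {NAMESPACE_PREFIX + sub[:8]!r}")
    if rg != RESOURCE_GROUP:
        problems.append(f"resource group is {rg!r}, expected {RESOURCE_GROUP!r}")
    if provider != "microsoft.eventhub":
        problems.append(f"provider is {provider!r}, expected 'Microsoft.EventHub'")
    return problems

if __name__ == "__main__":
    rid = event_hub_resource_id("12345678-ABCD-ef01-2345-6789abcdef01")  # constructed sample ID
    print("Event-Hub Resource ID:", rid)
    print("Event-Hub name:", EVENT_HUB_NAME)
    print("Problems:", check_resource_id(rid) or "none")
```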

What to do next

To ensure that Trend Vision One retains the Microsoft Defender data for an adequate period, you can configure the retention period for the log repository. The default retention period is 30 days. For more information, see Log repositories.