Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace



In my last post, Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context, I discussed how an analyst can use Defender ATP to visualize MITRE ATT&CK Tactic and Technique information from Advanced Hunting queries. Advanced Hunting queries have some limitations: reports need to be run manually, and we are limited to 30 days of data. To overcome those limitations, this post demonstrates a way to pull DATP data into an Azure Log Analytics workspace using an Azure Logic App.


azure atp 1


In my Azure portal, I will search for and select the Log Analytics icon to create a new Log Analytics workspace as seen in the image below.


azure img 1


Figure 1: Azure Log Analytics workspace creation Basics


Choose your pricing tier.


azure img 2


Figure 2: Azure Log Analytics workspace creation Pricing


Add any tags.


azure img 3


Figure 3: Azure Log Analytics workspace creation Tags


Review and create.


azure img 4


Figure 4: Azure Log Analytics workspace creation Review


Once the workspace is created click Go to resource.


azure img 00


The Overview section of the newly created workspace will show the Subscription ID, Workspace Name and ID.


azure img 4a


Figure 4a: Azure Log Analytics workspace creation Review


Next click Advanced settings on the left-hand side and note the Workspace ID and Primary Key when they appear.


azure img 5


Figure 5: New Azure Log Analytics workspace advanced settings


Create a new Logic App using the same Resource group used in the Log Analytic workspace.


azure img 5a


Figure 5a: Azure portal Logic Apps selection


Add any necessary parameters, including the Subscription, Resource group, and Logic App Name.


azure img 6


Figure 6: New Azure Logic Apps Basics


Add any needed tags if necessary and Create.


azure img 7


Figure 7: New Azure Logic Apps Review


Once created, click Go to resource.


azure img 000


Create a Blank Logic App.


azure img 0000


Search for schedule and add a recurrence. In this example, I am going to perform an action once daily, starting today.


azure img 8


Figure 8: New Azure Logic Apps Review


The scheduled recurrence will trigger once daily, starting on 5-13-2020.


azure img 9


Figure 9: Schedule/Recurrence settings


Next, the recurrence needs to perform some sort of action at that time. I want the app to run an Advanced Hunting query against Microsoft Defender ATP.


Choose New step.


azure img 00000


Search for Microsoft Defender.


azure img 10


Figure 10: Logic Apps Microsoft Defender Action


You may be prompted to sign into Defender to create the connection.


azure img 11

Figure 11: Logic Apps Microsoft Defender connection prompt


Select Action and choose Advanced Hunting.


azure img 12

Figure 12: Logic Apps Microsoft Defender Action – Advanced Hunting


Now we will add the same query used in DATP, with an additional where clause that selects only the events from the last 24 hours, to coincide with our daily recurrence.


azure img 13


Figure 13: Logic Apps Microsoft Defender Action -Advanced Hunting query


| where Timestamp > ago(24h)
| where Category == "InitialAccess"
    or Category == "Execution"
    or Category == "Persistence"
    or Category == "PrivilegeEscalation"
    or Category == "DefenseEvasion"
    or Category == "CredentialAccess"
    or Category == "Discovery"
    or Category == "LateralMovement"
    or Category == "Collection"
    or Category == "CommandAndControl"
    or Category == "Exfiltration"
    or Category == "Impact"


Next we need to do something with the results the Advanced Hunting query produces. Search for “Control” and then select “For each” under Actions.


azure img 14


Figure 14: Next Step –> Control –> For Each


Next, define what the “For each” iterates over. In this case, it will be the results of the query.


azure img 15


Figure 15: Control –> For Each -> Results


Within the same frame, we need to add an action.


azure img 000000


Search for “Azure Analytics” and select “Azure Log Analytics Data Collector.”


azure img 16


Figure 16: Control –> Next Action -> Azure Log Analytics


Under the Action tab select “Send Data.”


azure img 17


Figure 17: Azure Log Analytics -> Action -> Send Data


The JSON Request body will be the “Current item.” The Custom Log Name will be the name of the new log table that we can search for with KQL.


azure img 18


Figure 18: Send Data Settings


I now get a prompt to create a name for the connection; the Workspace ID and Workspace (Primary) Key are the values noted in the earlier steps.


azure img 19


Figure 19: Azure Log Analytics Data Collector Settings


After the connection is made, we need to add one additional parameter, the “Time-generated-field.” I chose to use UTC. The “For each” step should look like the one in the picture below. There are no additional steps in creating the Logic App, and we can run a test.


azure img 20


Figure 20: Logic App overview
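For readers who want to see what the “Send Data” action is doing with the Workspace ID and Primary Key, the following Python script is an added example (it is not part of the original post and not Optiv’s or Microsoft’s code). It reproduces the connector’s behaviour against the Log Analytics HTTP Data Collector API: it builds the RFC 1123 x-ms-date header, signs the request with HMAC-SHA256 over the documented string-to-sign using the base64-decoded Primary Key, sets Log-Type to the custom log name and time-generated-field to the Timestamp column, and targets the workspace’s ods.opinsights.azure.com endpoint. The workspace ID, key, log name and query rows are constructed placeholders; the custom log name “DefenderATPAlerts” is an assumption. Because the key alone is enough to write to the workspace, treat it like any other credential (store it in Key Vault or the Logic App connection, never in the script).

```python
"""Added example, not from the original post: what the Logic App's
"Azure Log Analytics Data Collector -> Send Data" step does under the hood."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from urllib import request

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
CONTENT_TYPE = "application/json"

# Custom log names may contain only letters, digits and underscores;
# the workspace exposes the resulting table as <name>_CL.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def rfc1123_now() -> str:
    """x-ms-date must be an RFC 1123 timestamp in GMT."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length: int, date: str) -> str:
    """Canonical string the Data Collector API expects to be signed."""
    return "\n".join(["POST", str(content_length), CONTENT_TYPE,
                      f"x-ms-date:{date}", RESOURCE])


def build_signature(workspace_id: str, primary_key_b64: str,
                    content_length: int, date: str) -> str:
    """Authorization value: SharedKey <workspaceId>:<base64(HMAC-SHA256)>."""
    key = base64.b64decode(primary_key_b64)          # Primary Key is base64
    mac = hmac.new(key, string_to_sign(content_length, date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def build_send_data_request(workspace_id, primary_key_b64, log_type, rows,
                            time_generated_field="Timestamp", date=None):
    """Return (url, headers, body) for one Send Data call.

    The Logic App sends one "Current item" per loop iteration; the API also
    accepts a JSON array, so a whole batch of query rows fits in one call.
    """
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid custom log name: {log_type!r}")
    body = json.dumps(rows).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, primary_key_b64,
                                         len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,
        "time-generated-field": time_generated_field,  # maps to TimeGenerated
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def send(url, headers, body) -> int:
    """POST the signed batch; HTTP 200 means the workspace accepted it."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return resp.status


def table_name(log_type: str) -> str:
    """Name to query with KQL once ingestion completes."""
    return f"{log_type}_CL"


# Constructed sample rows shaped like the filtered alert query's output.
SAMPLE_ROWS = [
    {"Timestamp": "2020-05-13T14:02:11Z", "Category": "Execution",
     "Title": "constructed alert 1"},
    {"Timestamp": "2020-05-13T15:40:53Z", "Category": "Persistence",
     "Title": "constructed alert 2"},
]
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"          # placeholder
PRIMARY_KEY = base64.b64encode(b"placeholder-primary-key-not-real!").decode()

if __name__ == "__main__":
    url, headers, body = build_send_data_request(
        WORKSPACE_ID, PRIMARY_KEY, "DefenderATPAlerts", SAMPLE_ROWS)
    print(url)
    print(headers["Authorization"])
    print("query the table as", table_name("DefenderATPAlerts"))
    # send(url, headers, body)  # uncomment with a real workspace ID and key
```

The signature covers the content length and the x-ms-date header, so a request replayed later or with a modified body fails authorization; that is also why the connector needs the key rather than just the Workspace ID. Rows arrive in the workspace with a TimeGenerated value taken from the Timestamp field, which is what the UTC “Time-generated-field” setting above achieves.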


The Logic App that was created can be tested by clicking “Run.”


azure img 0000000


Note: I chose to change the Timestamp window for this test to (30d), which produces 30 days of data. This was done only to produce more data for later sections. After the initial test, I changed it back to (24h) and saved the app.


azure img 21


Figure 21: Logic Apps Microsoft Defender Advanced Hunting query date change


If all goes well, you will see green checkmarks on the right side of each step.


azure img 21a


Figure 21a: Logic Apps initial run


If we move back to the Log Analytics workspace and take a look at the logs, we should see the name of our newly defined custom logs.


azure img 22


Figure 22: Azure Log Analytics workspace with new custom logs


azure img 23


Figure 23: Limit search on custom logs


Running a limit search on the custom logs shows that data is being collected. Once a day the workspace will now ingest new log data, filtered to include Defender ATP alerts containing MITRE Tactic and Technique information. In the next and last post in this series we will walk through creating a workbook with charts to visualize the data from the log workspace.


Read more from this 3 part series.
Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)

Dan Kiraly
Senior Research Scientist | Optiv
Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.