You can enable Microsoft Defender for Endpoint Log Collection on both new and existing Azure subscriptions in Cloud Accounts. Deploying this feature gives you actionable insights into risky or malicious endpoint activities. Detection models identify behaviors such as malware execution, suspicious file modifications, lateral movement attempts, and unauthorized access to sensitive data.

Microsoft Defender for Endpoint Log Collection offers both Cyber Risk Exposure Management and XDR capabilities:
- Cyber Risk Exposure Management is automatically enabled when you deploy Microsoft Defender for Endpoint Log Collection in an Azure subscription. Trend Vision One collects DeviceInfo and DeviceNetworkInfo events and sends them to Cyber Risk Exposure Management, where you can view security configuration risk events.

  Note: Cyber Risk Exposure Management requires credits for each desktop or server assessed as a result of enabling Microsoft Defender for Endpoint Log Collection. For more information, see Credit requirements for Trend Vision One solutions, capabilities, and features.

- Optionally, you can enable XDR data collection for the Azure subscription, which sends detections and log data to the following security operations features:
  - Identity Security
  - Data Security
  - Endpoint Security
  - Cloud Security
  - Network Security
  - Email and Collaboration Security

  XDR data collection does not require credits during the pre-release period for Microsoft Defender for Endpoint Log Collection.
Note: Before enabling Microsoft Defender for Endpoint Log Collection, make note of the following:
Procedure

- Enable Microsoft Defender for Endpoint Log Collection for a new or existing Azure subscription:
  - Go to .
  - Click the Azure tab.
  - Click Add Subscription or select an Azure subscription from the list.
  - On the Features and Permissions page (if you are adding a new subscription), or the Resource Update tab (if you are configuring an existing subscription), enable Microsoft Defender for Endpoint Log Collection.
  - To enable XDR data collection, click Subscription settings.
  - To enable the use of collected data for XDR, select XDR data collection.
  - Select a log repository in Trend Vision One from the list. If no log repositories have been added to Trend Vision One, click the link to add a log repository in Third-Party Log Collection. After adding a log repository, click the refresh icon to show the repository in the list and select it.
  - Click Save Changes.
  - If you are adding a new Azure subscription, complete the steps to add the subscription. For more information, see Adding an Azure subscription. If you are updating an existing Azure subscription, go to the next step.
- Configure Microsoft Defender to export events:
  - In Microsoft Defender, go to General ➞ Streaming API.
  - Click Add to create a new Streaming API setting.
  - Provide a name for the setting.
  - Select Forward events to Event Hub.
  - In the Event-Hub Resource ID field, enter /subscriptions/{subscriptionID}/resourceGroups/trendmicro-clm-mde-rg/providers/Microsoft.EventHub/namespaces/clm-eventhub-ns-{first 8 chars of subscriptionID}, where {subscriptionID} is your Azure subscription ID.
  - In the Event-Hub name field, enter insights-logs-advancedhunting.
  - In the Event Types area, select all Alerts & Behaviors and Devices.
  - Click Submit.
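A mistyped Event Hub resource ID is the usual reason no Defender events arrive in Trend Vision One. The following Python helper, added here as an example and not part of the Trend Micro documentation, derives the namespace and resource ID the procedure above asks for from a subscription ID, and checks an existing Streaming API setting against them. The subscription ID it uses is a constructed sample.

```python
import re
import uuid

# Fixed values from the procedure above.
RESOURCE_GROUP = "trendmicro-clm-mde-rg"
EVENT_HUB_NAME = "insights-logs-advancedhunting"

# Matches an Event Hub namespace resource ID and captures its three variable parts.
_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)$"
)


def expected_streaming_target(subscription_id: str) -> dict:
    """Return the namespace, resource ID and hub name to enter for this subscription.

    Raises ValueError if the subscription ID is not a well-formed GUID.
    """
    sub = str(uuid.UUID(subscription_id))  # normalises to lowercase, hyphenated form
    namespace = f"clm-eventhub-ns-{sub[:8]}"  # first 8 characters of the subscription ID
    resource_id = (
        f"/subscriptions/{sub}/resourceGroups/{RESOURCE_GROUP}"
        f"/providers/Microsoft.EventHub/namespaces/{namespace}"
    )
    return {"namespace": namespace, "resource_id": resource_id, "event_hub": EVENT_HUB_NAME}


def check_streaming_setting(subscription_id: str, resource_id: str, event_hub_name: str) -> list:
    """Compare a configured Streaming API setting with the expected values.

    Returns a list of problem descriptions; an empty list means the setting matches.
    Azure resource ID segments are compared case-insensitively.
    """
    match = _RESOURCE_ID.match(resource_id.strip())
    if not match:
        return ["resource ID is not an Event Hub namespace resource ID"]
    want = expected_streaming_target(subscription_id)
    problems = []
    if match["sub"].lower() != want["resource_id"].split("/")[2]:
        problems.append("resource ID points at a different subscription")
    if match["rg"].lower() != RESOURCE_GROUP:
        problems.append(f"resource group should be {RESOURCE_GROUP}")
    if match["ns"].lower() != want["namespace"]:
        problems.append(f"namespace should be {want['namespace']}")
    if event_hub_name.strip() != EVENT_HUB_NAME:
        problems.append(f"event hub name should be {EVENT_HUB_NAME}")
    return problems


if __name__ == "__main__":
    sample_sub = "12345678-aaaa-bbbb-cccc-1234567890ab"  # constructed sample, not a real subscription
    print(expected_streaming_target(sample_sub)["resource_id"])
```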