Ingest raw EDR event data from Microsoft Defender for Endpoint Events into Cortex XSIAM.
Cortex XSIAM enables ingestion of raw EDR event data from Microsoft Defender for Endpoint Events, streamed to Azure Event Hubs. In addition to all standard SIEM capabilities, this integration unlocks some advanced Cortex XSIAM features, enabling comprehensive analysis of data from all sources, enhanced detection and response, and deeper visibility into Microsoft Defender for Endpoint data.
Key benefits include:
Querying all raw event data received from Microsoft Defender for Endpoint using XQL.
Querying critical modeled and unified EDR data via the xdr_data dataset.
Enriching incident and alert investigations with relevant context.
Grouping alerts with alerts from other sources to accelerate the scoping process of incidents, and to cut investigation time.
Leveraging the data for analytics-based detection.
Utilizing the data for rule-based detection, including correlation rules, BIOC, and IOC.
Leveraging the data within playbooks for incident response.
When Cortex XSIAM begins receiving EDR events from Microsoft Defender for Endpoint Events, it automatically creates a new dataset labeled msft_defender_raw, allowing you to query all Microsoft Defender for Endpoint Events using XQL. For example XQL queries, refer to the in-app XQL Library.
In addition, Cortex XSIAM parses and maps critical data into the xdr_data dataset and XDM data model, enabling unified querying and investigation across all supported EDR vendors' data, and unlocking key benefits like stitching and advanced analytics. While mapped data from all supported EDR vendors, including Microsoft Defender for Endpoint Events, will be available in the xdr_data dataset, it's important to note that third-party EDR data presents some limitations.
Third-party agents, including Microsoft Defender for Endpoint Events, typically provide less data compared to our native agents, and do not include the same level of optimization for causality analysis and cloud-based analytics. Furthermore, external EDR rate limits and filters might restrict the availability of critical data required for comprehensive analytics. As a result, only a subset of our analytics-based detectors will function with third-party EDR data.
We are continuously enhancing our support and using advanced techniques to enrich missing third-party data, and, where possible, replicating some of the proprietary functionality available with our agents. This approach maximizes value for our customers using third-party EDRs within existing constraints. However, it's important to recognize that the level of comprehensiveness achieved with our native agents cannot be matched, as much of the logic happens on the agent itself. These capabilities are unique, and are not found in typical SIEMs. Many of them, along with their underlying logic, are patented by Palo Alto Networks. Therefore, they should be regarded as added value beyond standard SIEM functionalities for customers who are not using our agents.
Note
The generic Cortex XSIAM Azure Event Hub collector does not offer full functionality for EDR data (such as stitching), and is therefore not suitable for EDR data ingestion.