A Microsoft Sentinel custom data connector that ingests Microsoft Defender XDR portal-only telemetry — configuration, compliance, drift, exposure, governance — that public Microsoft APIs (Graph Security, Microsoft 365 Defender, MDE) don't expose.
| Platform | Azure Functions (PowerShell 7.4), Log Analytics, Sentinel |
|---|---|
| Auth | Two unattended auto-refreshing methods: Credentials+TOTP, Software Passkey. DirectCookies for diagnostic / one-shot use. |
| Scope | Microsoft Defender XDR portal (security.microsoft.com) — telemetry streams across 10 functional categories (Endpoint Device Management, Endpoint Configuration, Vulnerability Management, Identity Protection, Configuration & Settings, Exposure Management, Threat Analytics, Action Center, Multi-Tenant Operations, Streaming API). Every stream documented + live-captured. Some streams activate only when the tenant provisions the underlying feature (MDI / TVM / MCAS / Intune / MDO / Custom Collection). |
| Prerequisite | Existing Sentinel-enabled Log Analytics workspace (any RG / subscription in the same tenant). This template does NOT create a workspace. |
| Deployment | One-click Deploy to Azure + one ./tools/Initialize-XdrLogRaiderAuth.ps1 run post-deploy. Cross-RG / cross-region workspace supported. |
| Content | 8 workbooks · 20 analytic rules (14 detection + 6 XdrOps incl. RowVolumeSpike cost-budget gate) · 9 hunting queries · 4 KQL drift parsers + 11 consolidated LA tables (10 Defender_<Category>_CL + 1 XdrConnectorHealth_CL) · 390 sample queries (5 per active stream) — all auto-deployed via nested ARM. Every parser / rule / query / workbook column reference verified against live fix |
Happy Hunting 🥳 🎉
u/akefallonitis — 6 days ago