Mounting Defender for Endpoint Telemetry Azure Blob Storage in Linux using blobfuse

Mounting Defender for Endpoint Telemetry data on Linux

Defender telemetry data can be persisted in Azure Blob Storage. This results in date/time-stamped directories containing JSON files.

Why?

So you can easily Splunk, gzip or jq some of your telemetry data.

How?

  1. Copy the primary key from your storage account via Azure Storage Explorer
  2. Launch an Ubuntu Linux VM in Azure
  3. wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
  4. sudo dpkg -i packages-microsoft-prod.deb
  5. sudo apt-get update
  6. sudo apt-get install blobfuse
  7. Run this script as a non-privileged user.
#!/bin/bash
# Mount each Defender for Endpoint streaming-export container under ~/defender_telemetry/<container>.
# Replace YOURACCOUNTNAME and YOUR_STORAGE_ACCOUNT_PRIMARY_KEY before running.
set -u
LIJST="insights-logs-advancedhunting-devicealertevents insights-logs-advancedhunting-deviceevents insights-logs-advancedhunting-devicefilecertificateinfo insights-logs-advancedhunting-devicefileevents insights-logs-advancedhunting-deviceimageloadevents insights-logs-advancedhunting-deviceinfo insights-logs-advancedhunting-devicelogonevents insights-logs-advancedhunting-devicenetworkevents insights-logs-advancedhunting-devicenetworkinfo insights-logs-advancedhunting-deviceprocessevents insights-logs-advancedhunting-deviceregistryevents"
for i in $LIJST; do
	# Unmount a previous mount of this container, if any (ignore "not mounted" errors)
	sudo fusermount -u "$HOME/defender_telemetry/${i}" 2>/dev/null || true
	# blobfuse cache directory; /mnt/resource is the VM's local temporary disk
	mkdir -p "/mnt/resource/blobfusetmp/${i}"
	# The config file holds the storage account key in plaintext, so keep it owner-readable only
	cat << EOF > "$HOME/fuse_${i}.cfg"
accountName YOURACCOUNTNAME
accountKey YOUR_STORAGE_ACCOUNT_PRIMARY_KEY
containerName $i
EOF
	chmod 600 "$HOME/fuse_${i}.cfg"
	mkdir -p "$HOME/defender_telemetry/${i}"
	# Mounted as root; allow_other lets the non-privileged user (and any other local user) read the files
	sudo blobfuse "$HOME/defender_telemetry/${i}" --tmp-path="/mnt/resource/blobfusetmp/${i}" --config-file="$HOME/fuse_${i}.cfg" -o attr_timeout=240 -o entry_timeout=240 -o negative_timeout=120 -o allow_other
done
  8. Optionally, gzip all the JSON files (find starts from the current directory): nohup find -type f -name \*json -exec gzip -v {} \; &
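Once the containers are mounted, the files can be read directly from the mount tree. The following is an added example (not part of the gist) that walks such a tree, reads both plain and gzipped PT1H.json blobs, and counts DeviceProcessEvents per device. It assumes the streaming-export layout of `tenantId=.../y=.../m=.../d=.../h=.../m=.../PT1H.json` with one JSON object per line and the event fields nested under `properties`; the sample records and the temporary tree are constructed here.

```python
"""Read Defender streaming-export blobs from a blobfuse mount tree (added example)."""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample records in the assumed streaming-export shape:
# one JSON object per line, event columns nested under "properties".
SAMPLE_LINES = [
    '{"time":"2021-06-01T12:03:11Z","tenantId":"00000000-0000-0000-0000-000000000000",'
    '"category":"AdvancedHunting-DeviceProcessEvents",'
    '"properties":{"DeviceName":"ws01","FileName":"powershell.exe","ProcessCommandLine":"powershell -File backup.ps1"}}',
    '{"time":"2021-06-01T12:05:42Z","tenantId":"00000000-0000-0000-0000-000000000000",'
    '"category":"AdvancedHunting-DeviceProcessEvents",'
    '"properties":{"DeviceName":"ws02","FileName":"cmd.exe","ProcessCommandLine":"cmd /c dir"}}',
]


def write_sample_tree(root):
    """Build a constructed tree under `root` with one plain and one gzipped PT1H.json (as after step 8)."""
    base = Path(root) / "insights-logs-advancedhunting-deviceprocessevents" / "tenantId=0" / "y=2021" / "m=06" / "d=01"
    plain = base / "h=12" / "m=00" / "PT1H.json"
    packed = base / "h=13" / "m=00" / "PT1H.json.gz"
    plain.parent.mkdir(parents=True, exist_ok=True)
    packed.parent.mkdir(parents=True, exist_ok=True)
    plain.write_text("\n".join(SAMPLE_LINES) + "\n", encoding="utf-8")
    with gzip.open(packed, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LINES[0] + "\n")
    return [plain, packed]


def iter_events(root):
    """Yield (category, properties) for every record under `root`, plain or gzipped."""
    for path in sorted(Path(root).rglob("PT1H.json*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                try:
                    rec = json.loads(line)
                except json.JSONDecodeError:
                    continue  # skip a truncated line from a blob that is still being written
                yield rec.get("category", "?"), rec.get("properties", {})


def processes_per_device(root):
    """Count DeviceProcessEvents per DeviceName under `root`; returns a plain dict."""
    counts = Counter()
    for category, props in iter_events(root):
        if category == "AdvancedHunting-DeviceProcessEvents":
            counts[props.get("DeviceName", "?")] += 1
    return dict(counts)


def demo():
    """Write the constructed tree into a temp dir and count events there; returns {'ws01': 2, 'ws02': 1}."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return processes_per_device(tmp)
```

Point `processes_per_device` at `~/defender_telemetry` on the VM to run it over the real mount instead of the constructed tree.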