Logging

Defender generates log trails of every potentially relevant event in the system.

Log Forwarding

Generated logs can be forwarded to Datadog and Splunk or any other service that supports API Key authentication.

This is a premium feature, if you are interested in it let us know by filling in this form.

Setup Log Forwarding Destination

To set up a log forwarding destination, open the User Menu at the top right corner of Defender or click here.

Add Forwarding Destination

You can access the log destination configuration page by pressing the Add Forwarding Destination button.

Add Log Destination

Form fields:

  • URL field is a required field. All logs are forwarded to this URL address using HTTP POSTs.

  • API Header Name is optional. This is the name of the request header that contains the API Key value. Most log management services require it. Please refer to your log management service documentation to determine if you need it.

  • API Key is an optional field. API Key is sent with every request for authentication purposes. Most log management services require it. Please refer to your log management service documentation to determine if you need it.

  • Log Types lets you specify which subset of Defender generated logs you want to have forwarded.

In the next section we will cover how to setup Log Forwarding with Splunk and Datadog but it is worth noting that Log Forwarding works with any other service that supports API Key authentication.

Splunk

Forwarding logs to Splunk is done by using Splunk HEC(HTTP Event Collector). Documentation for setting up logging with Splunk HEC can be found here.

Log Forwarding does not work with Splunk trial accounts because of Splunk internals.

Example:

  • URL: https://username.splunkcloud.com/services/collector/raw

  • API Header Name: Authorization

  • API Key: Splunk xxxxxxxxxxxxxxxxxxxxxxxxxxx

URL value is dynamic as URL includes account username.
API Key should contain Splunk prefix.

Datadog

Documentation for setting up logging on Datadog can be found here.

Example:

  • URL: https://http-intake.logs.datadoghq.com/api/v2/logs

  • API Header Name: DD-API-KEY

  • API Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Datadog uses different sites around the world. For example, if you are relying on an EU server the URL field value should be https://http-intake.logs.datadoghq.eu/api/v2/logs
API Key value can be obtained from Datadog site by opening Logs section from the left menu. Go to Cloud section and select AWS provider. After following those steps, the 'API Key` value is displayed in the bottom section of the page.