Hi @gm2025 ,
Right now, there isn’t a built-in Power BI connector that lets you pull Defender for Endpoint Audit Mode logs directly, live, from all your machines. But you can still achieve what you’re after, here are the proven approaches most security and compliance teams use:
1. Export Defender Logs to Log Analytics or Event Hub: In Microsoft Defender, set up a scheduled export (either from Advanced Hunting or via the audit logs API) to Azure Log Analytics or Event Hub. In Power BI, use the Azure Monitor Logs connector to connect directly to Log Analytics for reporting and dashboards. This method is scalable and gives you close to real-time insights, covering all endpoints that forward logs.
2. Use Microsoft Sentinel (if available): Forward your Defender logs to Sentinel. Query them centrally with KQL, and connect Power BI using the built-in Kusto connector. This is especially powerful if you need to correlate audit activity with other security events.
3. Manual or Automated Export If you just need periodic reporting, run your KQL queries in Defender’s Advanced Hunting, export results as CSV/JSON, and import them into Power BI. For more automation, use a script or Logic App to regularly push results to Azure Storage, then connect Power BI to that.
At the moment, Microsoft doesn’t offer a direct live connector for Defender Audit logs in Power BI, likely due to scale, security, and data privacy considerations. The above routes (especially via Log Analytics/Sentinel) are the enterprise-standard workarounds.
Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
