Barracuda XDR

Integrating Microsoft 365 Defender


This integration is in Beta and is not currently available to all users.

If you have already integrated Microsoft Defender for Endpoint (through the process in Integrating Microsoft Defender) and then follow the process below, you may receive duplicate alerts.

BEST PRACTICE If you have already integrated Microsoft Defender for Endpoint and want to integrate Microsoft 365 Defender, we recommend following the process below to integrate Microsoft 365 Defender. After integrating Microsoft 365 Defender, we recommend allowing both integrations to communicate for 3-5 days, then disabling the Microsoft Defender integration.

To integrate Microsoft 365 Defender, you must do the following:

Create an event hub namespace and event hub entity in Microsoft Azure

An event hub is temporary storage that Microsoft 365 Defender writes to and XDR reads from.

The cost of your event hub subscription depends on the pricing tier you choose and the throughput unit. You may need to increase the throughput unit based on the number of events generated by Defender 365. For more information, see the Capacity section at the end of this document.

To create an event hub namespace and event hub entity in Microsoft Azure
  1. Log into the Microsoft Azure Portal and select the tenant (directory) of the customer to be monitored.

  2. Navigate to Event Hubs.

  3. Click +Create.

  4. Provide the following information:

    • Your subscription

    • Your resource group

    • The namespace
      NOTE We suggest using the following naming convention: <acme-inc>-xdr-events where <acme-inc> is the name of the customer.

    • Location: US East

    • Pricing Tier: Basic

    • Throughput Units: See the Capacity section at the end of this document.

    • Networking: Public Access

  5. Click Review/Create.

  6. Navigate to the namespace that was created.

  7. From the Overview screen, click +Event Hub and complete the form:

    • Name: m365
      NOTE This is the name of your event_hub.

    • Partition count: 1

    • Cleanup Policy: Delete

    • Retention time: 24 hours

  8. Click Review/Create.

  9. From the event hub click Settings > Shared access policies.
    NOTE Make sure you are adding the SAS policy on the event hub, not the namespace. The namespace has its own SAS policy called RootManageSharedAccessKey.

  10. Click +Add

  11. Enter the following information:

    • Name
      NOTE We suggest using the value barracuda-xdr.

    • Listen: Enabled

  12. Click on the new SAS policy and copy the Connection string–primary key.
    NOTE This is your event_hub_connection_string.
    For example: Endpoint=sb://<acme-inc>-xdr-events.servicebus.windows.net/;SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365
    where <acme-inc> is the name of the customer.

  13. From the namespace, click Settings > Properties.

  14. Copy the namespace id.
    NOTE This is your namespace_resource_id.
    For example: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/<acme-inc>/providers/Microsoft.EventHub/namespaces/<acme-inc>-xdr-events
    where <acme-inc> is the name of the customer.
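Two of the values copied in this procedure are easy to get subtly wrong: a connection string taken from the namespace policy (RootManageSharedAccessKey) instead of the Listen-only policy on the event hub, or a connection string and namespace resource id that point at different namespaces. The following is an added example (written for this page, not Barracuda's or Microsoft's code) that validates both values offline before they are pasted into the collector. The sample connection string, resource id and key are constructed placeholders in the shape shown above; the resource id pattern assumes the standard /subscriptions/<guid>/resourceGroups/<name>/providers/Microsoft.EventHub/namespaces/<name> layout.

```python
import re
from urllib.parse import urlparse

# Added example, not Barracuda's or Microsoft's code. It checks the two values this
# procedure has you copy (event_hub_connection_string and namespace_resource_id) and
# cross-checks that they refer to the same namespace. The key-name and EntityPath checks
# mirror the NOTE above: use a Listen-only policy on the event hub, not the namespace key.

NAMESPACE_MANAGE_KEY = "RootManageSharedAccessKey"

# Assumed layout: GUID subscription id, resource group name, namespace name.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<namespace>[^/]+)$"
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; the SharedAccessKey value may itself contain '='."""
    parts = {}
    for item in conn.strip().rstrip(";").split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {item!r}")
        parts[key] = value
    return parts


def check_connection_string(conn: str, expected_hub: str) -> list[str]:
    """Return a list of problems; an empty list means the string looks right."""
    problems = []
    p = parse_connection_string(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath"):
        if not p.get(required):
            problems.append(f"missing {required}")
    if "EntityPath" in p and p["EntityPath"] != expected_hub:
        problems.append(f"EntityPath is {p['EntityPath']!r}, expected {expected_hub!r}")
    if p.get("SharedAccessKeyName") == NAMESPACE_MANAGE_KEY:
        problems.append("uses the namespace Manage key; create a Listen-only policy on the event hub instead")
    endpoint = p.get("Endpoint", "")
    if not (endpoint.startswith("sb://") and ".servicebus.windows.net" in endpoint):
        problems.append(f"Endpoint does not look like an Azure Service Bus endpoint: {endpoint!r}")
    return problems


def namespace_from_endpoint(endpoint: str) -> str:
    """'sb://<ns>.servicebus.windows.net/' -> '<ns>'."""
    host = urlparse(endpoint).hostname or ""
    return host.split(".")[0]


def check_namespace_resource_id(resource_id: str) -> dict:
    """Parse the namespace_resource_id into its components or raise if the shape is wrong."""
    m = RESOURCE_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError("namespace_resource_id is not of the form /subscriptions/.../namespaces/<name>")
    return m.groupdict()


def check_pair(conn: str, resource_id: str, expected_hub: str) -> list[str]:
    """Validate both values and confirm they name the same namespace."""
    problems = check_connection_string(conn, expected_hub)
    try:
        rid = check_namespace_resource_id(resource_id)
    except ValueError as e:
        return problems + [str(e)]
    ns = namespace_from_endpoint(parse_connection_string(conn).get("Endpoint", ""))
    if ns and ns != rid["namespace"]:
        problems.append(f"connection string namespace {ns!r} != resource id namespace {rid['namespace']!r}")
    return problems


# Constructed sample values in the shape this page shows; the key is a placeholder.
GOOD_CONN = ("Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;"
             "SharedAccessKeyName=barracuda-xdr;SharedAccessKey=PLACEHOLDER_KEY=;EntityPath=m365")
NAMESPACE_CONN = ("Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;"
                  "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=PLACEHOLDER_KEY=")
GOOD_RID = ("/subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc"
            "/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events")

if __name__ == "__main__":
    for label, conn in (("event-hub policy", GOOD_CONN), ("namespace policy", NAMESPACE_CONN)):
        issues = check_pair(conn, GOOD_RID, "m365")
        print(label, "->", "OK" if not issues else "; ".join(issues))
```

The namespace-policy string fails on two counts: it has no EntityPath (so it does not identify the m365 hub) and it carries the Manage key, which grants far more than the Listen right the collector needs.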

Event Hub Monitoring (optional)

You can configure event hub alerts and monitoring from the Event hub namespace.

If you did not enable autoscaling for your event hub, we recommend adding an alert for Quota Exceeded Error. If the quota is exceeded, it results in log loss.

We recommend adding alerts for ingress and egress limits so you are notified before the quota is exceeded:

  • Each throughput unit has the following capacities:

    • Ingress: 1 MB/sec or 1000 events per second

    • Egress: 2 MB/sec or 4,096 events per second

For a single throughput unit, the alerts may be configured as follows (you may adjust the values depending on your use case):

  • Ingress:

    • Signal Name: Incoming Bytes

      • Threshold: Static

      • Aggregation type: Maximum

      • Operator: Greater than

      • Unit: MB

      • Threshold: 0.85

    • Signal Name: Incoming Messages

      • Threshold: Static

      • Aggregation type: Total

      • Operator: Greater than

      • Unit: Count

      • Threshold: 850

  • Egress:

    • Signal Name: Outgoing Bytes

      • Threshold: Static

      • Aggregation type: Maximum

      • Operator: Greater than

      • Unit: MB

      • Threshold: 0.85

    • Signal Name: Outgoing Messages

      • Threshold: Static

      • Aggregation type: Total

      • Operator: Greater than

      • Unit: Count

      • Threshold: 850

Creating a storage account

The storage account allows event hub consumers to keep track of which events have been ingested. It holds a checkpoint file that multiple consumers can write to, and it does not add significant cost.

To create a Microsoft Azure storage account
  1. Log into the Microsoft Azure Portal (https://portal.azure.com) and select the tenant (directory) of the customer to be monitored.

  2. Navigate to Storage Accounts.

  3. Click + Create.

    For example:

    • Storage account name
      NOTE We recommend using the following naming convention: <acme-inc>m365 where <acme-inc> is the name of the customer.

    • Region: US East

    • Performance: Standard

    • Redundancy: GRS

    • Read Access checked: Yes

  4. Click Review/Create.

  5. Navigate to the storage account.

  6. Click Security + Networking > Access Keys.

  7. Click Show next to one of the Keys.

  8. Copy the value.
    NOTE This is your storage_account_access_key.

Storage account monitoring (optional)

The storage account is expected to contain a single small file. We recommend adding an alert to make sure the storage account does not exceed a certain threshold.

  • Storage Account alerts

    • Signal Name: Used capacity

      • Threshold: Static

      • Aggregation type: Average

      • Unit: MiB

      • Threshold: 100

Setting up log streaming

  1. Log in to the Microsoft Defender portal as a Global Admin or Security Administrator.

  2. Go to System > Settings > Microsoft 365 Defender XDR.

  3. Click Streaming API.

  4. Click + Add.

  5. Choose a name for your new settings.

  6. Select Forward events to Azure Event Hubs.

  7. Enter your Event-Hub name (event_hub) and Event-Hub Resource ID (namespace_resource_id).
    For example:
    Name: m365-event-hub
    Event-Hub Resource ID: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/<acme-inc>/providers/Microsoft.EventHub/namespaces/<acme-inc>-xdr-events
    where <acme-inc> is the name of the customer.
    Event-Hub name: m365
    Event Types: Select all event types except for “Identity Info”

    [Image: IntegratingDefender365.png]

  8. Click Submit.

Creating an app key for the incidents/alerts API

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.

  3. Click Identity > Applications > App registrations.

  4. Select New registration.

  5. Type a display name for your application. Specify who can use the application in the Supported account types section.
    For example:
    Display Name: m365api
    Supported account types: Users within the current tenant

  6. From the app registration overview screen obtain the client_id and tenant_id.
    For example:
    Client id: 1290db81-e444-4619-a87b-1d88365959a5
    Tenant id: 1286cb4f-9975-4e91-a711-6bfd1e2a049d

  7. Click Certificates & secrets.

  8. Add a new secret.
    For example:
    Name: xdr-m365-api

  9. Copy the secret value, also known as the client_secret.
    WARNING Ensure you copy the secret value, not the secret id.

Granting permissions to the application

The Microsoft Entra tenant administrator MUST explicitly grant the permissions to the application. This must be done per tenant and must be performed every time the application permissions are changed in the application registration portal.

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.

  3. Click the app you created in the previous procedure.

  4. Go to the app's API permissions page.

  5. Select Add a permission and then choose Microsoft Graph.

  6. Click What type of permissions does your application require > Select Application permissions.

  7. Use the search box to find and select the required permissions: SecurityIncident.Read.All.

  8. Click Add permissions.

  9. Grant Admin Consent.

Enable Microsoft 365 Defender

  1. In Barracuda XDR Dashboard, navigate to Administration > Integrations.

  2. On the Microsoft 365 Defender Collector card, click Setup.

    [Image: Microsoft365DefenderCard.png]

  3. Select the Enabled check box.

  4. Fill out the following information:

    • Event Hub

    • Connection String

    • Storage Account

    • Access Key

    • Tenant ID

    • Client ID

    • Client Secret

      [Image: Microsoft365DefenderEdit.png]

  5. Optional: Click Test to test the connection. When the connection is successful, proceed to the next step.

  6. Click Save.

Capacity

The event hub throughput unit determines its capacity. For more information, see https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers.

The basic tier has the following quotas:

  • Number of consumer groups per event hub: 1

  • Maximum retention period of event data: 1 day

  • Throughput per unit:

    • Ingress: 1 MB/sec or 1000 events per second

    • Egress: 2 MB/sec or 4,096 events per second

To help determine the required event hub throughput unit, you can run the following query.

  1. Log into security.microsoft.com

  2. Navigate to Hunting > Advanced hunting.

  3. Ensure Last 7 days is selected.

  4. Create a new query, then copy and paste the following, then run the query:

let bytes_ = 1000;
union withsource=MDTables *
| where MDTables in ('AlertEvidence', 'AlertInfo', 'DeviceEvents', 'DeviceFileCertificateInfo', 'DeviceFileEvents', 'DeviceImageLoadEvents', 'DeviceInfo', 'DeviceLogonEvents', 'DeviceNetworkEvents', 'DeviceNetworkInfo', 'DeviceProcessEvents', 'DeviceRegistryEvents', 'EmailAttachmentInfo', 'EmailEvents', 'EmailPostDeliveryEvents', 'EmailUrlInfo', 'IdentityLogonEvents', 'IdentityQueryEvents', 'IdentityDirectoryEvents', 'CloudAppEvents', 'UrlClickEvent')
| where Timestamp > startofday(ago(7d))
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = count_ / 60
| summarize avg(EPS), estimatedMBPerSec = avg(EPS) * bytes_ / (1024*1024) by MDTables, bin(Timestamp, 3h)
| summarize avg_EPS = max(avg_EPS), estimatedMBPerSec = max(estimatedMBPerSec) by MDTables
| sort by toint(estimatedMBPerSec) desc
| project MDTables, avg_EPS, estimatedMBPerSec
| as IndividualTableMetrics
| union (
    IndividualTableMetrics
    | summarize avg_EPS = sum(avg_EPS), estimatedMBPerSec = sum(estimatedMBPerSec)
    | extend MDTables = "Total"
)

If the total avg_EPS > 1000, or estimatedMBPerSec > 1, you may need to increase the throughput unit for your event hub. Configure the throughput unit so that it is able to handle the peak ingress. You may also choose to enable autoscaling of your event hub. If you choose this option, we recommend that you monitor the usage details and create alerts to ensure there are no unexpected costs.

Example Output

MDTables    avg_EPS    estimatedMBPerSec
Total       1400       0.4

For this event hub, a throughput unit of 2 is adequate to handle the peak ingress of 1400 EPS.
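The sizing rule above and the per-unit alert thresholds in the Event Hub Monitoring section come from the same Basic-tier quotas, so they can be derived together. The following is an added example (written for this page, not Barracuda's or Microsoft's code) that takes per-table rows in the shape the Advanced Hunting query returns, builds the Total row the query appends, picks the smallest throughput-unit count whose ingress quota covers both the event rate and the byte rate, and scales the 0.85 MB / 850-event alert thresholds to that count. The per-table sample rows are constructed; the quotas and headroom values are the page's own.

```python
import math

# Added example, not part of the Barracuda page or the Azure documentation. Quotas are the
# Basic-tier per-throughput-unit figures quoted in the Capacity section; HEADROOM is the 85%
# point at which the Event Hub Monitoring section sets its static alerts (0.85 MB, 850 events).

TU_INGRESS_MB_PER_SEC = 1.0
TU_INGRESS_EVENTS_PER_SEC = 1000
TU_EGRESS_MB_PER_SEC = 2.0
TU_EGRESS_EVENTS_PER_SEC = 4096
HEADROOM = 0.85


def total_metrics(rows: list[dict]) -> dict:
    """Sum per-table rows into the 'Total' row the query's final union produces."""
    return {
        "MDTables": "Total",
        "avg_EPS": sum(r["avg_EPS"] for r in rows),
        "estimatedMBPerSec": round(sum(r["estimatedMBPerSec"] for r in rows), 4),
    }


def required_throughput_units(avg_eps: float, est_mb_per_sec: float) -> int:
    """Smallest TU count whose ingress quota covers both the event rate and the byte rate.

    The page's own thresholds (avg_EPS > 1000 or estimatedMBPerSec > 1) are the 1-TU
    case of this rule; it generalises them to N units.
    """
    if avg_eps < 0 or est_mb_per_sec < 0:
        raise ValueError("rates must be non-negative")
    by_events = math.ceil(avg_eps / TU_INGRESS_EVENTS_PER_SEC)
    by_bytes = math.ceil(est_mb_per_sec / TU_INGRESS_MB_PER_SEC)
    return max(1, by_events, by_bytes)


def alert_thresholds(units: int) -> dict:
    """Static alert thresholds from the monitoring section, scaled to the chosen TU count.

    The page sets the egress alerts to the same values as ingress even though the egress
    quota is twice as large: XDR is the single consumer and reads roughly what Defender
    writes, so an egress alert at the ingress level is conservative and fires early.
    """
    if units < 1:
        raise ValueError("at least one throughput unit")
    mb = round(units * TU_INGRESS_MB_PER_SEC * HEADROOM, 2)
    count = int(units * TU_INGRESS_EVENTS_PER_SEC * HEADROOM)
    return {
        "Incoming Bytes (MB, Maximum)": mb,
        "Incoming Messages (Count, Total)": count,
        "Outgoing Bytes (MB, Maximum)": mb,
        "Outgoing Messages (Count, Total)": count,
    }


def size_event_hub(rows: list[dict]) -> dict:
    """End-to-end: query rows -> Total row -> TU count -> alert thresholds."""
    total = total_metrics(rows)
    units = required_throughput_units(total["avg_EPS"], total["estimatedMBPerSec"])
    return {"total": total, "throughput_units": units, "alerts": alert_thresholds(units)}


# Constructed per-table rows whose totals match the page's Example Output (1400 EPS, 0.4 MB/s).
SAMPLE_ROWS = [
    {"MDTables": "DeviceEvents", "avg_EPS": 900, "estimatedMBPerSec": 0.25},
    {"MDTables": "DeviceNetworkEvents", "avg_EPS": 400, "estimatedMBPerSec": 0.12},
    {"MDTables": "EmailEvents", "avg_EPS": 100, "estimatedMBPerSec": 0.03},
]

if __name__ == "__main__":
    result = size_event_hub(SAMPLE_ROWS)
    print("Total:", result["total"])
    print("Throughput units needed:", result["throughput_units"])
    for signal, threshold in result["alerts"].items():
        print(f"  alert {signal}: > {threshold}")
```

For the page's sample (1400 EPS, 0.4 MB/s) the event rate, not the byte rate, is what drives the answer to 2 units, and the matching alerts become 1.7 MB and 1700 messages; the byte estimate depends on the query's assumed 1000 bytes per event (bytes_), so if your events are larger, adjust that constant before sizing.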