To integrate Microsoft 365 Defender, you must do the following:
Create an event hub namespace and event hub entity in Microsoft Azure
Create a storage account
Set up log streaming
Create an app key for the incidents/alerts API
Grant permissions to the application
Enable Microsoft 365 Defender in Barracuda XDR
Creating an event hub namespace and event hub entity in Microsoft Azure
An event hub is temporary storage intended for multiple producers/consumers to write/read events from.
The cost of your event hub depends on the pricing tier you choose and the number of throughput units. You may need to increase the throughput units based on the number of events generated by Defender 365. For more information, see the Capacity section at the end of this document.
To create an event hub namespace and event hub entity in Microsoft Azure
Log into the Microsoft Azure Portal and select the tenant (directory) of the customer to be monitored.
Navigate to Event Hubs.
Click +Create.
Provide the following information:
Your subscription
Your resource group
The namespace
NOTE We suggest using the following naming convention: <acme-inc>-xdr-events where <acme-inc> is the name of the customer.
Location: US East
Pricing Tier: Basic
Throughput Units: 1
Networking: Public Access.
Click Review/Create.
Navigate to the namespace that was created.
From the Overview screen, click +Event Hub and complete the form:
Name: m365
NOTE This is the name of your event_hub.
Click Review/Create.
From the event hub click Settings > Shared access policies.
NOTE Make sure you are adding the SAS policy on the event hub, not the namespace. The namespace has its own SAS policy called RootManageSharedAccessKey.
Click +Add.
Enter the following information:
Name
NOTE We suggest using the value barracuda-xdr.
Listen/Send: Enabled
Click on the new SAS policy and copy the Connection string–primary key.
NOTE This is your event_hub_connection_string.
For example:
Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365
From the namespace, click Settings > Properties.
Copy the namespace Id.
NOTE This is your namespace_resource_id.
For example: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events
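The three values collected in this procedure (event hub name, connection string, namespace resource ID) are easy to mix up: a connection string copied from the namespace-level policy lacks the EntityPath segment, and a resource ID copied from the wrong namespace will never receive the stream. The following pre-flight check is an added example, not Barracuda's or Microsoft's code; it parses the two strings with the formats shown above and reports inconsistencies. The sample values are constructed to mirror the examples in this procedure, and the key "123" is a placeholder.

```python
import re

# Constructed sample values mirroring the examples above; the key is a placeholder, not a real secret.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;"
    "SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365"
)
SAMPLE_NAMESPACE_RESOURCE_ID = (
    "/subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc"
    "/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events"
)

NAMESPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<namespace>[^/]+)$",
    re.IGNORECASE,
)
ENDPOINT_RE = re.compile(r"^sb://(?P<namespace>[^./]+)\.servicebus\.windows\.net/?$")


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value;...' into a dict.

    Keys are base64 and may end in '=', so each segment is split on the first '=' only.
    """
    fields = {}
    for segment in conn.strip().strip(";").split(";"):
        if "=" not in segment:
            raise ValueError(f"malformed segment in connection string: {segment!r}")
        key, value = segment.split("=", 1)
        fields[key] = value
    return fields


def parse_namespace_resource_id(resource_id: str) -> dict:
    """Return subscription, resource group and namespace from an Event Hubs namespace resource ID."""
    m = NAMESPACE_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError("not an Event Hubs namespace resource ID")
    return m.groupdict()


def check_event_hub_settings(conn: str, resource_id: str, event_hub: str = "m365") -> list:
    """Return a list of problems; an empty list means the values agree with each other."""
    problems = []
    fields = parse_connection_string(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in fields:
            problems.append(f"connection string is missing {required}")
    if "EntityPath" not in fields:
        # A hub-level SAS policy always embeds EntityPath; its absence means the string
        # was copied from a namespace-level policy such as RootManageSharedAccessKey.
        problems.append("connection string has no EntityPath: it came from a namespace policy, not the event hub")
    if problems:
        return problems
    if fields["SharedAccessKeyName"] == "RootManageSharedAccessKey":
        problems.append("policy is the namespace root key; create a hub-scoped policy instead")
    if fields["EntityPath"] != event_hub:
        problems.append(f"EntityPath is {fields['EntityPath']!r}, expected the event hub name {event_hub!r}")
    endpoint = ENDPOINT_RE.match(fields["Endpoint"])
    if not endpoint:
        problems.append(f"unexpected Endpoint {fields['Endpoint']!r}")
        return problems
    ns = parse_namespace_resource_id(resource_id)
    if endpoint["namespace"].lower() != ns["namespace"].lower():
        problems.append(
            f"connection string points at namespace {endpoint['namespace']!r} "
            f"but the resource ID names {ns['namespace']!r}"
        )
    return problems


if __name__ == "__main__":
    for line in check_event_hub_settings(SAMPLE_CONNECTION_STRING, SAMPLE_NAMESPACE_RESOURCE_ID) or ["OK"]:
        print(line)
```

Run it with the real values before pasting them into the collector; if it reports a missing EntityPath, go back to the event hub (not the namespace) and copy the connection string from the hub-scoped policy.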
Creating a storage account
The storage account allows event hub consumers to keep track of which events have been ingested: consumers write checkpoints (their position in each partition) to it, multiple consumers can share it, and it does not increase cost significantly.
To create a Microsoft Azure storage account
Log into the Microsoft Azure Portal https://portal.azure.com and select the tenant (directory) of the customer to be monitored
Navigate to Storage Accounts.
Click + Create.
Complete the form. For example:
Storage account name
NOTE We recommend using the following naming convention: <acmeinc>m365 where <acmeinc> is the name of the customer. Storage account names may contain only lowercase letters and digits, which is why the hyphen used in the event hub namespace is dropped here.
Region: US East
Performance: Standard
Redundancy: GRS
Read Access checked: Yes
Click Review/Create.
Navigate to the storage account.
Click Security + Networking > Access Keys.
Click Show next to one of the Keys.
Copy the value. This is your storage_account_access_key.
Setting up log streaming
Log in to the Microsoft Defender portal as a Global Admin or Security Administrator.
Go to System > Settings > Microsoft Defender XDR.
Click Streaming API.
Click + Add.
Choose a name for your new settings.
Select Forward events to Azure Event Hubs.
Enter your Event-Hub name (event_hub) and Event-Hub Resource ID (namespace_resource_id).
For example:
Name: m365-event-hub
Event-Hub Resource ID: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events
Event-Hub name: m365
Event Types: Select All
Click Submit.
Creating an app key for incidents/alerts api
Sign in to the Microsoft Entra admin center.
If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
Click Identity > Applications > App registrations.
Select New registration.
Type a display Name for your application. Specify who can use the application in the Supported account types section.
For example:
Display Name: m365api
Supported account types: Users within the current tenant
From the app registration Overview screen, obtain the client_id (Application (client) ID) and tenant_id (Directory (tenant) ID).
For example:
Client id: 1290db81-e444-4619-a87b-1d88365959a5
Tenant id: 1286cb4f-9975-4e91-a711-6bfd1e2a049d
Click Certificates & secrets.
Add a new secret.
For example:
Name: xdr-m365-api
Copy the secret value, also known as the client_secret.
WARNING Ensure you copy the secret value, not the secret id.
Granting permissions to the application
The Microsoft Entra tenant administrator MUST explicitly grant the permissions to the application. This must be done per tenant and must be performed every time the application permissions are changed in the application registration portal.
Sign in to the Microsoft Entra admin center.
If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
Click the app you created in the previous procedure.
Go to the app's API permissions page.
Select Add a permission and then choose Microsoft Graph.
Under What type of permissions does your application require?, select Application permissions.
Use the search box to find and select the required permissions: SecurityIncident.Read.All.
Click Add permissions.
Grant Admin Consent.
Enable Microsoft 365 Defender
In Barracuda XDR Dashboard, navigate to Administration > Integrations.
On the Microsoft 365 Defender Collector card, click Setup.
Select the Enabled check box.
Fill out the following information:
Event Hub
Connection String
Storage Account
Access Key
Tenant ID
Client ID
Client Secret
Optional: Click Test to test the connection. When the connection is functioning, proceed to the next step.
Click Save.
Capacity
The event hub tier determines its capacity. For more information, see https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers
The basic tier has the following quotas:
Quota | Basic tier
Number of consumer groups per event hub | 1
Maximum retention period of event data | 1 day
Throughput per unit | Ingress: 1 MB/sec or 1000 events per second
Two of these matter operationally: with a single consumer group ($Default), no other consumer can read the hub alongside the collector, and with one day of retention, events that are not consumed within 24 hours (for example during a prolonged collector outage) are lost. If you need either, choose the Standard tier.
To help determine the required event hub settings, you can run the following query.
Log into security.microsoft.com
Navigate to Hunting > Advanced hunting
Create a new query, then copy and paste the following:
// Assumed average event size in bytes; adjust if your events are larger.
let bytes_ = 1000;
// Pull every Defender table, tagging each row with its table name.
union withsource=MDTables *
| where Timestamp > startofday(ago(7d))
// Events per 1-minute bin, per table (bins with no events are not emitted, so EPS is slightly overestimated).
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = count_ / 60
// Average EPS and estimated MB/s per table in 3-hour windows.
| summarize avg(EPS), estimatedMBPerSec = avg(EPS) * bytes_ / (1024*1024) by MDTables, bin(Timestamp, 3h)
// Keep the busiest 3-hour window for each table.
| summarize avg_EPS = max(avg_EPS), estimatedMBPerSec = max(estimatedMBPerSec) by MDTables
// Sort on the real value; toint() would truncate these sub-1 MB/s figures to 0 and leave the rows unsorted.
| sort by estimatedMBPerSec desc
| project MDTables, avg_EPS, estimatedMBPerSec
Example output (the Total row is added by hand; the query does not produce it):
MDTables | avg_EPS | estimatedMBPerSec
AlertEvidence | 0 | 0
DeviceNetworkInfo | 0.323529412 | 0.000308542
DeviceProcessEvents | 0.246575342 | 0.000235153
DeviceRegistryEvents | 0.44047619 | 0.000420071
DeviceNetworkEvents | 2.2 | 0.002098083
DeviceLogonEvents | 0 | 0
IdentityInfo | 9 | 0.008583069
DeviceFileCertificateInfo | 1.556521739 | 0.001484415
AlertInfo | 0 | 0
DeviceFileEvents | 1.598360656 | 0.001524316
CloudAuditEvents | 0 | 0
EmailPostDeliveryEvents | 0 | 0
UrlClickEvents | 0 | 0
EmailUrlInfo | 0.043478261 | 4.15E-05
EmailEvents | 0 | 0
EmailAttachmentInfo | 0.0625 | 5.96E-05
DeviceTvmSecureConfigurationAssessment | 3.5 | 0.00333786
DeviceTvmInfoGathering | 0 | 0
DeviceInfo | 0 | 0
DeviceImageLoadEvents | 6.333333333 | 0.006039937
CloudAppEvents | 11.30167598 | 0.010778118
AADSpnSignInEventsBeta | 0.057142857 | 5.45E-05
AADSignInEventsBeta | 0.176470588 | 0.000168295
DeviceEvents | 2.081632653 | 0.0019852
IdentityLogonEvents | 0 | 0
Total | 38.92169701 | 0.037118623
If total avg_EPS > 1000 or estimatedMBPerSec > 1, you need more than one throughput unit, or you can disable streaming of some event types. Because the query reports averages, leave headroom for bursts. Event Hubs can scale throughput units automatically (Auto-inflate), but that feature is not available on the Basic tier, and scaling should be monitored in either case.
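The following planner turns the avg_EPS column from the query above into a throughput-unit estimate against the Basic-tier quotas, and, if the hub is over budget, lists the noisiest event types to leave unselected under Event Types in the Streaming API settings. It is an added example, not Barracuda's or Microsoft's code. The per-table figures are constructed from the example output above (zero rows omitted); bytes_per_event mirrors the query's bytes_ constant, and the headroom multiplier of 2 is an assumption to cover bursts above the 3-hour averages.

```python
import math

# Basic-tier limits per throughput unit, from the quota table above.
EPS_PER_TU = 1000
MBPS_PER_TU = 1.0

# Constructed from the avg_EPS column of the example output above (zero rows omitted); not a live measurement.
SAMPLE_AVG_EPS = {
    "CloudAppEvents": 11.30167598,
    "IdentityInfo": 9,
    "DeviceImageLoadEvents": 6.333333333,
    "DeviceTvmSecureConfigurationAssessment": 3.5,
    "DeviceNetworkEvents": 2.2,
    "DeviceEvents": 2.081632653,
    "DeviceFileEvents": 1.598360656,
    "DeviceFileCertificateInfo": 1.556521739,
    "DeviceRegistryEvents": 0.44047619,
    "DeviceNetworkInfo": 0.323529412,
    "DeviceProcessEvents": 0.246575342,
    "AADSignInEventsBeta": 0.176470588,
    "EmailAttachmentInfo": 0.0625,
    "AADSpnSignInEventsBeta": 0.057142857,
    "EmailUrlInfo": 0.043478261,
}


def plan_throughput(avg_eps_by_table: dict, bytes_per_event: int = 1000, headroom: float = 2.0) -> dict:
    """Estimate the throughput units needed for the given per-table EPS.

    bytes_per_event matches the bytes_ constant in the query; headroom is an assumed
    multiplier for bursts, since the query reports 3-hour averages rather than peaks.
    Summing per-table maxima is conservative: the tables need not peak at the same time.
    """
    peak_eps = sum(avg_eps_by_table.values()) * headroom
    peak_mbps = peak_eps * bytes_per_event / (1024 * 1024)
    units = max(1, math.ceil(peak_eps / EPS_PER_TU), math.ceil(peak_mbps / MBPS_PER_TU))
    limiting = "events/sec" if peak_eps / EPS_PER_TU >= peak_mbps / MBPS_PER_TU else "MB/sec"
    ranked = sorted(avg_eps_by_table.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "peak_eps": peak_eps,
        "peak_mbps": peak_mbps,
        "throughput_units": units,
        "limiting_quota": limiting,
        "top_tables": [name for name, _ in ranked[:5]],
    }


def tables_to_disable(avg_eps_by_table: dict, target_units: int = 1, **kwargs) -> list:
    """Greedily drop the noisiest event types until the plan fits in target_units.

    Returns the table names to leave unselected under Event Types; an empty list means
    the current selection already fits.
    """
    remaining = dict(avg_eps_by_table)
    dropped = []
    while remaining and plan_throughput(remaining, **kwargs)["throughput_units"] > target_units:
        noisiest = max(remaining, key=remaining.get)
        dropped.append(noisiest)
        del remaining[noisiest]
    return dropped


if __name__ == "__main__":
    plan = plan_throughput(SAMPLE_AVG_EPS)
    print(f"{plan['throughput_units']} TU(s), limited by {plan['limiting_quota']}; "
          f"noisiest tables: {', '.join(plan['top_tables'])}")
    print("tables to disable to stay on 1 TU:", tables_to_disable(SAMPLE_AVG_EPS) or "none")
```

For the example tenant the answer is a single throughput unit with a wide margin; the same code run on a tenant a hundred times busier reports eight units, or six event types to drop to stay on one. Disabling a table is a detection-coverage decision as much as a cost one, so review what the dropped tables feed before turning them off.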