Barracuda XDR

Integrating Microsoft 365 Defender

This integration is in Beta and is not currently available to all users.

To integrate Microsoft 365 Defender, you must do the following:

Create an event hub namespace and event hub entity in Microsoft Azure

An event hub is temporary storage that multiple producers write events to and multiple consumers read events from.

The cost of your event hub subscription depends on the pricing tier you choose and the throughput units. You may need to increase the throughput units based on the number of events generated by Defender 365. For more information, see the Capacity section at the end of this document.

To create an event hub namespace and event hub entity in Microsoft Azure
  1. Log into the Microsoft Azure Portal and select the tenant (directory) of the customer to be monitored.

  2. Navigate to Event Hubs.

  3. Click +Create.

  4. Provide the following information:

    • Your subscription

    • Your resource group

    • The namespace
      NOTE We suggest using the following naming convention: <acme-inc>-xdr-events where <acme-inc> is the name of the customer

    • Location: US East

    • Pricing Tier: Basic

    • Throughput Units: 1

    • Networking: Public Access.

  5. Click Review/Create.

  6. Navigate to the namespace that was created.

  7. From the Overview screen, click +Event Hub and complete the form:

    • Name: m365
      NOTE This is the name of your event_hub.

  8. Click Review/Create.

  9. From the event hub, click Settings > Shared access policies.
    NOTE Make sure you are adding the SAS policy on the event hub, not the namespace. The namespace has its own SAS policy called RootManageSharedAccessKey; a connection string copied from that policy has no EntityPath and will not work for this integration.

  10. Click +Add.

  11. Enter the following information:

    • Name
      NOTE We suggest using the value barracuda-xdr.

    • Listen/Send: Enabled

  12. Click on the new SAS policy and copy the Connection string–primary key.
    NOTE This is your event_hub_connection_string.
    For example: Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365

  13. From the namespace, click Settings > Properties.

  14. Copy the namespace id.
    NOTE This is your namespace_resource_id.
    For example: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events

Creating a storage account

The storage account allows event hub consumers to keep track of which events have already been ingested. The checkpoint is a small file that multiple consumers can write to, and it does not increase cost significantly.

To create a Microsoft Azure storage account
  1. Log into the Microsoft Azure Portal https://portal.azure.com and select the tenant (directory) of the customer to be monitored.

  2. Navigate to Storage Accounts.

  3. Click + Create.

  4. Provide the following information. For example:

    • Storage account name
      NOTE We recommend using the following naming convention: <acmeinc>m365 where <acmeinc> is the name of the customer.

    • Region: US East

    • Performance: Standard

    • Redundancy: GRS

    • Read Access checked: Yes

  5. Click Review/Create.

  6. Navigate to the storage account.

  7. Click Security + Networking > Access Keys.

  8. Click Show next to one of the Keys.

  9. Copy the value. This is your storage_account_access_key.

Setting up log streaming

  1. Log in to the Microsoft Defender portal as a Global Admin or Security Administrator.

  2. Go to System > Settings > Microsoft 365 Defender XDR.

  3. Click Streaming API.

  4. Click + Add.

  5. Choose a name for your new settings.

  6. Select Forward events to Azure Event Hubs.

  7. Enter your Event-Hub name (event_hub) and Event-Hub Resource ID (namespace_resource_id). Note that the Name field is the name of the streaming setting itself, not the event hub.
    For example:
    Name: m365-event-hub
    Event-Hub Resource ID: /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/acme-inc/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events
    Event-Hub name: m365
    Event Types: Select All

  8. Click Submit.

Creating an app key for the incidents/alerts API

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.

  3. Click Identity > Applications > App registrations.

  4. Select New registration.

  5. Type a display Name for your application. Specify who can use the application in the Supported account types section.
    For example:
    Display Name: m365api
    Supported account types: Users within the current tenant

  6. From the app registration overview screen obtain the client_id and tenant_id.
    For example:
    Client id: 1290db81-e444-4619-a87b-1d88365959a5
    Tenant id: 1286cb4f-9975-4e91-a711-6bfd1e2a049d

  7. Click Certificates & secrets.

  8. Add a new secret.
    For example:
    Name: xdr-m365-api

  9. Copy the secret value, also known as the client_secret.
    WARNING Ensure you copy the secret value, not the secret id.

Granting permissions to the application

The Microsoft Entra tenant administrator MUST explicitly grant the permissions to the application. This must be done per tenant and must be performed every time the application permissions are changed in the application registration portal.

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.

  3. Click the app you created in the previous procedure.

  4. Go to the app's API permissions page.

  5. Select Add a permission and then choose Microsoft Graph.

  6. Under What type of permissions does your application require?, select Application permissions.

  7. Use the search box to find and select the required permissions: SecurityIncident.Read.All.

  8. Click Add permissions.

  9. Grant Admin Consent.

Enable Microsoft 365 Defender

  1. In the Barracuda XDR Dashboard, navigate to Administration > Integrations.

  2. On the Microsoft 365 Defender Collector card, click Setup.

  3. Select the Enabled check box.

  4. Fill out the following information:

    • Event Hub

    • Connection String

    • Storage Account

    • Access Key

    • Tenant ID

    • Client ID

    • Client Secret

  5. Optional: Click Test to test the connection. When the connection is functioning, proceed to the next step.

  6. Click Save.
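Before clicking Test, the values gathered in the previous procedures can be cross-checked offline. The script below is an added example, not part of the Barracuda documentation or product; its sample values are constructed to match the examples on this page and its function names are hypothetical. It verifies that the connection string came from a policy on the event hub (it carries an EntityPath equal to the event hub name, rather than the namespace's RootManageSharedAccessKey), that the Endpoint host belongs to the namespace named in namespace_resource_id, and that the tenant and client ids are GUIDs.

```python
import re
from urllib.parse import urlparse

# Constructed sample values shaped like the page's examples (not real credentials).
SAMPLE = {
    "event_hub": "m365",
    "event_hub_connection_string": "Endpoint=sb://acme-inc-xdr-events.servicebus.windows.net/;"
    "SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365",
    "namespace_resource_id": "/subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/"
    "acme-inc/providers/Microsoft.EventHub/namespaces/acme-inc-xdr-events",
    "tenant_id": "1286cb4f-9975-4e91-a711-6bfd1e2a049d",
    "client_id": "1290db81-e444-4619-a87b-1d88365959a5",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
RESOURCE_ID_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                            r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)$")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    parts = {}
    for field in filter(None, cs.split(";")):
        key, _, value = field.partition("=")
        parts[key] = value
    return parts


def validate_settings(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    cs = parse_connection_string(cfg["event_hub_connection_string"])
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not cs.get(required):
            problems.append(f"connection string is missing {required}")
    # A policy taken from the namespace (e.g. RootManageSharedAccessKey) carries no EntityPath.
    if "EntityPath" not in cs or cs.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        problems.append("SAS policy must be created on the event hub, not the namespace")
    elif cs["EntityPath"] != cfg["event_hub"]:
        problems.append(f"EntityPath {cs['EntityPath']!r} != event hub name {cfg['event_hub']!r}")
    m = RESOURCE_ID_RE.match(cfg["namespace_resource_id"])
    if not m:
        problems.append("namespace_resource_id is not an Event Hubs namespace resource id")
    else:
        host = urlparse(cs.get("Endpoint", "")).hostname or ""
        if host != f"{m['ns']}.servicebus.windows.net":
            problems.append(f"Endpoint host {host!r} does not belong to namespace {m['ns']!r}")
    for name in ("tenant_id", "client_id"):
        if not GUID_RE.match(cfg[name]):
            problems.append(f"{name} is not a GUID")
    return problems
```

Calling validate_settings(SAMPLE) returns an empty list; pasting the streaming setting name (m365-event-hub) into the Event Hub field, or a namespace-level connection string, produces a problem entry.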

Capacity

The event hub tier determines its capacity. For more information, see https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers

The basic tier has the following quotas:

  Number of consumer groups per event hub: 1
  Maximum retention period of event data: 1 day
  Throughput per unit:
    Ingress: 1 MB/sec or 1000 events per second
    Egress: 2 MB/sec or 4,096 events per second

To help determine the required event hub settings, you can run the following query.

  1. Log into security.microsoft.com

  2. Navigate to Hunting > Advanced hunting

  3. Create a new query, then copy and paste the following:

    // bytes_ is the assumed average size of one event in bytes
    let bytes_ = 1000;
    union withsource=MDTables *
    | where Timestamp > startofday(ago(7d))
    // events per 1-minute bin, per table
    | summarize count() by bin(Timestamp, 1m), MDTables
    | extend EPS = count_ / 60
    | summarize avg(EPS), estimatedMBPerSec = avg(EPS) * bytes_ / (1024*1024) by MDTables, bin(Timestamp, 3h)
    // keep the busiest 3-hour window for each table
    | summarize avg_EPS = max(avg_EPS), estimatedMBPerSec = max(estimatedMBPerSec) by MDTables
    // sort on the real value: toint() would truncate every sub-1 MB/sec figure to 0
    | sort by estimatedMBPerSec desc
    | project MDTables, avg_EPS, estimatedMBPerSec

Example output

  MDTables                                avg_EPS        estimatedMBPerSec
  AlertEvidence                           0              0
  DeviceNetworkInfo                       0.323529412    0.000308542
  DeviceProcessEvents                     0.246575342    0.000235153
  DeviceRegistryEvents                    0.44047619     0.000420071
  DeviceNetworkEvents                     2.2            0.002098083
  DeviceLogonEvents                       0              0
  IdentityInfo                            9              0.008583069
  DeviceFileCertificateInfo               1.556521739    0.001484415
  AlertInfo                               0              0
  DeviceFileEvents                        1.598360656    0.001524316
  CloudAuditEvents                        0              0
  EmailPostDeliveryEvents                 0              0
  UrlClickEvents                          0              0
  EmailUrlInfo                            0.043478261    4.15E-05
  EmailEvents                             0              0
  EmailAttachmentInfo                     0.0625         5.96E-05
  DeviceTvmSecureConfigurationAssessment  3.5            0.00333786
  DeviceTvmInfoGathering                  0              0
  DeviceInfo                              0              0
  DeviceImageLoadEvents                   6.333333333    0.006039937
  CloudAppEvents                          11.30167598    0.010778118
  AADSpnSignInEventsBeta                  0.057142857    5.45E-05
  AADSignInEventsBeta                     0.176470588    0.000168295
  DeviceEvents                            2.081632653    0.0019852
  IdentityLogonEvents                     0              0
  Total                                   38.92169701    0.037118623


If the total avg_EPS > 1000, or the total estimatedMBPerSec > 1, you may need to increase the throughput units or optionally disable streaming of some event types. Microsoft supports autoscaling, but this should be monitored.