Gather event hub information
Before configuring Microsoft 365 Defender, you’ll need this information about your event hub:
- Name
- Resource ID
To get this information:
- In the Azure portal, click All resources in the side navigation bar.
- Click the event hub namespace in which the event hub is located.
- Scroll down to the list of event hubs in the namespace and copy the name of the event hub you want to stream to. The name of each event hub is displayed in the first column of the event hub list.
- Paste the event hub instance name into a text file.
- Click JSON View.
- Click the button next to the resource ID.
- Paste the event hub namespace resource ID into the text file.
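A pre-flight check for the two values saved to the text file, as an added example that is not part of the original guide: it confirms that the resource ID is the namespace ID rather than the ID of the event hub instance, and that the instance name is a bare name. The function names, sample values, and the naming rules encoded in the patterns are assumptions based on the standard Azure resource ID layout.

```python
import re

# Assumed standard ARM layout for an event hub namespace resource ID:
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<ns>
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed naming rule: letters, digits, '.', '-', '_'; alphanumeric at both ends.
HUB_NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]{0,254}[A-Za-z0-9])?$")


def check_namespace_id(resource_id):
    """Return problems found in a pasted namespace resource ID (empty list = OK)."""
    parts = resource_id.strip().strip("/").split("/")
    low = [p.lower() for p in parts]  # ARM segment keywords are case-insensitive
    if len(parts) < 8 or low[0] != "subscriptions" or low[2] != "resourcegroups":
        return ["not a resource ID of the form /subscriptions/<id>/resourceGroups/<rg>/..."]
    problems = []
    if not GUID.match(parts[1]):
        problems.append("subscription ID is not a GUID")
    if low[4:7] != ["providers", "microsoft.eventhub", "namespaces"]:
        problems.append("resource is not a Microsoft.EventHub namespace")
    elif len(parts) > 8:
        # Typical slip: copying the ID of the event hub instance instead.
        problems.append("ID points below the namespace: /" + "/".join(parts[8:]))
    return problems


def check_hub_name(name):
    """Return problems found in a pasted event hub instance name."""
    name = name.strip()
    if "/" in name:
        return ["instance name looks like a path or resource ID, expected a bare name"]
    if not HUB_NAME.match(name):
        return ["instance name is empty or not made of letters, digits, '.', '-', '_' "
                "with an alphanumeric first and last character"]
    return []


def check_streaming_inputs(namespace_id, hub_name):
    """Validate both values before pasting them into the Streaming API form."""
    return check_namespace_id(namespace_id) + check_hub_name(hub_name)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    ns = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-example/providers/Microsoft.EventHub/namespaces/ns-example")
    print(check_streaming_inputs(ns, "defender-events"))
    print(check_streaming_inputs(ns + "/eventhubs/defender-events", "defender-events"))
```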
Configure Microsoft 365 Defender to stream events
To set up Microsoft 365 Defender to export data to your event hub:
- Log in to the Microsoft 365 Defender portal as a Global Administrator or Security Administrator.
- Click Settings in the side navigation menu.
- Click Microsoft 365 Defender.
- Click Streaming API in the side menu.
- Click +Add.
- Enter a descriptive name for the data export.
- Tick Forward events to Event Hub.
- Paste in your event hub namespace resource ID and event hub instance name.
Microsoft 365 Defender will list event types that are available for you to export. These are dependent on the functionality you’re currently using in Defender.
- To export basic alerts to the event hub, tick Alerts and expand its listing to check that its sub-items are also ticked.
- If you have Defender for Endpoint set up, to export data about endpoint security events to your event hub, tick Devices and check that its sub-items are also ticked.
- If you have Defender for Identity set up, to export identity events like authentications and authorisations, tick these sub-items under Apps & Identities:
- To export data about emails sent through Exchange Server to your event hub, tick Emails and check that its sub-items are also ticked.
- Click Submit.
- Click Save.