BEST Antivirus KBS : Largest Anti-Malware Knowledge Base and Support

Configure your Event Hub (Microsoft)

  • December 26, 2021
  • BEST Antivirus Staff 2

Contents

  1. Set up the required Resource Provider in the Event Hub subscription
  2. Set up Azure Active Directory App Registration
  3. Set up Event Hub namespace
  4. Set up Event Hub
  5. Configure Microsoft 365 Defender to send email tables
    1. Set up Microsoft 365 Defender to send Email tables to Splunk via Event Hub
    2. Verify that the events are being exported to the Event Hub

Learn how to configure your Event Hub so that it can ingest events from Microsoft 365 Defender.

Set up the required Resource Provider in the Event Hub subscription

  1. Sign in to the Azure portal.
  2. Select Subscriptions > { Select the subscription the event hub will be deployed to } > Resource providers.
  3. Verify that the Microsoft.Insights Provider is registered. Otherwise, register it.

Image of resource providers in Microsoft Azure.

Set up Azure Active Directory App Registration

 Note

You must have the Administrator role, or Azure Active Directory (AAD) must be set to allow non-Administrators to register apps. You must also have an Owner or User Access Administrator role to assign the service principal a role. For more information, see Create an Azure AD app & service principal in the portal – Microsoft identity platform | Microsoft Docs.

  1. Create a new registration (which inherently creates a service principal) in Azure Active Directory > App registrations > New registration.
  2. Fill out the form with just the Name (no Redirect URI is required).

    Image of registering an application.

    Image of Overview information.

  3. Create a secret by clicking on Certificates & secrets > New client secret:

    Image of certificates and secrets.

 Warning

You won’t be able to access the client secret again so make sure to save it.

Set up Event Hub namespace

  1. Create an Event Hub Namespace:

    Go to Event Hubs > Add and select the pricing tier, throughput units and Auto-Inflate (requires the Standard pricing tier; found under Features) appropriate for the load you are expecting. For more information, see Pricing – Event Hubs | Microsoft Azure.

     Note

    You can use an existing event hub, but throughput and scaling are set at the namespace level, so it is recommended to place the event hub in its own namespace.

    Image of Event Hub name space.

  2. You will also need the Resource ID of this Event Hub Namespace. Go to your Azure Event Hubs namespace page > Properties. Copy the text under Resource ID and record it for use during the Microsoft 365 Configuration section below.

    Image of properties.

  3. Once the Event Hub Namespace is created, you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (you can also do this at Resource Group or Subscription level).

    You do this step at Event Hubs Namespace > Access Control (IAM) > Add and verify under Role assignments:

    Image of access control.

Set up Event Hub

Option 1:

You can create an Event Hub within your Namespace and all the Event Types (Tables) you select to export will be written into this one Event Hub.

Option 2:

Instead of exporting all the Event Types (Tables) into one Event Hub, you can export each table into a different Event Hub inside your Event Hub Namespace (one Event Hub per Event Type).

In this option, Microsoft 365 Defender will create Event Hubs for you.

 Note

If you are using an Event Hub Namespace that is not part of an Event Hub Cluster, you will only be able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hubs per Event Hub Namespace.

For example:

Image of example Event Hub.

If you choose this option, you can skip to the Configure Microsoft 365 Defender to send email tables section.

Create an Event Hub within your Namespace by selecting Event Hubs > + Event Hub.

The Partition Count allows for more throughput via parallelism, so it is recommended to increase this number based on the load you are expecting. Default Message Retention and Capture values of 1 and Off are recommended.

Image of create Event Hub.

For this Event Hub (not namespace) you will need to configure a Shared Access Policy with Send, Listen Claims. Click on your Event Hub > Shared access policies > + Add and then give it a Policy name (not used elsewhere) and check Send and Listen.

Image of shared access policies.

Configure Microsoft 365 Defender to send email tables

Set up Microsoft 365 Defender to send Email tables to Splunk via Event Hub

  1. Log in to Microsoft 365 Defender with an account that meets all the following role requirements:
    • Contributor role at the Event Hub Namespace Resource level or higher for the Event Hub that you will be exporting to. Without this permission, you will get an export error when you try to save the settings.
    • Global Admin or Security Admin Role on the tenant tied to Microsoft 365 Defender and Azure.

    Image of security portal.

  2. Click on Raw Data Export > +Add.

    You will now use the data that you recorded above.

    Name: This value is local and should be whatever works in your environment.

    Forward events to event hub: Select this checkbox.

    Event-Hub Resource ID: This value is the Event Hub Namespace Resource ID you recorded when you set up the Event Hub namespace.

    Event-Hub name: If you created an Event Hub inside your Event Hub Namespace, paste the Event Hub name you recorded above.

    If you choose to let Microsoft 365 Defender create one Event Hub per Event Type (Table) for you, leave this field empty.

    Event Types: Select the Advanced Hunting tables that you want to forward to the Event Hub and then on to your custom app. Alert tables are from Microsoft 365 Defender, Devices tables are from Microsoft Defender for Endpoint (EDR), and Email tables are from Microsoft Defender for Office 365. Email Events records all Email Transactions. The URL (Safe Links), Attachment (Safe Attachments), and Post Delivery Events (ZAP) are also recorded and can be joined to the Email Events on the NetworkMessageId field.

    Image of streaming API settings.

  3. Make sure to click Submit.

Verify that the events are being exported to the Event Hub

You can verify that events are being sent to the Event Hub by running a basic Advanced Hunting query. Select Hunting > Advanced Hunting > Query and enter the following query:

Console

EmailEvents
| join kind=fullouter EmailAttachmentInfo on NetworkMessageId
| join kind=fullouter EmailUrlInfo on NetworkMessageId
| join kind=fullouter EmailPostDeliveryEvents on NetworkMessageId
| where Timestamp > ago(1h)
| count

This will show you how many emails were received in the last hour joined across all the other tables. It will also show you if you are seeing events that could be exported to the event hub. If this count shows 0, then you won’t see any data going out to the Event Hub.

Image of advanced hunting.

Once you have verified there is data to export, you can view the Event Hub to verify that messages are incoming. This can take up to one hour.

  1. In Azure, go to Event Hubs > Click on the Namespace > Event Hubs > Click on the Event Hub.
  2. Under Overview, scroll down and in the Messages graph you should see Incoming Messages. If you don’t see any results, then there will be no messages for your custom app to ingest.

    Image of the overview tab with messages.
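The Messages graph only shows that something arrived. To confirm which tables your custom app is actually receiving, the following added example (not part of the original article or Microsoft's own code) reads from the Event Hub as the App Registration created above and totals records per Advanced Hunting table. It assumes the placeholder tenant, client, secret, namespace and Event Hub values are filled in from the earlier steps, that the service principal holds the Azure Event Hubs Data Receiver role from the IAM step, and that the azure-identity and azure-eventhub packages are installed for the live receive; the sample message is constructed in the Streaming API layout (a "records" list whose entries carry a "category" of "AdvancedHunting-<Table>").

```python
import json
import threading
from collections import Counter

# Placeholder values (assumptions): fill in from the App Registration and namespace steps above.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<app-registration-client-id>"
CLIENT_SECRET = "<client-secret>"  # keep it out of source in practice (env var or Key Vault)
FULLY_QUALIFIED_NAMESPACE = "<namespace>.servicebus.windows.net"
EVENT_HUB_NAME = "<event-hub-name>"

# Constructed sample of one Event Hub message in the Streaming API layout:
# a "records" list whose entries carry category "AdvancedHunting-<TableName>".
SAMPLE_MESSAGE = json.dumps({"records": [
    {"category": "AdvancedHunting-EmailEvents", "properties": {"NetworkMessageId": "m1"}},
    {"category": "AdvancedHunting-EmailEvents", "properties": {"NetworkMessageId": "m2"}},
    {"category": "AdvancedHunting-EmailUrlInfo", "properties": {"NetworkMessageId": "m1"}},
]})

def count_records_by_table(message_body: str) -> Counter:
    """Count the records in one message per Advanced Hunting table; a body that is not a
    JSON object with a 'records' list counts as one '<invalid>' entry."""
    try:
        records = json.loads(message_body)["records"]
    except (ValueError, KeyError, TypeError):
        return Counter({"<invalid>": 1})
    counts = Counter()
    for rec in records:
        category = rec.get("category", "") if isinstance(rec, dict) else ""
        prefix = "AdvancedHunting-"
        table = category[len(prefix):] if category.startswith(prefix) else "<unknown>"
        counts[table] += 1
    return counts

def receive_sample(run_seconds: int = 60) -> Counter:
    """Listen on the Event Hub as the App Registration for run_seconds (it needs the Azure
    Event Hubs Data Receiver role from the namespace IAM step) and total records per table."""
    from azure.identity import ClientSecretCredential  # imported here so the parser above
    from azure.eventhub import EventHubConsumerClient  # works without the Azure SDK installed
    totals = Counter()

    def on_event(partition_context, event):
        if event is not None:
            totals.update(count_records_by_table(event.body_as_str()))

    client = EventHubConsumerClient(
        fully_qualified_namespace=FULLY_QUALIFIED_NAMESPACE, eventhub_name=EVENT_HUB_NAME,
        consumer_group="$Default",
        credential=ClientSecretCredential(TENANT_ID, CLIENT_ID, CLIENT_SECRET))
    threading.Timer(run_seconds, client.close).start()  # stop listening after the window
    with client:
        client.receive(on_event=on_event, starting_position="@latest")  # only new messages
    return totals
```

A table that never appears in the totals is one you selected under Event Types but that produced no rows in the window, which matches a zero count in the Advanced Hunting query above.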


Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
