Configure Microsoft Defender Logs in the Event Hub
Stream Microsoft Defender Events to Azure Event Hubs
You can stream Microsoft Defender logs from the Azure portal into an Azure Event Hub and collect them with the Azure Event Hubs Beat.
Verify Your Event Hub
- Log in to your Azure Portal with admin credentials.
- Click All Services, then click Event Hubs.
Verify you have an event hub in the list. If not, you will need to create an event hub.
To create an event hub, see Create Resource Group, Event Hub Namespace and Event Hub.
Verify microsoft.insights is Registered as a Resource Provider
- In your Azure Portal, under Navigate, click Subscriptions.
- Select your subscription, then click Resource providers.
- If microsoft.insights does not have the Registered status, click Register.
Microsoft Defender Log Streaming
- Log in to Microsoft Defender portal with Global Admin user credentials.
- In the Microsoft Defender Security Center, click Settings, then click Microsoft 365 Defender.
- Click Streaming API.
- Click Add data export settings.
- Choose a name for your new settings.
- Choose Forward events to Azure Event Hubs.
- Type in your Event Hubs name and your Event Hubs resource ID.
To obtain your Event Hubs resource ID, log in to your Azure Portal and open your Event Hubs resource. In the Properties tab, copy the text under Resource ID.
- Choose the events you want to stream and click Save.
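Once the export is saved, each Event Hub message carries a JSON `records` array in which every record holds `time`, `tenantId`, `category` (the advanced hunting table the event belongs to) and the event columns under `properties`. The following is an added example, not code from this page or from Microsoft: it checks that a pasted namespace resource ID has the expected Azure layout, flattens a constructed sample message into per-event dictionaries, and counts events per table so you can confirm the tables you selected are actually arriving. The record layout and the resource ID pattern are assumptions based on the standard Azure formats.

```python
import json
import re
from collections import Counter

# Assumed layout of the Event Hubs namespace resource ID pasted into the
# Streaming API settings (standard Azure resource ID structure).
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)$",
    re.IGNORECASE,
)


def parse_namespace_resource_id(resource_id: str):
    """Return subscription, resource group and namespace, or None if malformed."""
    m = RESOURCE_ID_RE.match(resource_id.strip())
    return m.groupdict() if m else None


def parse_defender_batch(message_body: str) -> list:
    """Flatten one Event Hub message (JSON with a 'records' array) into events.

    Assumed record fields: time, tenantId, category, properties.
    """
    events = []
    for rec in json.loads(message_body).get("records", []):
        props = rec.get("properties", {})
        events.append({
            "time": rec.get("time"),
            "tenant": rec.get("tenantId"),
            "table": rec.get("category"),
            "device": props.get("DeviceName"),
            "properties": props,
        })
    return events


def count_by_table(events: list) -> dict:
    """Events per advanced hunting table, to verify the chosen tables arrive."""
    return dict(Counter(e["table"] for e in events))


# Constructed sample values, not a real capture or a real subscription.
SAMPLE_RESOURCE_ID = ("/subscriptions/11111111-2222-3333-4444-555555555555"
                      "/resourceGroups/sec-rg/providers/Microsoft.EventHub/namespaces/contoso-ns")
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "tenantId": "t-1", "operationName": "Publish",
     "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "a1", "Title": "Virus:DOS/EICAR_Test_File", "DeviceName": "ws01"}},
    {"time": "2024-01-01T00:00:01Z", "tenantId": "t-1", "operationName": "Publish",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"FileName": "cmd.exe", "DeviceName": "ws01"}},
    {"time": "2024-01-01T00:00:02Z", "tenantId": "t-1", "operationName": "Publish",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"FileName": "powershell.exe", "DeviceName": "ws02"}},
]})
```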
References
For more information, see the following Microsoft documentation:
To verify that Microsoft Defender detects a threat, you can download the following EICAR anti-malware test file (a harmless standard test string, not live malware):
- http://www.eicar.org/download/eicar_com.zip
- Upon opening the zip file, you should immediately receive a notification in your system that a virus has been found.