Integrating Microsoft 365 Defender

If you have already integrated Microsoft Defender for Endpoint (see Integrating Microsoft Defender for Endpoint) and you also follow the process below, you may receive duplicate alerts while both integrations are active.

BEST PRACTICE
If you have already integrated Microsoft Defender for Endpoint and want to integrate Microsoft 365 Defender, follow the process below. After integrating Microsoft 365 Defender, allow both integrations to run in parallel for 3-5 days, confirm that the Microsoft 365 Defender integration is delivering endpoint events, then disable the Microsoft Defender for Endpoint integration.

To integrate Microsoft 365 Defender, you must do the following:

  • To set up the required resource provider in the event hubs subscription

  • To create an event hub namespace and event hub entity in Microsoft Azure

  • To create a Microsoft Azure storage account

  • To set up event hub streaming

  • To create an app key for incidents/alerts API

  • To grant permissions to the application

  • To enable Microsoft 365 Defender

Enabling Microsoft 365 Defender in the XDR Dashboard requires certain information, which you collect as you set up Microsoft Azure. Make sure you keep this information in a safe place where you can access it for the final step:

  • Event hub

  • Connection string

  • Storage account

  • Access key

  • Tenant ID

  • Client ID

  • Client secret

Creating an event hub namespace and event hub entity in Microsoft Azure

To set up the required resource provider in the event hubs subscription
  1. Log in to the Microsoft Azure Portal.

  2. Click Subscriptions, then click the name of the event hub subscription the event hubs will be deployed to.

  3. Click Resource providers.

  4. If the Microsoft.Insights resource provider shows a status of NotRegistered, select it and click Register. Wait until the status changes to Registered before continuing.

To create an event hub namespace and event hub entity in Microsoft Azure
  1. Log in to the Microsoft Azure Portal and select the tenant (directory) of the customer to be monitored.

  2. Select Event Hubs.

  3. Click +Create.

  4. Provide the following information:

    • Your subscription

    • Your resource group

    • The namespace
      Example <customer-name>-xdr-events

    • Location: Select your location.

    • Pricing Tier: Basic

    • Throughput Units: See the Capacity section at the end of this document.

    • Networking: Public Access

  5. Click Review + create, then Create.

  6. Select the namespace that was created.

  7. From the Overview screen, click +Event Hub and complete the form:

    • Name: m365
      NOTE This is the name of your event_hub.

    • Partition count: 1

    • Cleanup Policy: Delete

    • Retention time: 24 hours

  8. Click Review + create, then Create.

  9. From the event hub click Settings > Shared access policies.
    NOTE Make sure you are adding the SAS policy on the event hub, not the namespace. The namespace has its own SAS policy called RootManageSharedAccessKey.

  10. Click +Add

  11. Enter the following information:

    • Name
      NOTES
      - We suggest using the value barracuda-xdr.
      - You do not enter this name in the dashboard directly; it appears as the SharedAccessKeyName in the connection string you copy in step 12.

    • Listen: Enabled
      NOTE Leave Manage and Send cleared. The consumer only needs to read, and a key that can also send to or manage the hub is a larger loss if it leaks.

  12. Click the new SAS policy and copy the Connection string–primary key.
    NOTES
    - This is your event_hub_connection_string.
    Example Endpoint=sb://<customer-name>-xdr-events.servicebus.windows.net/;SharedAccessKeyName=barracuda-xdr;SharedAccessKey=123;EntityPath=m365
    - Copy the event_hub_connection_string and store it in an accessible place for the To enable Microsoft 365 Defender procedure.

  13. From the namespace, click Settings > Properties.

  14. Copy the namespace id.
    NOTES
    - This is your namespace_resource_id.
    Example /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/<customer-name>/providers/Microsoft.EventHub/namespaces/<customer-name>-xdr-events
    - Copy the namespace_resource_id and store it in an accessible place for the To set up event hub streaming procedure.

Creating a storage account

The storage account holds the consumer checkpoints: a small blob per partition that records which events have already been read, so the consumer resumes where it left off after a restart instead of re-reading or skipping events. Several consumers can share it, and it does not increase cost significantly.

Preferred Storage Type: Azure Blob Storage or Azure Data Lake Storage Gen 2

To create a Microsoft Azure storage account
  1. In the Microsoft Azure Portal, with the directory of the customer to be monitored selected, select Storage Accounts.

  2. Click + Create and complete the form. For example:

    • Storage account name: <customer-name>m365
      NOTE Storage account names must be 3 to 24 characters of lowercase letters and digits only, so the hyphens used in names elsewhere in this document cannot appear here.

    • Region: Select your region.

    • Performance: Standard

    • Redundancy: Geo-redundant storage (GRS), with Make read access to data available in the event of regional unavailability selected (that is, RA-GRS).

  3. Click Review + create, then Create.

  4. Select the storage account.

  5. Click Security + networking > Access keys, and under key1 click Show and copy the Key value.
    NOTES
    - This is your storage_account_access_key. The storage account name you chose in step 2 is your storage_account.
    - Copy both and store them in an accessible place for the To enable Microsoft 365 Defender procedure.
    - The access key grants full control of the storage account, so treat it like a password and rotate it from the same page if it is ever exposed.

Setting up event hub streaming

The event types you must configure depend on your version of Defender. See the procedure below.

To set up event hub streaming

NOTE In step 6 below, in Event-Hub Resource ID, submit your namespace resource id, in the format displayed below.

  1. In the Microsoft Defender portal (security.microsoft.com), signed in to the tenant of the customer to be monitored, go to System > Settings > Microsoft Defender XDR.
    NOTE Global Administrator or Security Administrator is required. The Streaming API is configured in the Defender portal, not in the Azure Portal; the event hub you created in Azure is only the destination.

  2. Click Streaming API.

  3. Click + Add.

  4. Choose a name for your new settings.

  5. Select Forward events to Azure Event Hubs.

  6. Enter your Event-Hub Resource ID (namespace_resource_id) and Event-Hub name (event_hub).
    For example:
    Name: m365-event-hub
    Event-Hub Resource ID: The namespace_resource_id from step 14 of the To create an event hub namespace and event hub entity in Microsoft Azure procedure above.
    Example /subscriptions/10bd4af8-2e42-4550-a424-e565c8a047f4/resourceGroups/<customer-name>/providers/Microsoft.EventHub/namespaces/<customer-name>-xdr-events
    Event-Hub name: m365
    NOTE Always fill in the Event-Hub name. If it is left empty, the Streaming API creates a separate event hub for each selected event type, and the dashboard expects a single event hub.

  7. In Event Types, select the event types to stream, depending on your version of Defender. Each group below appears on the XDR Dashboard Home page as its own data source.

    • Email: under the Email & Collaboration section, select the following. The Home page displays this data source as m365_defender.email.

      • EmailAttachmentInfo

      • EmailEvents

      • EmailPostDeliveryEvents

      • EmailUrlInfo

      • UrlClickEvents

    • Defender for Endpoint: under the Endpoint section, select the following. The Home page displays this data source as m365_defender.endpoint.

      • DeviceEvents

      • DeviceFileCertificateInfo

      • DeviceFileEvents

      • DeviceImageLoadEvents

      • DeviceInfo

      • DeviceLogonEvents

      • DeviceNetworkEvents

      • DeviceNetworkInfo

      • DeviceProcessEvents

      • DeviceRegistryEvents

    • Cloud: under the Apps & Identities section, select the following. The Home page displays this data source as m365_defender.cloud.

      • CloudAppEvents

      • IdentityInfo

      • IdentityLogonEvents

      • IdentityQueryEvents

      • IdentityDirectoryEvents

  8. Click Save.
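To see how the event types selected above map onto the three data sources the Home page shows, here is an added Python example (not Barracuda's code and not part of the original page). It reads one Event Hub message in the shape the Streaming API writes, where each record carries a category of the form AdvancedHunting-<table>, attributes every record to its data source, and reports any table that arrives but is not in the lists above, which is the usual sign that someone changed the Streaming API settings after setup. The sample message is constructed; the tenant ID and property values are placeholders.

```python
import json
from collections import Counter

# Event types from step 7, keyed by the data source name the XDR Dashboard
# Home page shows for each group. Copied from the lists above.
DATA_SOURCES = {
    "m365_defender.email": {
        "EmailAttachmentInfo", "EmailEvents", "EmailPostDeliveryEvents",
        "EmailUrlInfo", "UrlClickEvents",
    },
    "m365_defender.endpoint": {
        "DeviceEvents", "DeviceFileCertificateInfo", "DeviceFileEvents",
        "DeviceImageLoadEvents", "DeviceInfo", "DeviceLogonEvents",
        "DeviceNetworkEvents", "DeviceNetworkInfo", "DeviceProcessEvents",
        "DeviceRegistryEvents",
    },
    "m365_defender.cloud": {
        "CloudAppEvents", "IdentityInfo", "IdentityLogonEvents",
        "IdentityQueryEvents", "IdentityDirectoryEvents",
    },
}
TABLE_TO_SOURCE = {t: src for src, tables in DATA_SOURCES.items() for t in tables}

# The Streaming API labels each record's category as "AdvancedHunting-<table>".
CATEGORY_PREFIX = "AdvancedHunting-"


def table_name(record):
    """Return the advanced hunting table a streamed record came from, or None."""
    category = record.get("category", "")
    if not category.startswith(CATEGORY_PREFIX):
        return None
    return category[len(CATEGORY_PREFIX):]


def route_message(body):
    """Parse one Event Hub message body and attribute its records to data sources.

    Returns (counts, unexpected): counts maps data source -> number of records,
    unexpected lists categories that were streamed but are not in the set this
    page configures, which usually means the Streaming API settings have
    drifted from the lists above.
    """
    records = json.loads(body).get("records", [])
    counts = Counter()
    unexpected = set()
    for rec in records:
        source = TABLE_TO_SOURCE.get(table_name(rec))
        if source is None:
            unexpected.add(rec.get("category", "<no category>"))
            continue
        counts[source] += 1
    return dict(counts), sorted(unexpected)


# Constructed sample message in the shape the Streaming API writes to the hub;
# the tenant ID and properties are placeholders, not real data.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-05-01T10:00:00Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01", "FileName": "powershell.exe"}},
    {"time": "2024-05-01T10:00:01Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-EmailEvents",
     "properties": {"Subject": "Invoice", "SenderFromAddress": "billing@example.test"}},
    {"time": "2024-05-01T10:00:02Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-IdentityLogonEvents",
     "properties": {"AccountName": "alice", "ActionType": "LogonFailed"}},
    {"time": "2024-05-01T10:00:03Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "category": "AdvancedHunting-AlertInfo",
     "properties": {"Title": "Suspicious PowerShell"}},
]})

if __name__ == "__main__":
    counts, unexpected = route_message(SAMPLE_MESSAGE)
    print(counts)      # {'m365_defender.endpoint': 1, 'm365_defender.email': 1, 'm365_defender.cloud': 1}
    print(unexpected)  # ['AdvancedHunting-AlertInfo']
```

AlertInfo is reported as unexpected because it is not among the tables this page tells you to select; if you see such entries during the 3-5 day overlap period, compare the Streaming API settings against step 7 rather than adding the table to the dashboard.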

Creating an app key

You must create an app key for the incidents/alerts API.

To create an app key

  1. Log in to the Microsoft Entra admin center.
    NOTE If you have access to multiple tenants, use the Settings icon in the top menu to select the tenant in which you want to register the application from the Directories + subscriptions menu.

  2. Click Identity > Applications > App registrations.

  3. Select New registration.

  4. Type a display Name for your application. In Supported account types, select Accounts in this organizational directory only (Single tenant), so the registration cannot be used from any other tenant.
    For example:
    Display Name: m365api
    Supported account types: Accounts in this organizational directory only (Single tenant)

  5. From the app registration Overview page, copy the Directory (tenant) ID (tenant_id) and the Application (client) ID (client_id).
    For example:
    Tenant id: 1286cb4f-9975-4e91-a711-6bfd1e2a049d

    Client id: 1290db81-e444-4619-a87b-1d88365959a5
    NOTE Copy the tenant_id and client_id and store them in an accessible place for the To enable Microsoft 365 Defender procedure.

  6. Click Certificates & secrets.

  7. Add a new client secret. We recommend an expiration of 24 months, the maximum the portal allows. Record the expiry date: the integration stops authenticating the moment the secret expires, so schedule its rotation before then.
    For example:
    Description: xdr-m365-api

  8. Copy the secret Value, also known as the client_secret. It is shown only once; after you leave the page it cannot be retrieved and you must create a new secret.
    NOTE Copy the client_secret and store it in an accessible place for the To enable Microsoft 365 Defender procedure. Ensure you copy the Value, not the Secret ID.

Granting permissions to the application

The Microsoft Entra tenant administrator MUST explicitly grant the permissions to the application. This must be done per tenant and must be performed every time the application permissions are changed in the application registration portal.

To grant permissions to the application
  1. Sign in to the Microsoft Entra admin center.
    NOTE If you have access to multiple tenants, use the Settings icon in the top menu to select the tenant in which you want to register the application from the Directories + subscriptions menu.

  2. Click the app you created in the previous procedure.

  3. Go to the app's API permissions page.

  4. Select Add a permission and then choose Microsoft Graph.

  5. Under What type of permissions does your application require?, select Application permissions.
    NOTE Choose Application permissions, not Delegated permissions. The integration authenticates as the app itself with the client secret, with no signed-in user, so delegated permissions would never be exercised.

  6. Use the search box to find and select the required permission: SecurityIncident.Read.All.

  7. Click Add permissions.

  8. Click Grant admin consent for <tenant name> and confirm. Until consent is granted, the app can still obtain a token, but the token carries no permissions and Microsoft Graph rejects its calls.
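The following Python is an added example, not Barracuda's code, showing what the app registration above is used for and how to check that admin consent actually took effect. It builds the client-credentials request to Microsoft's v2.0 token endpoint with the .default scope for Microsoft Graph, then decodes the payload of the returned access token and compares its roles claim against the permission granted in step 6. A token issued before consent carries no roles claim, which is why Graph answers 403 even though authentication succeeded. The helper functions and the constructed sample token are mine; the sample token is unsigned and exists only so the check can run offline.

```python
import base64
import json
from urllib.parse import urlencode

# Application permission granted in step 6 above.
REQUIRED_ROLES = {"SecurityIncident.Read.All"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request used to get a Microsoft Graph token.

    Returns (url, form_body). The ".default" scope asks for every application
    permission that has been admin-consented for this app, so the individual
    permission names are not listed here.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_roles(access_token):
    """Return the application permissions (the "roles" claim) in an access token.

    Only the payload is decoded; the signature is NOT verified. Use this as a
    diagnostic on a token you just received from the token endpoint, never as
    an authorization check.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("roles", []))


def missing_roles(access_token):
    """Required permissions that admin consent has not yet delivered to this app."""
    return sorted(REQUIRED_ROLES - granted_roles(access_token))


def make_sample_token(roles):
    """Constructed, unsigned token for offline testing only.

    Real tokens from Microsoft Entra are RS256-signed; the placeholder
    signature here exists only so the three-part structure parses. Like a
    real token minted before consent, it omits the roles claim when empty.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    claims = {"aud": "https://graph.microsoft.com",
              "tid": "00000000-0000-0000-0000-000000000000"}
    if roles:
        claims["roles"] = list(roles)
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    url, body = token_request("<tenant_id>", "<client_id>", "<client_secret>")
    print(url)
    print(missing_roles(make_sample_token([])))                             # ['SecurityIncident.Read.All']
    print(missing_roles(make_sample_token(["SecurityIncident.Read.All"])))  # []
```

In practice you would POST the body from token_request to the URL, take access_token from the JSON response and pass it to missing_roles; a non-empty result means step 8 has not taken effect in the tenant whose tenant_id you used, and the dashboard's Test button will fail for that reason rather than because of a wrong secret.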

Enabling Microsoft 365 Defender in XDR Dashboard

Completing this final step requires the following information which you collected as you set up Microsoft Azure. If you don’t have this information available, make sure you collect it before proceeding:

  • Event hub

  • Connection string

  • Storage account

  • Access key

  • Tenant ID

  • Client ID

  • Client secret

To enable Microsoft 365 Defender

  1. In Barracuda XDR Dashboard, select Integrations.

  2. On the Microsoft 365 Defender card, click Setup.

  3. Select the Enabled check box.

  4. Select the sliders of the event hub log types you want to collect.

  5. Fill out the following information:

    • Event Hub

    • Connection String - Paste the event_hub_connection_string from step 12 of the event hub procedure, with the trailing ;EntityPath=m365 segment removed. The event hub name is supplied separately in the Event Hub field.

    • Storage Account

    • Access Key

    • Tenant ID

    • Client ID

    • Client Secret

  6. Optional: Click Test to test the connection.
    When the connection is successful, proceed to the next step.

  7. Click Save.
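The dashboard takes the event hub name as its own field and wants the connection string from step 12 of To create an event hub namespace and event hub entity in Microsoft Azure without the EntityPath segment. The following Python is an added example, not part of Barracuda's product or documentation, that checks the string you copied before you paste it: it rejects the namespace-level RootManageSharedAccessKey in favour of the Listen-only policy created on the event hub, confirms that EntityPath matches the Event Hub field, and strips EntityPath wherever it appears, not only at the end. The sample string, endpoint and key are constructed placeholders.

```python
# Keys every Event Hubs connection string must carry.
REQUIRED_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
NAMESPACE_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(conn):
    """Split a connection string into a dict of its key=value segments.

    Split on the FIRST '=' of each segment only: SharedAccessKey is base64
    and may end in '=' padding, which must stay part of the value.
    """
    parts = {}
    for segment in conn.strip().split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key] = value
    return parts


def check_connection_string(conn, event_hub, policy_name="barracuda-xdr"):
    """Validate the string copied in step 12 and return it as the dashboard expects.

    Returns (normalized, problems). normalized is the connection string with
    the EntityPath segment removed wherever it appears, or None if a problem
    was found; problems lists every issue so they can all be fixed at once.
    Pass policy_name=None to skip the policy-name check.
    """
    problems = []
    try:
        parts = parse_connection_string(conn)
    except ValueError as exc:
        return None, [str(exc)]

    for key in REQUIRED_KEYS:
        if key not in parts:
            problems.append(f"missing {key}")
    if "Endpoint" in parts and not parts["Endpoint"].startswith("sb://"):
        problems.append("Endpoint should start with sb://")

    policy = parts.get("SharedAccessKeyName")
    if policy == NAMESPACE_POLICY:
        problems.append("this is the namespace key; copy the Listen policy from the event hub instead")
    elif policy_name is not None and policy is not None and policy != policy_name:
        problems.append(f"SharedAccessKeyName is {policy!r}, expected {policy_name!r}")

    # The dashboard gets the hub name from its own field, so EntityPath must go,
    # but first make sure it names the same hub you are about to type in.
    entity = parts.pop("EntityPath", None)
    if entity is not None and entity != event_hub:
        problems.append(f"EntityPath {entity!r} does not match Event Hub field {event_hub!r}")

    if problems:
        return None, problems
    return ";".join(f"{k}={v}" for k, v in parts.items()), []


# Constructed example; the key is a placeholder, not a real secret.
SAMPLE = ("Endpoint=sb://contoso-xdr-events.servicebus.windows.net/;"
          "SharedAccessKeyName=barracuda-xdr;SharedAccessKey=AbCd12==;EntityPath=m365")

if __name__ == "__main__":
    normalized, problems = check_connection_string(SAMPLE, "m365")
    print(normalized)  # Endpoint=sb://contoso-xdr-events.servicebus.windows.net/;SharedAccessKeyName=barracuda-xdr;SharedAccessKey=AbCd12==
    print(problems)    # []
```

If the Test button in step 6 fails, run your copied string through check_connection_string first: the two mistakes it catches most often, a namespace key copied from the wrong Shared access policies page and an EntityPath left on the end, both produce an authentication or entity-not-found error that looks like a bad key.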

