Integrating Microsoft 365 Defender - Additional information and best practices
The following is additional information to help you integrate Microsoft 365 Defender:
About Azure event hub requirements and cost
How Microsoft 365 Defender sources are identified
About configuring event hub monitoring
About event hub capacity
About Azure event hub requirements and cost
Azure Event Hubs are required by Microsoft's architecture to export logs from Microsoft to Barracuda XDR. Event Hubs function as a secure and scalable streaming platform, enabling real-time transmission of logs from Microsoft services to external platforms such as Barracuda XDR.The cost depends entirely on your environment — specifically the volume of events generated. This varies by user activity, alert volume, and policies, so Barracuda cannot provide a cost estimate of Microsoft Storage. To minimize cost:
Use the Basic tier
Set retention to 1 day
An event hub is temporary storage that Microsoft 365 Defender writes to and XDR reads from.
The cost of your event hub subscription depends on the pricing tier you choose and the throughput unit. You may need to increase the throughput unit based on the number of events generated by Defender 365. For more information, see the Capacity section at the end of this document.
How Microsoft 365 Defender sources are identified
If you see m365_defender.event on the Home page, your Event Hub is sending additional logs that are not used by the integration. You can remove this datasource once you have corrected the event streaming to align with this document.
Event Hub-based events are categorized by event type and use the azure-eventhub instance. A correctly configured integration includes one or more of these:
m365_defender.cloudm365_defender.endpointm365_defender.email
The m365.defender datasource has an instance of httpjson. These events are not related to the event hub and are ingested via API. These events are less frequent than others.
About configuring event hub monitoring
You can configure event hub alerts and monitoring from the Event hub namespace.
If you did not enable autoscaling for your event hub, we recommend adding an alert for Quota Exceeded Error. If the quota is exceeded, it results in log loss.
We recommend adding alerts for ingress and egress limits so you are notified before the quota is exceeded:
Each throughput unit has the following capacities:
Ingress: 1 MB/sec or 1000 events per second
Egress: 2 MB/sec or 4,096 events per second
For a single throughput unit, the alerts may be configured as follows (you may adjust the values depending on your use case):
Ingress:
Signal Name: Incoming Bytes
Threshold: Static
Aggregation type: Maximum
Operator: Greater than
Unit: MB
Threshold: 0.85
Signal Name: Incoming Messages
Threshold: Static
Aggregation type: Total
Operator: Greater than
Unit: Count
Threshold: 850
Egress:
Signal Name: Outgoing Bytes
Threshold: Static
Aggregation type: Maximum
Operator: Greater than
Unit: MB
Threshold: 0.85
Signal Name: Outgoing Messages
Threshold: Static
Aggregation type: Total
Operator: Greater than
Unit: Count
Threshold: 850
About storage account monitoring
The storage account is expected to contain a single small file. We recommend adding an alert to make sure the storage account does not exceed a certain threshold.
Storage Account alerts
Signal Name: Used capacity
Threshold: Static
Aggregation type: Average
Unit: MiB
Threshold: 100
About event hub capacity
The event hub throughput unit determines its capacity. For more information, see https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers.
The basic tier has the following quotas:
Number of consumer groups per event hub | 1 |
|---|---|
Maximum retention period of event data | 1 day |
Throughput per unit | Ingress: 1 MB/sec or 1000 events per second |
gress: 2 MB/sec or 4,096 events per second | |
|
To help determine the required event hub throughput unit, you can run the following query.
Log into security.microsoft.com
Select Hunting > Advanced hunting.
Ensure Last 7 days is selected.
Create a new query, then copy and paste the following, then run the query:
let bytes_ = 1000; union withsource=MDTables * | where MDTables in ('AlertEvidence', 'AlertInfo', 'DeviceEvents', 'DeviceFileCertificateInfo', 'DeviceFileEvents', 'DeviceImageLoadEvents', 'DeviceInfo', 'DeviceLogonEvents', 'DeviceNetworkEvents', 'DeviceNetworkInfo', 'DeviceProcessEvents', 'DeviceRegistryEvents', 'EmailAttachmentInfo', 'EmailEvents', 'EmailPostDeliveryEvents', 'EmailUrlInfo', 'IdentityLogonEvents', 'IdentityQueryEvents', 'IdentityDirectoryEvents', 'CloudAppEvents', 'UrlClickEvent') | where Timestamp > startofday(ago(7d)) | summarize count() by bin(Timestamp, 1m), MDTables | extend EPS = count_ / 60 | summarize avg(EPS), estimatedMBPerSec = avg(EPS) * bytes_ / (1024*1024) by MDTables, bin(Timestamp, 3h) | summarize avg_EPS = max(avg_EPS), estimatedMBPerSec = max(estimatedMBPerSec) by MDTables | sort by toint(estimatedMBPerSec) desc | project MDTables, avg_EPS, estimatedMBPerSec | as IndividualTableMetrics | union ( IndividualTableMetrics | summarize avg_EPS = sum(avg_EPS), estimatedMBPerSec = sum(estimatedMBPerSec) | extend MDTables = "Total" )
If the total avg_EPS > 1000, or estimateMBPerSec > 1, you may need to increase the throughput unit for your event hub. Configure the throughput unit so that it is able to handle the peak ingress. You may also choose to enable autoscaling of your event hub. If you choose this option, we recommend that you monitor the usage details and create alerts to ensure there are no unexpected costs.
Example Output
MDTables | avg_EPS | estimatedMBPerSec |
|---|---|---|
Total | 1400 | 0.4 |
For this event hub, a throughput unit of 2 is adequate to handle the peak ingress of 1400 EPS.