Integrating with Microsoft Defender for Endpoint

Microsoft Defender for Endpoint, formerly Microsoft Defender Advanced Threat Protection (ATP), is Microsoft's endpoint detection and response platform. It collects telemetry from enrolled devices, raises alerts on suspicious activity, and lets organizations define policies that protect users and block advanced threats. (Email attachment sandboxing is a feature of Defender for Office 365, not Defender for Endpoint.)

Note: The procedure on this page is the same as the procedure in Integrating with Defender for Identity. If you have completed that integration already, you do not need to repeat it.

Before you begin

To receive Microsoft Defender for Endpoint logs in Blumira, you must first integrate Azure Event Hubs with Blumira by completing the steps in Integrating with Microsoft Azure Event Hubs.

Next, gather the Event Hub Name and the Resource ID of the Azure event hub namespace that you created for Blumira, which are in your Azure Event Hubs Namespace page > Properties menu. 

Forwarding Microsoft Defender events to Blumira

To forward Microsoft Defender for Endpoint logs to your Blumira event hub, do the following:

  1. Log in to security.microsoft.com as a Global Admin.
  2. Navigate to Settings.
  3. Click Microsoft Defender XDR.
  4. Click Streaming API.
  5. Click Add.
  6. Type a name for your new settings.
  7. Click Forward events to Azure Event Hubs.
  8. Type your Blumira Event Hub Namespace Resource ID and Event Hub Name.
    Tip: Find your Namespace Resource ID within your Azure Event Hub Namespace configuration. Starting from the Settings > Properties menu, it is the first item in the “Essentials” section and is simply named “id.” It has the form /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.EventHub/namespaces/<namespace>. Paste the namespace's ID, not the ID of the individual event hub inside it (which ends in /eventhubs/<name>); the Event Hub Name field is where the hub's name goes.
  9. Under Event Types, select all of the available event type options.
  10. Click Save.
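The two values gathered in "Before you begin" and entered in step 8 are easy to get wrong: the portal shows a Resource ID for the namespace and a different one for each event hub under it, and the Streaming API form does not always reject the wrong one clearly. The following Python script is an added example, not part of Blumira's or Microsoft's documentation; it checks both inputs before you paste them into the form. The namespace name, resource group and subscription ID in the sample are constructed placeholders, and the event hub naming rules it applies are the ones documented for Azure Event Hubs (1 to 256 characters; letters, digits, periods, hyphens and underscores; must start and end with a letter or digit).

```python
import re

# Added example (not Blumira's or Microsoft's code): validate the Event Hubs
# namespace Resource ID and Event Hub Name required by the Streaming API form.

# Shape of a namespace Resource ID as shown under Settings > Properties > "id".
# Fixed segments are matched case-insensitively because Azure tooling emits
# "resourceGroups" / "resourcegroups" in either case.
_NAMESPACE_ID = re.compile(
    r"/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.EventHub"
    r"/namespaces/(?P<namespace>[^/]+)",
    re.IGNORECASE,
)

# Azure event hub naming rules (assumed from the Event Hubs documentation).
_EVENT_HUB_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]{0,254}[A-Za-z0-9])?")


def parse_namespace_resource_id(resource_id: str) -> dict:
    """Return subscription, resource_group and namespace from a namespace ID.

    Raises ValueError with a specific reason on bad input, including the
    common mistake of pasting an event hub's own ID (.../eventhubs/<name>)
    instead of the namespace's ID.
    """
    rid = resource_id.strip()
    match = _NAMESPACE_ID.fullmatch(rid)
    if match:
        return match.groupdict()
    if re.search(r"/namespaces/[^/]+/eventhubs/", rid, re.IGNORECASE):
        raise ValueError(
            "this is an event hub's Resource ID; the Streaming API needs the "
            "namespace's ID (remove the trailing /eventhubs/<name>)"
        )
    raise ValueError("not an Event Hubs namespace Resource ID")


def validate_event_hub_name(name: str) -> bool:
    """True when the name satisfies the Event Hubs naming rules above."""
    return _EVENT_HUB_NAME.fullmatch(name.strip()) is not None


def check_streaming_api_inputs(resource_id: str, event_hub_name: str) -> dict:
    """Validate both form fields together and return the parsed parts."""
    parts = parse_namespace_resource_id(resource_id)
    if not validate_event_hub_name(event_hub_name):
        raise ValueError(f"invalid event hub name: {event_hub_name!r}")
    parts["event_hub"] = event_hub_name.strip()
    return parts


def az_lookup_commands(resource_group: str, namespace: str) -> list:
    """az CLI equivalents of the portal lookup in "Before you begin":
    the first prints the namespace Resource ID, the second lists hub names."""
    return [
        f"az eventhubs namespace show --resource-group {resource_group} "
        f"--name {namespace} --query id -o tsv",
        f"az eventhubs eventhub list --resource-group {resource_group} "
        f"--namespace-name {namespace} --query \"[].name\" -o tsv",
    ]


if __name__ == "__main__":
    # Constructed sample values; substitute your own from the Azure portal.
    SAMPLE_ID = (
        "/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-blumira/providers/Microsoft.EventHub"
        "/namespaces/blumira-ns"
    )
    print(check_streaming_api_inputs(SAMPLE_ID, "blumira-hub"))
    for cmd in az_lookup_commands("rg-blumira", "blumira-ns"):
        print(cmd)
    try:
        parse_namespace_resource_id(SAMPLE_ID + "/eventhubs/blumira-hub")
    except ValueError as err:
        print("rejected:", err)
```

Run it once with the values you intend to paste; if `check_streaming_api_inputs` raises, fix the input before clicking Save rather than waiting for events that never arrive in Blumira.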