Integrating with Microsoft Defender for Identity

Overview

Blumira integrates with Defender for Identity (formerly Azure ATP) to receive alert notifications. Follow the instructions below to get your Defender for Identity logs forwarded to Blumira.

Note: The procedure on this page is the same as the procedure in Integrating with Defender for Endpoint. If you have completed that integration already, you do not need to repeat it.

Before you begin

To receive Microsoft Defender for Identity logs in Blumira, you must first integrate Azure Event Hubs with Blumira by completing the steps in Integrating with Microsoft Azure Event Hubs.

Next, gather the Event Hub Name and the Resource ID of the Azure event hub namespace that you created for Blumira. Both values are shown on the namespace's page in the Azure portal under Settings > Properties.

Forwarding events to Blumira

To forward Microsoft Defender for Identity logs to your Blumira event hub, do the following:

  1. Log in to security.microsoft.com as a Global Admin.
  2. Navigate to Settings.
  3. Click Microsoft Defender XDR.
  4. Click Streaming API.
  5. Click Add.
  6. Type a name for your new settings.
  7. Click Forward events to Azure Event Hubs.
  8. Type your Blumira Event Hub Namespace Resource ID and Event Hub Name.
    Tip: Find your Namespace Resource ID within your Azure Event Hub Namespace configuration. Starting from the Settings > Properties menu, it is the first item in the “Essentials” section and is simply named “id.”
  9. Under Event Types, select all of the available event type options.
  10. Click Save.

Note: Within 20 minutes, once the test message has been processed, the new data source ‘Azure ATP’ appears in Report Builder. Use this data source to query your Defender for Identity logs.
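Step 8 is where most misconfigurations happen: the event hub's own resource ID (which ends in /eventhubs/<name>) gets pasted in place of the namespace ID, or a full path is pasted as the Event Hub Name. The following sanity check is an added example, not Blumira's or Microsoft's code; the subscription, resource group and namespace values in it are constructed placeholders, and the validation rules are the documented Azure resource ID layout and event hub naming rule.

```python
import re
from typing import List, Optional

# Layout of an Event Hubs *namespace* resource ID, i.e. the "id" value shown in
# Essentials on the namespace's Properties page. An individual event hub has a
# longer ID ending in /eventhubs/<name>, which is not what the Streaming API
# form asks for.
NAMESPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<namespace>[^/]+)$",
    re.IGNORECASE,
)
# Azure event hub naming rule: 1-256 characters made of letters, digits,
# '.', '-' and '_', starting and ending with a letter or digit.
EVENT_HUB_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,254}[A-Za-z0-9])?$")


def parse_namespace_id(resource_id: str) -> Optional[dict]:
    """Return subscription / resource_group / namespace parts, or None if malformed."""
    m = NAMESPACE_ID_RE.match(resource_id.strip())
    return m.groupdict() if m else None


def check_streaming_target(resource_id: str, event_hub_name: str) -> List[str]:
    """Return a list of problems with the two step-8 values; empty means they look right."""
    problems = []
    rid = resource_id.strip()
    name = event_hub_name.strip()
    if parse_namespace_id(rid) is None:
        if "/eventhubs/" in rid.lower():
            problems.append("Resource ID is the event hub's ID; paste the namespace ID instead "
                            "(it ends with /namespaces/<name>)")
        else:
            problems.append("Resource ID is not an Event Hubs namespace ID "
                            "(/subscriptions/.../providers/Microsoft.EventHub/namespaces/<name>)")
    if "/" in name:
        problems.append("Event Hub Name must be the hub's short name, not a path or resource ID")
    elif not EVENT_HUB_NAME_RE.match(name):
        problems.append("Event Hub Name is not a valid Azure event hub name "
                        "(letters, digits, '.', '-', '_'; starts/ends with a letter or digit)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not a real subscription.
    ns_id = ("/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/blumira-rg"
             "/providers/Microsoft.EventHub/namespaces/blumira-ns")
    print(check_streaming_target(ns_id, "blumira-hub"))                      # []
    print(check_streaming_target(ns_id + "/eventhubs/blumira-hub", "blumira-hub"))
```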

Additional Reference