Defender for Endpoint via Event Hub

Add the Microsoft Defender via EventHub data connector.

In this guide, you will configure Microsoft Defender for Endpoint to send events and alerts to Radiant Security using an Event Hub. This setup requires establishing a trusted connection between your Microsoft tenant and Radiant.

At the end of this configuration, you will provide Radiant Security with these values:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret Value

  • Event Hub name

  • Event Hub namespace (URL)

Prerequisites

Register the application with Microsoft Entra ID

Note: You might already have an application configured for other Radiant integrations; it's okay to reuse it.

In this step, you’ll register a new application with Microsoft Entra ID.

  1. Log in to the Microsoft Azure Portal.

  2. From the left side menu, navigate to Microsoft Entra ID.

  3. From the left menu, navigate to App Registrations.

  4. Click + New Registration.

  5. Update the application Name to radiantsecurity-connector and leave all default settings unchanged.

  6. Click Register to save the changes.

  7. On the newly registered application page, copy the following values:

    • Application (client) ID

    • Directory (tenant) ID

  8. On the same page, click the link for Add a certificate or secret.

  9. In the Add a client window, click + New Client Secret.

  10. Set the client secret as:

    • Description: Radiant Security Connector

    • Expires: 12 months

  11. Click Add.

  12. The client secrets page will automatically open.

  13. Copy the Value (not the Secret ID field).

Create an Event Hub

  1. Log in to Azure Portal.

  2. Navigate to the Event Hubs service.

  3. Click Create.

  4. Select the subscription and resource group where the Event Hubs Namespace must be created.

  5. Enter a unique name for the Namespace.

  6. Select the region.

  7. Click Next.

  8. Choose Basic for the pricing tier.

  9. Leave the throughput units or processing units as default.

  10. Click Review.

  11. After the deployment is complete, click Go to resource.

  12. On the Overview page, copy the Host Name value, as it will be used in the next section.

  13. Click + Event Hub to create a new Event Hub in the newly created Namespace.

  14. Enter a name for your event hub, then click Review + Create.

  15. On the Event Hub page, go to Access Control (IAM) and click Add + → Add role assignment.

  16. Select the role Azure Event Hubs Data Receiver.

  17. Click Next and on Members, click + Select Members.

  18. Select the Azure Application created in the previous section and click Review + assign.

Configure Azure Streaming API on Microsoft Defender

  1. Log in to Microsoft Defender Portal.

  2. Navigate to Settings > Microsoft Defender XDR > Streaming API and select Forward events to Event Hub.

  3. Enter the Event Hub Resource ID and the Event Hub name obtained previously.

  4. Select all Event Types within the Device and Alerts & behaviors categories.

  5. Click Submit.

Add the connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search the list of connectors and select Microsoft Defender for Endpoint via Event Hub.

  4. Add the following values you saved from the previous steps:

    • Application (client) ID

    • Directory (tenant) ID

    • Client Secret Value

    • Event Hub name

    • Event Hub namespace URL

  5. Click Add Connector to save the connector configuration.
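
A pre-flight check for the five values listed above, as an added example that is not part of Radiant Security's or Microsoft's own material: it catches a Secret ID copied in place of the secret Value and a resource ID pasted where the Event Hub name belongs. The dictionary keys, function names and sample values are constructed for illustration, and the host suffix assumes the Azure public cloud.

```python
import uuid
from urllib.parse import urlsplit

# Assumption: Azure public cloud; sovereign clouds use other host suffixes.
NAMESPACE_SUFFIX = ".servicebus.windows.net"

# Constructed sample values, not real identifiers or secrets.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed~Secret.Value_0123456789",
    "event_hub": "defender-events",
    "namespace": "https://contoso-defender.servicebus.windows.net",
}

def is_guid(value):
    """True if value is a GUID in canonical 8-4-4-4-12 form."""
    value = value.strip().lower()
    try:
        return str(uuid.UUID(value)) == value
    except ValueError:
        return False

def namespace_host(value):
    """Reduce a pasted namespace URL or host name to the bare lowercase host."""
    value = value.strip()
    url = value if "://" in value else "//" + value
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed host part, e.g. an unbalanced "["
        return ""

def check_connector_values(v):
    """Return a list of problems; an empty list means nothing looks wrong."""
    problems = [f"{k}: not a GUID" for k in ("client_id", "tenant_id")
                if not is_guid(v.get(k, ""))]
    secret = v.get("client_secret", "")
    if not secret.strip():
        problems.append("client_secret: empty")
    elif is_guid(secret):  # the Secret ID is a GUID, the Value is not
        problems.append("client_secret: looks like the Secret ID, not the Value")
    host = namespace_host(v.get("namespace", ""))
    name = host[:-len(NAMESPACE_SUFFIX)] if host.endswith(NAMESPACE_SUFFIX) else ""
    if not name or "." in name:
        problems.append("namespace: expected <name>" + NAMESPACE_SUFFIX)
    hub = v.get("event_hub", "")
    if not hub or "/" in hub or hub != hub.strip():
        problems.append("event_hub: expected the hub name, not a resource ID")
    return problems
```

`check_connector_values(SAMPLE)` returns an empty list; each entry in a non-empty result names the field to re-copy from the Azure Portal.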
