# Defender for Endpoint via Event Hub

In this guide, you will configure Microsoft Defender for Endpoint to send events and alerts to Radiant Security using an Event Hub. This setup requires establishing a trusted connection between your Microsoft tenant and Radiant.

At the end of this configuration, you will provide Radiant Security with these values:

* **Application (client) ID**
* **Directory (tenant) ID**
* **Client Secret Value**
* **Event Hub name**
* **Event Hub namespace (URL)**

### Prerequisites

* [ ] Admin access in your Azure Tenant

### Register the application with Microsoft Entra ID

{% hint style="info" %}
**Note:** You might already have an application configured for other Radiant integrations; it’s okay to reuse it.
{% endhint %}

In this step, you’ll register a new application with **Microsoft Entra ID**.

1. Log in to the [Microsoft Azure Portal](https://portal.azure.com/#home).
2. From the left side menu, navigate to **Microsoft Entra ID.**
3. From the left menu, navigate to **App Registrations.**
4. Click **+ New Registration.**

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fteg5nOQNkJNFzWFYBXFU%2FDefender_for_Endpoint_via_Event_Hub_01.webp?alt=media&#x26;token=9d658a9e-5dde-4b8d-88bb-282004d1b432" alt=""><figcaption></figcaption></figure>

5. Update the application **Name** to `radiantsecurity-connector` and leave all default settings unchanged.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FFCJUEBwnGOeBypORWxgK%2FDefender_for_Endpoint_via_Event_Hub_02.webp?alt=media&#x26;token=8338aef0-01d6-4e01-a886-02017fdbd3c1" alt="" width="375"><figcaption></figcaption></figure></div>

6. Click **Register** to save the changes.
7. On the newly registered application page, copy the following values:
   * **Application (client) ID**
   * **Directory (tenant) ID**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fk42cmmdBy3RCoeTLYAJj%2FDefender_for_Endpoint_via_Event_Hub_03.webp?alt=media&#x26;token=9b688041-257c-4fac-b459-948d8fce6e3f" alt="" width="375"><figcaption></figcaption></figure></div>

8. On the same page, click the link for **Add a certificate or secret.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FKosTB0EVHs1Q0tdx3o1c%2FDefender_for_Endpoint_via_Event_Hub_04.webp?alt=media&#x26;token=3fae3d06-5d61-4ed8-a354-30a96f5b89a2" alt="" width="368"><figcaption></figcaption></figure></div>

9. In the **Add a client** window, click **+ New Client Secret.**
10. Set the client secret as:
    * **Description**: `Radiant Security Connector`
    * **Expires**: `12 months`

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FfWXuWUbiRMQ5afmXjg9p%2FDefender_for_Endpoint_via_Event_Hub_05.webp?alt=media&#x26;token=1ec610cb-7404-40ec-a61f-b45a1aa773c0" alt="" width="375"><figcaption></figcaption></figure></div>

11. Click **Add.**
12. The client secrets page will automatically open.
13. Copy the **Value** (not the **Secret ID** field).

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F3rpJmJJMmIVap5Q0jKq6%2FDefender_for_Endpoint_via_Event_Hub_06.webp?alt=media&#x26;token=93185850-5366-4f97-9710-b9b52b7765e3" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
**Important note:** Ensure you copy the **Client secret** value now as you won't be able to look it up again later. You will need to provide it to Radiant Security at the end of the configuration.
{% endhint %}

### Create an Event Hub

1. Log in to **Azure Portal.**
2. Navigate to the **Event Hubs** service.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FT0INkneR3bvtn74gRCBY%2FDefender_for_Endpoint_via_Event_Hub_07.webp?alt=media&#x26;token=a311e0c0-1e79-4518-9837-967388e5431e" alt="" width="375"><figcaption></figcaption></figure></div>

3. Click **Create.**
4. Select the subscription and resource group where the **Event Hubs Namespace** must be created.
5. Enter a unique name for the **Namespace.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FqRhTFERnQsG8256Tf1Hu%2FDefender_for_Endpoint_via_Event_Hub_08.webp?alt=media&#x26;token=a34be64f-90a3-4a32-9de8-22c79f6e1ed3" alt="" width="375"><figcaption></figcaption></figure></div>

6. Select the **region.**
7. Click **Next.**
8. Choose **Basic** for the pricing tier.
9. Leave the **throughput units** or **processing units** as default.
10. Click **Review**
11. After the deployment is complete, click on **Go to resource.**
12. On the **Overview** page, copy the **Host Name** value, as it will be used in the next section.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FNdrjRnT5QZ5PyJV3mYQW%2FDefender_for_Endpoint_via_Event_Hub_09.webp?alt=media&#x26;token=71025e41-0930-493b-a93e-70b8cd3f02d7" alt="" width="351"><figcaption></figcaption></figure></div>

13. Click on **+ Event Hub** to create a new Event Hub on the newly created **Namespace.**
14. Enter a name for your event hub, then click **Review + Create.**
15. On the Event Hub page, go to **Access Control (IAM)** and click **Add + → Add role assignment.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FpNDmo0SHs6zjDRUwovLu%2FDefender_for_Endpoint_via_Event_Hub_10.webp?alt=media&#x26;token=666c6f55-0cd9-4b2c-90dc-375002bebb44" alt="" width="375"><figcaption></figcaption></figure></div>

16. Select the role **Azure Event Hubs Data Receiver.**
17. Click **Next** and on **Members**, click **+ Select Members.**
18. Select the Azure Application created in the previous section and click **Review + assign.**

### Configure Azure Streaming API on Microsoft Defender

1. Log in to **Microsoft Defender Portal.**
2. Navigate to **Settings > Microsoft Defender XDR > Streaming API** and select **Forward events to Event Hub.**
3. Enter the **Event Hub Resource ID** and the **Event Hub** name obtained previously.
4. Select all **Event Types** within the **Device** and **Alerts & behaviors** categories.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FOaYiAsjcYwitp5XnbWGG%2FDefender_for_Endpoint_via_Event_Hub_11.webp?alt=media&#x26;token=89888628-f50d-4008-8c92-a4cd5c84574d" alt="" width="323"><figcaption></figcaption></figure></div>

5. Click **Submit.**

### Add the connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. From the list of connectors, search for and select **Microsoft Defender for Endpoint via Event Hub**.
4. Add the following values you saved from the previous steps:
   * Application (client) ID
   * Directory (tenant) ID
   * Client Secret Value
   * Event Hub name
   * Event Hub namespace URL
5. Click **Add Connector** to save the connector configuration.
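
A pre-flight check for the five values listed above, as an added example (not Radiant's or Microsoft's code): it flags the Secret ID being pasted in place of the secret **Value** and a namespace that is not a host name. It assumes the Azure public cloud suffix `.servicebus.windows.net`; the function names and sample values are constructed for illustration.

```python
import re
import uuid

# Assumption: Azure public cloud, where namespace host names end in this suffix.
NAMESPACE_SUFFIX = ".servicebus.windows.net"

# Constructed sample values, not real credentials.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-sample-secret-value",
    "hub_name": "defender-events",
    "namespace": "contoso-radiant.servicebus.windows.net",
}

def is_guid(value):
    """True if value is a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def check_connector_values(client_id, tenant_id, client_secret, hub_name, namespace):
    """Return a list of problems; an empty list means the values look plausible."""
    problems = []
    if not is_guid(client_id):
        problems.append("Application (client) ID is not a GUID")
    if not is_guid(tenant_id):
        problems.append("Directory (tenant) ID is not a GUID")
    if not client_secret.strip():
        problems.append("Client Secret Value is empty")
    elif is_guid(client_secret.strip()):
        # The Secret ID column holds a GUID; the Value column does not.
        problems.append("Client Secret Value looks like the Secret ID")
    # Accept the host name with or without a scheme such as sb:// or https://.
    host = re.sub(r"^[a-z]+://", "", namespace.strip().lower()).rstrip("/")
    label = host[: -len(NAMESPACE_SUFFIX)] if host.endswith(NAMESPACE_SUFFIX) else ""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", label):
        problems.append("Event Hub namespace is not <name>" + NAMESPACE_SUFFIX)
    if not hub_name.strip():
        problems.append("Event Hub name is empty")
    elif NAMESPACE_SUFFIX in hub_name.lower():
        problems.append("Event Hub name holds the namespace host, not the hub name")
    return problems

if __name__ == "__main__":
    for problem in check_connector_values(**SAMPLE) or ["no problems found"]:
        print(problem)
```
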


