1. Sign in to Microsoft Azure portal with administrator permissions.
2. In the search field, search for and click Event Hubs.
3. Click + Create.
4. On the Create Namespace page, on the Basics tab, configure these settings:
   • Subscription — Select your Azure subscription.
   • Resource group — Select an existing resource group or create a new one.

     To create a new resource group, see Create a resource group.

   • Namespace name — Enter a unique and descriptive name for your Event Hubs namespace. This will form part of your host name, for example namespace_name.servicebus.windows.net.
   • Region — Select your Azure region.
   • Pricing tier — Select Standard or higher.
   • Throughput Units — Select 1.

     The throughput capacity of Event Hubs is controlled by throughput units and affects Event Hubs pricing. For more information, see Event Hubs pricing and Scaling with Event Hubs.

5. On the Create Namespace page, on the Networking tab, configure these settings:
   • Connectivity method — Select Public access.
6. Click Review + create, and then click Create.
   Deployment is in progress.
7. After deployment is complete, click Go to resource.
8. Copy the Host name field value in the format namespace_name.servicebus.windows.net, and then save it in a safe, encrypted location.

   You will provide this value to Arctic Wolf later.

1. Sign in to the Microsoft Azure portal with administrator permissions.
2. In the search field, search for and click Event Hubs.
3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
4. Click the Overview tab.
5. Click + Event Hub.
6. On the Create Event Hub page, on the Basics tab, configure these settings:
   • Name — Enter a unique and descriptive name for the Event Hub. For example, defender-xdr-events. This name must start and end with a letter or number and can only contain letters, numbers, periods, hyphens, and underscores.
   • Partition count — Enter 32 or the required number of partitions.

     For more information, see Features and terminology in Azure Event Hubs.

   • Cleanup policy — Select Delete.
   • Retention time (hrs) — Enter 168.
7. Click Review + create, and then click Create.
8. Copy the event hub name to a safe, encrypted location to provide to Arctic Wolf later.

In the rare event of a system outage that prevents the successful ingestion of logs, Arctic Wolf can implement a replay function that ingests logs from a specific time window. In order to prevent conflicts with the ongoing ingestion of new logs, you must create a second consumer group that can be used for the replay functionality.

1. Sign in to the Microsoft Azure portal with administrator permissions.
2. In the search field, search for and click Event Hubs.
3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
4. Click the Overview tab.
5. Click the event hub that you created in Create an event hub for Microsoft Defender XDR.
6. In the navigation menu, click Entities, and then click Consumer groups.
7. Click + Consumer group.
8. In the Create consumer group window, enter a unique and descriptive name for the replay group. For example, defender-xdr-replay. The name must start and end with a letter or number and can only contain letters, numbers, periods, hyphens, and underscores.
9. Click Create.
10. Copy the consumer group name to a safe, encrypted location to provide to Arctic Wolf later.

1. Sign in to one of these Microsoft Entra admin center URLs. If you have:
   • Microsoft 365 — https://entra.microsoft.com/
   • Microsoft 365 GCC — https://entra.microsoft.com/
   • Microsoft 365 GCC High — https://entra.microsoft.us/
2. Click Entra ID > App registrations.
3. Click + New registration.
4. Configure these settings:
   • Name — Enter a name for the application.
   • Supported account types — From the list, select Single tenant only - <your_organization_name>.
   • For all other fields, keep the default values.
5. Click Register.
   The page for the newly registered application opens.
6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
   You will provide them to Arctic Wolf later.
7. In the navigation menu, in the Manage section, click Certificates & secrets.
8. In the Client secrets section, click + New client secret, and then configure these settings:
   • Description — Enter a description for the client secret.
   • Expires — Select an expiration date for the client secret.
9. Click Add.
10. On the Client secrets tab, verify that your new client secret appears.
11. Copy the Value value to a safe, encrypted location.
    You will provide it to Arctic Wolf later.

    Note:

    • The Value value is only available immediately after creation. Do not exit the Certificates & Secrets page until the value is saved in a safe, encrypted location.
    • The Value value is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the credentials expire.

1. Sign in to the Microsoft Azure portal with administrator permissions.
2. In the search field, search for and click Event Hubs.
3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
4. Click the Overview tab.
5. Click the event hub that you created in Create an event hub for Microsoft Defender XDR.
6. In the navigation menu, click Access control (IAM).
7. Click + Add, and then click Add role assignment.
8. On the Role tab, select Azure Event Hubs Data Receiver.
9. Click Next.
10. On the Members tab, configure these settings:
    • Assign access to — Select User, group, or service principal.
    • Members — Click + Select members, search for and select the application that you created in Register the application, and then click Select.
11. Click Review + assign, and then review the settings.
12. Click Review + assign.

1. Sign in to the Microsoft Defender portal with administrator permissions.
2. In the navigation menu, click Settings > Microsoft Defender XDR > System > Settings > Streaming API.
3. Click + Add.
4. On the Add new Streaming API settings page, configure these settings:
   • Name — Enter a unique and descriptive name.
   • Forward events to Event Hub — Select the checkbox.
   • Event-Hub Resource ID — Enter the full resource ID of your Event Hub namespace. You can find this in the Azure portal in your Event Hubs namespace > Properties > Resource ID. For example, /subscriptions/subscription_id/resourceGroups/resource_group/providers/Microsoft.EventHub/namespaces/namespace_name.
   • Event-Hub name — Enter the namespace name from Create an Azure Event Hubs namespace without the .servicebus.windows.net suffix.
   • Event Types — Select all available event types.
5. Click Submit.

1. Sign in to the Arctic Wolf Unified Portal.
2. In the navigation menu, click Data Collection > Cloud Sensors.
3. Click Add Account +.
4. On the Add Account page, click Microsoft Defender XDR (Event Hubs).
5. Configure these settings:

   • Account Name — Enter a unique and descriptive name for the account.

   • Defender XDR Event Hubs Name — Enter the event hub name from Create an event hub for Microsoft Defender XDR.
   • Azure Event Hub Hostname — Enter the host name from Create an Azure Event Hubs namespace with the format namespace.servicebus.windows.net.
   • Azure Event Hub Resource Group — Enter the resource group name that you used in Create an Azure Event Hubs namespace.
   • Azure Subscription ID — Enter the Azure subscription ID that you used in Create an Azure Event Hubs namespace.
   • Replay Consumer Group Name — Enter the name of the replay consumer group that you created in Create a replay consumer group.
   • Application (client) ID — Enter the Application (client) ID from Register the application.
   • Directory (tenant) ID — Enter the Directory (tenant) ID from Register the application.
   • Client Secret Value — Enter the client secret value from Register the application.
   • Microsoft Cloud — Select global.

   • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

6. Click Test and submit credentials.