Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fsecurity%2Fmicrosoft-defender.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fsecurity%2Fmicrosoft-defender.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

# Microsoft defender

Microsoft Defender → Coralogix Via Azure Event Hubs

## At a glance (architecture)[​](#at-a-glance-architecture "Direct link to At a glance (architecture)")

* Microsoft Defender (Defender for Cloud and/or Defender XDR / Endpoint)
* ➜ **Azure Event Hubs** (central streaming bus)
* ➜ **Azure Function (Event Hub trigger)** using Coralogix template
* ➜ **Coralogix** (logs/alerts analytics)

## Prerequisites[​](#prerequisites "Direct link to Prerequisites")

* Azure subscription with permission to:

  <!-- -->

  * Create & configure **Event Hubs** namespace/event hub
  * Configure **Defender** export (Defender for Cloud and/or Defender XDR)
  * Deploy **Azure Functions** from template

## Step 1 — Create Event Hubs namespace & event hub[​](#step-1--create-event-hubs-namespace--event-hub "Direct link to Step 1 — Create Event Hubs namespace & event hub")

1. In Azure Portal → **Event Hubs** → **+ Create** namespace.

   <!-- -->

   * Pricing tier: **Standard** (recommended)
   * Throughput units: start with **1** (scale later)
   * Networking: public or private as per policy

2. Inside the namespace → **+ Event Hub**

   * Name: `defender-stream`
   * Partitions: **2–4** (scale with volume)
   * Message retention: 1–7 days (align to recovery needs)

3. Create a **Shared access policy** with **Listen** rights (for the Function) and copy the connection string.

## Step 2 — Export from Defender for Cloud → Event Hubs[​](#step-2--export-from-defender-for-cloud--event-hubs "Direct link to Step 2 — Export from Defender for Cloud → Event Hubs")

Use **Continuous export** to stream alerts and recommendations.

1. Azure Portal → **Defender for Cloud** → *Environment settings* → choose subscription.

[![Coralogix CSP](/assets/images/microsoft-defender-coralogix-csp-0c9ccc892408d07d29d98ad2a681edbf.webp)](https://docs-docusaurus.kinsta.page/assets/images/microsoft-defender-coralogix-csp-0c9ccc892408d07d29d98ad2a681edbf.webp)

[![Continuous export event hub](/assets/images/microsoft-defender-event-hub-337da0c6cda2e73f2d5726c76c9e8dc7.webp)](https://docs-docusaurus.kinsta.page/assets/images/microsoft-defender-event-hub-337da0c6cda2e73f2d5726c76c9e8dc7.webp)

**Continuous export** → **+ Add export**

1. **Export target**: **Azure Event Hubs**
2. **Data types**: select **Security alerts** and/or **Security recommendations** (add resource state changes if needed)
3. **Event Hub**: choose your namespace and the `defender-stream` hub
4. Save.

**Resulting payloads**: JSON per alert/recommendation with keys such as `alertId`, `severity`, `resourceId`, `description`, `compromisedEntity`, `tactics`, `firstSeen`, `lastSeen`.

## Step 3 — Deploy the Coralogix Azure Function (Event Hub → Coralogix)[​](#step-3--deploy-the-coralogix-azure-function-event-hub--coralogix "Direct link to Step 3 — Deploy the Coralogix Azure Function (Event Hub → Coralogix)")

We’ll use Coralogix’s ARM template to create a Function App that triggers on your Event Hub and forwards events to Coralogix.

1. Open the Coralogix **Azure Functions** deployment link (ARM template).

Learn more about Coralogix ARM in our [documentation](https://docs-docusaurus.kinsta.page/integrations/azure/azure-resource-manager-integration-packages/.md).

1. Fill parameters:

   <!-- -->

   * **EventHub connection string** (with `Endpoint=...;EntityPath=defender-stream` or supply hub name separately if template asks)
   * **Consumer group**: `$Default` or a dedicated `coralogix-cg`
   * **CORALOGIX\_PRIVATE\_KEY**: from Coralogix UI → Data Ingestion
   * **CORALOGIX\_REGION**: e.g., `EU1`, `AP1`, `US1` (exact value per account)
   * **APPLICATION\_NAME**: e.g., `microsoft-defender`
   * **SUBSYSTEM**: e.g., `alerts` or `xdr-events`
   * (optional) **COMPANY\_ID** if required by your region

2. **Plan**: Consumption or Premium (P1 for high throughput). Enable **Always On** if using Premium.

3. **Networking**: if Event Hub is private, integrate the Function with the VNet and grant access.

4. Deploy. Confirm the Function is bound to the Event Hub trigger.

## Step 4 — Validate ingestion in Coralogix[​](#step-4--validate-ingestion-in-coralogix "Direct link to Step 4 — Validate ingestion in Coralogix")

* In Coralogix → **Logs** → filter by `application:microsoft-defender`.
* You should see JSON logs arriving within a minute of new alerts/events.
* Example search (Lucene):
  <!-- -->
  * `severity:High AND (tactics:CredentialAccess OR tactics:DefenseEvasion)`
