This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 35%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E1%3C/text%3E%3C/svg%3E)
we have followed the docs to collect data from Microsoft Azure Event Hub, for Microsoft Defender integration on elastic stack. for some reason we're not receiving the data?
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Hi 12980401,
I appreciate the challenge in getting Azure Event Hub working with 3rd party collection tools like Elastic Stack.
A common thing to forget is to point your data at the event hub.
The documentation often explains how to configure the event hub but it may forget to mention that you need to point one or more data sources at the event hub.
Here's a link that shows how to validate you have data in your event hub.
If this is working then your issue is more likely with the event hub connector so please reply back with more details if that is the case.
https://learn.microsoft.com/en-us/azure/event-hubs/process-data-azure-stream-analytics
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Hi, we're still not getting the logs, we're trying to collect logs using defender APi and not from azure event hub
Thank you for your post and I apologize for the delayed response!
When looking more into your issue, I understand that you're having troubles collecting data from Microsoft Azure Event Hub after integrating it with Microsoft Defender. Please keep in mind that after integration, the data collection could take some time (~1hr) and if you're still having issues after waiting, you should be able to verify that the events are being exported to the Event Hubs by running the Advanced Hunting query below.
Select Hunting > Advanced Hunting > Query and enter the following query:
//This query will show you how many emails were received in the last hour joined across all the other tables.
EmailEvents
|join kind=fullouter EmailAttachmentInfo on NetworkMessageId
|join kind=fullouter EmailUrlInfo on NetworkMessageId
|join kind=fullouter EmailPostDeliveryEvents on NetworkMessageId
|where Timestamp > ago(1h)
|count
For more info: Verify that the events are being exported to the Event Hubs
Additional Links:
I hope this helps!
If you're still having issues and would like to work closely with our support team, please let me know.
Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.