Streaming Microsoft Defender XDR (MDE + MDO) Alerts to Internal Environment

C Alatis 0 Reputation points
2026-03-24T11:12:11.5633333+00:00

Hello community,

I am currently designing a solution to stream security alerts from Microsoft Defender XDR, specifically:

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Office 365 (MDO)

My goal is to deliver alerts and relevant security events into my internal environment in real-time for further processing and integration with internal systems.

The question is, what is the recommended approach to export MDE and MDO alerts/events into an internal environment? I would like to avoid Event Hub or components that increase the cost. I only need to transfer alerts from MDO and MDE into my internal environment.

During my investigation I found a lot of possible solutions, but I am not sure which is best for my case and which is the cheapest. Some of the solutions are listed below, but there are more:

  1. Defender XDR --> Streaming API --> Event Hub --> Collector Service (internal environment)
  2. Defender XDR --> Streaming API --> Azure Storage Queue --> Azure BLOB Storage --> Event Grid --> Collector Service (internal environment)
  3. Defender XDR --> Logic App / Azure Function --> Azure Storage Queue --> Collector Service (internal environment)

Requirements

  • Real-time delivery of security alerts and events
  • Coverage of both endpoint and email-related detections
  • Secure integration with our internal (on-premises) environment
  • Outbound-only connectivity from our internal network (no inbound exposure)
  • Ability to process and optionally store events for later analysis

Thank you!

Microsoft Security | Microsoft Defender | Microsoft Defender for Office 365
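The options in the question all push alerts out of Azure through an intermediate service. An alternative that satisfies the outbound-only requirement without an Event Hub is to pull alerts from the Microsoft Graph Security API (GET /security/alerts_v2, the unified Defender XDR alert feed) from a collector inside the internal network, filtering on serviceSource for MDE and MDO and keeping a watermark on lastUpdateDateTime. This is polling, so it is near-real-time (one poll interval of latency) rather than push; the Streaming API remains the documented push path. The following is an added example written for this page, not code from the question's author or from Microsoft. Assumptions not in the original post: the caller already holds a bearer token with the SecurityAlert.Read.All application permission, and the sample alert pages are constructed here so the code runs offline.

```python
"""Pull-based collection of Defender XDR alerts (MDE + MDO) from Microsoft Graph.

Added example, not code from the original question. It polls
GET https://graph.microsoft.com/v1.0/security/alerts_v2 from inside the
internal network, so only outbound HTTPS is required and no Event Hub is
involved. Assumption: the caller supplies a valid bearer token; token
acquisition (client credentials flow) is outside this example.
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts_v2"
# Only these Defender XDR service sources are forwarded; others (e.g. MDI) are dropped.
WANTED_SOURCES = {"microsoftDefenderForEndpoint", "microsoftDefenderForOffice365"}
# Each poll re-reads this much history so an alert updated while a page was in
# flight is not missed; duplicates are removed by (id, lastUpdateDateTime).
OVERLAP = timedelta(minutes=5)

Fetcher = Callable[[str], dict]  # url -> parsed JSON body


def parse_graph_ts(value: str) -> datetime:
    """Parse Graph timestamps such as 2026-03-24T11:12:11.5633333Z (up to 7 fraction digits)."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base, frac = m.groups()
    micros = int((frac or "")[:6].ljust(6, "0"))  # truncate to microseconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def first_page_url(since: datetime) -> str:
    """Build the first request: OData filter on lastUpdateDateTime with the overlap applied."""
    start = (since - OVERLAP).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode(
        {"$filter": f"lastUpdateDateTime ge {start}", "$top": "100"})
    return f"{GRAPH_ALERTS}?{query}"


def graph_fetcher(access_token: str) -> Fetcher:
    """Real fetcher: outbound HTTPS only. The token is assumed to be obtained elsewhere."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}",
                          "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def collect_alerts(fetch: Fetcher, since: datetime,
                   seen: Set[Tuple[str, str]]) -> Tuple[List[Dict], datetime]:
    """Walk every page via @odata.nextLink; return new MDE/MDO alerts and the next watermark."""
    url = first_page_url(since)
    fresh: List[Dict] = []
    watermark = since
    while url:
        page = fetch(url)
        for alert in page.get("value", []):
            if alert.get("serviceSource") not in WANTED_SOURCES:
                continue
            key = (alert["id"], alert["lastUpdateDateTime"])
            if key in seen:
                continue  # already delivered by an earlier, overlapping poll
            seen.add(key)
            fresh.append(alert)
            watermark = max(watermark, parse_graph_ts(alert["lastUpdateDateTime"]))
        url = page.get("@odata.nextLink")  # absent on the last page
    return fresh, watermark


# ---- constructed sample pages so the example runs offline (not real tenant data) ----
_PAGE2_URL = GRAPH_ALERTS + "?$skiptoken=constructed"
_PAGE1 = {
    "value": [
        {"id": "da123", "title": "Suspicious PowerShell command line", "severity": "medium",
         "serviceSource": "microsoftDefenderForEndpoint",
         "lastUpdateDateTime": "2026-03-24T11:12:11.5633333Z"},
        {"id": "db456", "title": "Phish delivered due to an ETR override", "severity": "high",
         "serviceSource": "microsoftDefenderForOffice365",
         "lastUpdateDateTime": "2026-03-24T11:15:00Z"},
        {"id": "dc789", "title": "Suspected Kerberoasting", "severity": "high",
         "serviceSource": "microsoftDefenderForIdentity",  # not MDE/MDO -> filtered out
         "lastUpdateDateTime": "2026-03-24T11:16:00Z"},
    ],
    "@odata.nextLink": _PAGE2_URL,
}
_PAGE2 = {"value": [dict(_PAGE1["value"][0])]}  # MDE alert repeated -> deduplicated


def sample_fetcher(url: str) -> dict:
    """Offline stand-in for graph_fetcher() serving the constructed pages above."""
    return _PAGE2 if url == _PAGE2_URL else _PAGE1


if __name__ == "__main__":
    seen: Set[Tuple[str, str]] = set()
    alerts, wm = collect_alerts(sample_fetcher, parse_graph_ts("2026-03-24T11:00:00Z"), seen)
    for a in alerts:  # NDJSON hand-off to the internal collector / queue
        print(json.dumps(a, sort_keys=True))
    print("next watermark:", wm.isoformat())
```

Run it on a schedule (every minute or so) and persist the watermark and the `seen` set between runs; the overlap window plus deduplication by (id, lastUpdateDateTime) means an alert whose status changes is delivered again, which is usually what an internal case-management system wants. Swap `sample_fetcher` for `graph_fetcher(token)` in production.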