Defender for Cloud is sending empty messages to Event Hub

Question

Defender for Cloud is sending empty messages to Event Hub

Yasen Trichkov 0

Hello guys,

We are encountering an unusual issue while configuring Microsoft Defender for Cloud to export its security events to an Azure Event Hub, which we then forward to our SIEM solution for further analysis. We have enabled the Continuous Export feature to facilitate this process. However, despite the configuration appearing correct, when we inspect the logs within the designated Event Hub and its associated Azure Storage account, we find them to be completely empty. There are no incoming events, which suggests that something might be preventing the export from functioning correctly. Could we be missing a critical configuration step or permission setting that is blocking the data flow?

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-21T17:16:43.7333333+00:00

Hi @Yasen Trichkov

Verify that the correct Event Hub namespace and Event Hub name are configured in the Defender for Cloud continuous export settings. Ensure that the Event Hub is properly created and not constrained by limitations, such as insufficient throughput units, which could prevent event ingestion. Additionally, check the Event Hub's shared access policy (SAS) to confirm it includes the necessary send permissions, allowing Defender for Cloud to successfully export events to the Event Hub.

Double-check the Continuous Export settings in Defender for Cloud to ensure that the appropriate event categories, such as Security Alerts and Recommendations, are selected for export. Confirm that the correct Event Hub is chosen as the export destination and verify that the export scope is accurately defined, whether for the entire subscription or specific resources. This will ensure that the correct events are being sent to the intended Event Hub.

Ensure that Defender for Cloud has the necessary permissions to send data to Event Hub, such as the Contributor role or specific permissions on the Event Hub resource. The Event Hub must also have the appropriate access policies, like the Azure Event Hubs Data Sender role, to allow Defender for Cloud to send events. Check for any network restrictions, such as firewalls or virtual networks, that might be blocking communication between Defender for Cloud and Event Hub

Ensure that the SIEM solution is properly configured to receive events from Event Hub, as some SIEMs may require specific configurations or custom parsers to interpret incoming Event Hub messages correctly.Check for any delays or misconfigurations in how the SIEM processes and receives the events from Event Hub. This will help ensure that the data is correctly ingested and analyzed by the SIEM.

Enable diagnostic logging for Defender for Cloud to capture any potential issues with the export process. Enable monitoring for your Event Hub using Azure Monitor to verify whether events are being ingested into the Event Hub, or if the data is not being exported at all. This will help identify where the issue lies in the event flow.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-24T18:52:16.3266667+00:00

@Yasen Trichkov
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-24T18:52:16.3266667+00:00

@Yasen Trichkov
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Yasen Trichkov 0

Hello,

Thank you for the provided information!

I'm attaching the configuration of the Continious Export. Screenshot 2025-03-25 at 11.54.03

Screenshot 2025-03-25 at 11.53.53

I don't know why but I'm not sure whether Defender for Cloud is generating events at all. Is there a way to browse and view those events in order to confirm that anything to export exists?

Could you guide me which permission to check both sides? Just to mention - we are exporting logs from Monitor and Entra ID again to Event Hubs and there everything works fine without additional permissions.

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-25T20:42:44.28+00:00
@Yasen Trichkov

Since you've already configured continuous export settings in Microsoft Defender for Cloud to send security alerts and recommendations to Azure Event Hubs, and you're observing empty messages, it's essential to verify both the generation of events and the proper configuration of permissions.

Check Security Alerts and Recommendations:

In the Azure portal, navigate to Microsoft Defender for Cloud.

Under Overview, review the Security alerts and Recommendations sections to confirm the presence of any active alerts or recommendations.

Ensure that diagnostic settings are configured to send logs to a Event Hub. This setup allows for monitoring and analyzing security data.

Verify that the Event Hub's Shared Access Policies include the necessary permissions to allow Defender for Cloud to send data.
Defender for Cloud requires appropriate role permissions to send data to Event Hubs. Ensure it has at least the Contributor or Azure Event Hubs Data Sender role assigned on the Event Hub. Additionally, verify that the Event Hub’s access policy permits external services to send events.

If your Event Hub is secured behind a firewall, ensure it's configured to accept data from trusted services, including Defender for Cloud.

Given that services like Azure Monitor and Entra ID are successfully exporting logs to Event Hubs without additional permissions, it's crucial to ensure that Defender for Cloud has similar configurations. Verify that the necessary roles and permissions are assigned as outlined above.

Please refer the below Microsoft docs
https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export
https://learn.microsoft.com/en-us/azure/defender-for-cloud/review-security-recommendations
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts

I hope this information helps. Please do let us know if you have any further queries.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-26T17:30:38.4166667+00:00

@Yasen Trichkov
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Yasen Trichkov 0 Reputation points

2025-03-28T15:11:54.66+00:00

Hello,

Thank you for your replay!

I'm attaching how the events look like in Defender for Cloud screen:

I'm able to see several events there.

Following I'm attaching the SAS Policy for the Event Namespace:

You can see attached the Roles assigned to the Event namespace which are inherited by all of the Event Hubs:

Do you have any other ideas what might be the reason?
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-28T22:02:21.49+00:00

@Yasen Trichkov

Regenerate the primary or secondary key for the Event Hub’s Shared Access Policy (hub-03-sas-policy) and update the continuous export settings in Defender for Cloud with the new key. Ensure the correct policy is selected to allow Defender for Cloud to send events.

Use Azure Monitor to check the "Incoming Messages" metric for the Event Hub (fib-az-euw-eh-hub-03). If no messages are being received, the issue lies with Defender for Cloud’s export process. Enable diagnostic logs for both Defender for Cloud and the Event Hub to identify any errors.

Identify the exact identity Defender for Cloud uses for continuous export (via activity logs) and ensure it has the “Azure Event Hubs Data Sender” role on the Event Hub. If unsure, explicitly assign this role to the Windows Azure Security R... service principal at the Event Hub level.

Check the Event Hub namespace’s networking settings for firewall or VNet rules that might block Defender for Cloud. Ensure the "Allow trusted Microsoft services to bypass this firewall" option is enabled, as the export is configured to use a trusted service.

Confirm that the continuous export scope includes the subscription (fib-az-01-hub) and resources generating the events (e.g., those with the 32 security alerts). Ensure all relevant event categories (security alerts, recommendations, etc.) are selected for export.

Verify that the SIEM is reading from the correct consumer group (e.g., $Default) on the Event Hub. Test by manually sending a test event to the Event Hub and checking if the SIEM picks it up, to rule out ingestion issues on the SIEM side.

These steps should help identify whether the issue lies in the export configuration, permissions, network settings, or SIEM ingestion process.

I hope this information helps. Please do let us know if you have any further queries.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-31T00:49:31.21+00:00

@Yasen Trichkov
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Yasen Trichkov 0 Reputation points

2025-04-01T06:33:17.6+00:00

Hello,

I've regenerated the primary and secondary keys. However it is strange that policy choice in Continious Export configuration is greyed out:

I tried using Azure Monitor to gather if incoming messages are presented but cannot choose fib-az-euw-eh-hub-03 since it is not in the list for some reason.

I've enabled diagnostic logs for the whole event namespace and they are being send to Log Analytics. Could you guide me how to do that for Defender for Cloud as well because I cannot find the option?

All of the events are chosen under Continious Export configuration just in case to not miss one, so everything is in scope.

We have Public access disabled on Event Namespaces but "Allow trusted Microsoft services to bypass this firewall" is enabled as well as private endpoint is configured:
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-04-01T08:44:54.1233333+00:00

@Yasen Trichkov

We are likely missing a networking or connectivity issue related to the private endpoint configuration (fib-az-euw-eh-pep-01) and Defender for Cloud’s trusted service export mechanism.
Specifically, Defender for Cloud might not be routing its traffic through the private endpoint, and the Event Hub namespace’s strict networking rules (public access disabled) might be blocking Defender for Cloud’s traffic.
You should verify the subnet configuration for the private endpoint (checking for NSG rules, UDRs, or firewall rules) and test whether temporarily enabling public access on the Event Hub namespace allows events to flow.

I hope this information helps. Please do let us know if you have any further queries.
Yasen Trichkov 0 Reputation points

2025-04-01T11:22:06.87+00:00

Hello,

I've allowed public access to the whole event namespace. Successfully can generate test event which is recored in the container part of the storage account but still that is not being received by the SIEM. I think there are two issues - one that Defender for Cloud is not exporting events to the event hub->container and two SIEM cannot gather them from there (even test events). For the second one we will work with support of the SIEM vendor.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-04-02T03:29:40.1233333+00:00

@Yasen Trichkov

The private endpoint is a likely culprit because Defender for Cloud’s trusted service export might not be routing traffic correctly through the private endpoint, even with public access enabled. Temporarily disabling the private endpoint will confirm if this is the issue. This step addresses a common networking issue that the has not yet tried.

While the Azure Event Hubs Data Sender role is inherited, explicitly assigning it at the Event Hub level ensures there are no inheritance-related issues (e.g., deny assignments or resource-level restrictions).

If these steps do not resolve your problem, I will reach out to the internal team to find the best possible solution. Thank you for your patience while we resolve this issue.

Share via

Defender for Cloud is sending empty messages to Event Hub

1 answer

Your answer