AQUILA - Microsoft Defender for Endpoint

Overview 

 This guide walks through the full process of integrating Microsoft Defender for Endpoint (MDE) to centralize security telemetry, enrich alerts, and enable unified threat hunting across your environment. 

 This integration is for  Microsoft Defender for Endpoint  logs. 

 Microsoft Defender for Endpoint integration collects data for Alert, Machine, Machine Action, and Vulnerability logs using REST API. 

 This integration collects the following logs: 

 

 Alert   - Retrieves alerts generated by Microsoft Defender for Endpoint. 

 Machine  - Retrieves machines that have communicated with Microsoft Defender for Endpoint. 

 Machine Action  - Retrieves logs of actions carried out on machines. 

 Vulnerability - Retrieves logs of Vulnerability. 

 

 Prerequisites 

 Before you begin, ensure the following are in place: 

 

 

 An active Microsoft Defender for Endpoint license (Plan 1 or Plan 2, or Microsoft 365 Defender) 

 

 

 Access to the Microsoft Entra ID (formerly Azure AD) portal to register an application 

 

 

 Permissions to grant API permissions within your tenant (typically a Global Administrator or Security Administrator role) 

 

 

 Azure App Registration 

 This integration authenticates to the MDE API using OAuth 2.0 client credentials. You need to register an application in Microsoft Entra ID and grant it the appropriate API permissions. 

 Step 1: Register a New Application 

 

 Navigate to portal.azure.com and sign in with an account that has sufficient privileges. 

 Go to Microsoft Entra ID > App registrations > New registration . 

 Provide a descriptive name. 

 Under Supported account types, select Accounts in this organizational directory only (Single tenant). 

 Leave the Redirect URI blank. Click Register. 

 Copy and save the Application (client) ID and Directory (tenant) ID from the overview page. You will need these later. 

 

 Step 2 : Create a Client Secret 

 

 

 In your newly created app registration, navigate to Certificates & secrets > Client secrets > New client secret . 

 

 

 Add a description and choose an expiry period appropriate for your organization. 

 

 

 Click Add, then immediately copy the secret Value . This is the only time it is shown in full. 

 

 

 Step 3:  

 

 

 In the app registration, go to API permissions > Add a permission . 

 

 

 Select APIs my organization uses, then search for and select WindowsDefenderATP. 

 

 

 Choose Application permissions and grant the following minimum required scopes: 

 

 

 

 

 

 

 

 Permission 

 

 

 Purpose 

 

 

 

 

 

 

 Alert.Read.All 

 

 

 Read all MDE alerts and incidents 

 

 

 

 

 Machine.Read.All 

 

 

 Read device inventory and health state 

 

 

 

 

 Vulnerability.Read.All 

 

 

 Read vulnerability and software inventory 

 

 

 

 

 AdvancedQuery.Read.All 

 

 

 Execute advanced hunting queries (optional) 

 

 

 

 

 

 Step 4:  

 

 

 Click Add permissions, then click Grant admin consent for [Your Tenant]. Confirm when prompted. 

 

 

 Verify the Status column shows Granted for [tenant] for all added permissions. 

 

 

 

 

 

 Please saved and provide this values: 

 

 Directory (tenant) ID 

 Application (client) ID 

 

 Client Secret Value 

 

 

 

 

 If you need further assistance, kindly contact our support at   support@cytechint.com  for prompt assistance and guidance.