AQUILA - Microsoft Defender for Endpoint

Overview

This guide walks through the full process of integrating Microsoft Defender for Endpoint (MDE) with the Elastic Stack to centralize security telemetry, enrich alerts, and enable unified threat hunting across your environment.

TheThis integration worksis byfor streamingMicrosoft MDEDefender alerts,for events,Endpoint andlogs.

device data into Elasticsearch using the Elastic Agent's

Microsoft Defender for Endpoint integration package. Oncecollects data isfor flowing,Alert, youMachine, canMachine build dashboards, detection rules,Action, and correlationVulnerability querieslogs using ElasticREST Security'sAPI.

built-in

This tooling.integration collects the following logs:

• Alert - Retrieves alerts generated by Microsoft Defender for Endpoint.
• Machine - Retrieves machines that have communicated with Microsoft Defender for Endpoint.
• Machine Action - Retrieves logs of actions carried out on machines.
• Vulnerability - Retrieves logs of Vulnerability.

Prerequisites

Before you begin, ensure the following are in place:

• An active Microsoft Defender for Endpoint license (Plan 1 or Plan 2, or Microsoft 365 Defender)

• Access to the Microsoft Entra ID (formerly Azure AD) portal to register an application

• Permissions to grant API permissions within your tenant (typically a Global Administrator or Security Administrator role)

Azure App Registration

TheThis Elastic Agentintegration authenticates to the MDE API using OAuth 2.0 client credentials. You need to register an application in Microsoft Entra ID and grant it the appropriate API permissions.

Step 1: Register a New Application

• Navigate to portal.azure.com and sign in with an account that has sufficient privileges.
• Go to Microsoft Entra ID > App registrations > New registration.registration.
• Provide a descriptive name such as elastic-mde-integration.name.
• Under Supported account types, select Accounts in this organizational directory only (Single tenant).
• Leave the Redirect URI blank. Click Register.
• Copy and save the Application (client) ID and Directory (tenant) ID from the overview page. You will need these later.

Step 2: Create a Client Secret

• In your newly created app registration, navigate to Certificates & secrets > Client secrets > New client secret.secret.

• Add a description (e.g., elastic-fleet-secret) and choose an expiry period appropriate for your organization.

• Click Add, then immediately copy the secret Value.Value. This is the only time it is shown in full.

Step 3: 

• In the app registration, go to API permissions > Add a permission.permission.

• Select APIs my organization uses, then search for and select WindowsDefenderATP.

• Choose Application permissions and grant the following minimum required scopes:

Step 4: 

• Click Add permissions, then click Grant admin consent for [Your Tenant]. Confirm when prompted.

• Verify the Status column shows Granted for [tenant] for all added permissions.

Elastic Fleet Configuration

With the Azure application registered, the next step is to configure Elastic Fleet to deploy the MDE integration.

Collect Microsoft Defender for Endpoint logs via API

Please

saved
• Collectand Microsoftprovide Defenderthis forvalues:
  Endpoint logs from API
  1. ClientDirectory (tenant) ID 
  2. ClientApplication Secret(client) ID
  3. TenantClient IDSecret Value