NG SIEM - Microsoft Defender for Endpoint
Overview
This guide walks through the full process of integrating Microsoft Defender for Endpoint (MDE) with the Elastic Stack to centralize security telemetry, enrich alerts, and enable unified threat hunting across your environment.
The integration works by streaming MDE alerts, events, and device data into Elasticsearch using the Elastic Agent's Microsoft Defender for Endpoint integration package. Once data is flowing, you can build dashboards, detection rules, and correlation queries using Elastic Security's built-in tooling.
Prerequisites
Before you begin, ensure the following are in place:
- An active Microsoft Defender for Endpoint license (Plan 1 or Plan 2, or a Microsoft 365 Defender bundle that includes it). Advanced hunting (AdvancedQuery.Read.All) and vulnerability data are Plan 2 features; with Plan 1 plan on collecting alert and device data only.
- Access to the Microsoft Entra ID (formerly Azure AD) portal to register an application
- A role that can grant tenant-wide admin consent for application permissions (Global Administrator, or Cloud Application Administrator / Application Administrator for a non-Graph API such as WindowsDefenderATP). Security Administrator on its own cannot grant admin consent.
Azure App Registration
The Elastic Agent authenticates to the MDE API using OAuth 2.0 client credentials. You need to register an application in Microsoft Entra ID and grant it the appropriate API permissions.
Step 1: Register a New Application
- In the Microsoft Entra admin center (or the Azure portal under Microsoft Entra ID), open App registrations and select New registration.
- Give the application a descriptive name (e.g., elastic-mde-integration), choose Accounts in this organizational directory only (single tenant), leave the Redirect URI empty, and click Register. The Elastic Agent uses the client-credentials flow, so no redirect URI is needed.
- On the application's Overview page, note the Application (client) ID and the Directory (tenant) ID. Fleet needs both, together with the secret created in the next step.
Step 2: Create a Client Secret
- In your newly created app registration, navigate to Certificates & secrets > Client secrets > New client secret.
- Add a description (e.g., elastic-fleet-secret) and choose an expiry period appropriate for your organization. Record the expiry date: once the secret lapses the agent can no longer obtain tokens and ingestion stops until the secret is rotated in both Entra ID and Fleet.
- Click Add, then immediately copy the secret Value. This is the only time it is shown in full; store it in your secrets manager rather than in a ticket or chat message.
Step 3: Add API Permissions
- In the app registration, go to API permissions > Add a permission.
- Select APIs my organization uses, then search for and select WindowsDefenderATP.
- Choose Application permissions (the agent authenticates as itself, with no signed-in user, so delegated permissions do not apply) and grant the following minimum set:

| Permission | Purpose |
|---|---|
| Alert.Read.All | Read all MDE alerts |
| Machine.Read.All | Read device inventory and health state |
| Vulnerability.Read.All | Read vulnerability and software inventory |
| AdvancedQuery.Read.All | Execute advanced hunting queries (optional) |

Grant only the permissions for the data you actually intend to collect. All four are read-only, so a leaked secret cannot be used to take response actions, but AdvancedQuery.Read.All exposes the entire hunting schema and should be omitted unless you have a concrete use for it.
Step 4: Grant Admin Consent
- Click Add permissions, then click Grant admin consent for [Your Tenant]. Confirm when prompted.
- Verify the Status column shows Granted for [tenant] for all added permissions. Application permissions are unusable until consent is granted: without it the application may still obtain a token, but that token carries no roles claim and the MDE API rejects its calls.
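Before touching Fleet it is worth confirming that the registration, the secret and the admin consent actually line up, because a missing role otherwise surfaces only as authorization failures once the agent starts polling. The script below is an added example, not part of this guide or of Elastic's integration code. It performs the same OAuth 2.0 client-credentials exchange the agent does and then checks the roles claim of the returned token against the permission table above. It assumes only Microsoft's documented token endpoint and MDE resource URI; the tenant ID, client ID and secret are read from environment variable names chosen here, and SAMPLE_TOKEN is a constructed, unsigned token used so the checks can be exercised offline.

```python
"""Pre-flight check for the MDE app registration (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Resource the access token must be issued for: the MDE API.
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"

# Application permissions from the guide's table (Step 3).
REQUIRED_ROLES = {"Alert.Read.All", "Machine.Read.All", "Vulnerability.Read.All"}
OPTIONAL_ROLES = {"AdvancedQuery.Read.All"}


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials POST against the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests every application permission consented in Step 4.
        "scope": f"{MDE_RESOURCE}/.default",
    }).encode()
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature.

    Skipping verification is acceptable here only because the token came
    straight from Microsoft's token endpoint over TLS and is inspected
    locally. Never use an unverified decode to accept tokens from callers.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(claims: dict) -> dict:
    """Compare the token's application roles with the guide's permission table."""
    granted = set(claims.get("roles", []))
    return {
        "audience_ok": str(claims.get("aud", "")).rstrip("/") == MDE_RESOURCE,
        "missing_required": sorted(REQUIRED_ROLES - granted),
        "missing_optional": sorted(OPTIONAL_ROLES - granted),
        # Anything beyond the table violates least privilege and should be removed.
        "extra": sorted(granted - REQUIRED_ROLES - OPTIONAL_ROLES),
    }


def fetch_and_check(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Obtain a real token from Entra ID and run check_roles() on it (needs network)."""
    req = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    return check_roles(decode_jwt_claims(token))


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (NOT issued by Microsoft): unsigned, with an empty
# signature segment, so the offline checks run without a tenant. It is
# deliberately missing Vulnerability.Read.All to show what a gap looks like.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": MDE_RESOURCE, "roles": ["Alert.Read.All", "Machine.Read.All"]}),
    "",
])


if __name__ == "__main__":
    # Real run: export MDE_TENANT_ID, MDE_CLIENT_ID and MDE_CLIENT_SECRET first
    # (variable names are this example's choice, not Elastic's or Microsoft's).
    env = {k: os.environ.get(k) for k in ("MDE_TENANT_ID", "MDE_CLIENT_ID", "MDE_CLIENT_SECRET")}
    if all(env.values()):
        result = fetch_and_check(env["MDE_TENANT_ID"], env["MDE_CLIENT_ID"], env["MDE_CLIENT_SECRET"])
    else:
        result = check_roles(decode_jwt_claims(SAMPLE_TOKEN))  # offline demonstration
    print(json.dumps(result, indent=2))
```

An empty `missing_required` list and `audience_ok: true` means consent has propagated and the agent will be able to call the alerts, machines and vulnerability endpoints; a non-empty `extra` list is the cue to go back to Step 3 and trim the registration.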
Elastic Fleet Configuration
With the Azure application registered, the next step is to configure Elastic Fleet to deploy the MDE integration. In Kibana, open Fleet > Agent policies, select the policy of the agent that should do the collection, choose Add integration, and pick Microsoft Defender for Endpoint. The integration offers two inputs:

Collect Microsoft Defender for Endpoint logs via API
- Enable Collect Microsoft Defender for Endpoint logs from API and fill in:
  - Client ID: the Application (client) ID from the app registration's Overview page
  - Client Secret: the secret Value copied in Step 2
  - Tenant ID: the Directory (tenant) ID of your Entra tenant

Because this input polls a remote API, run it on a single agent (or a policy with a single agent); enabling it in a policy applied to many agents produces duplicate events.

Collect Microsoft Defender for Endpoint logs via file
- Enable Collect Microsoft Defender for Endpoint logs from a file and set:
  - Paths: one or more paths to exported MDE log files on the host where the agent runs
Conclusion
Integrating Microsoft Defender for Endpoint with Elastic brings together the strengths of both platforms: MDE's deep endpoint telemetry and EDR capabilities paired with Elastic's log aggregation, search, and SIEM workflows. By following the steps in this guide, registering the Entra ID application, granting it only the read-only permissions it needs, and configuring Elastic Fleet, your team will have a unified, centralized view of endpoint security across your environment. With pre-built dashboards, threat hunting queries, and Elastic's correlation engine at your disposal, you will be well positioned to detect, investigate, and respond to threats faster and more effectively.