Microsoft Defender for Endpoint

This guide walks you through enabling Microsoft Defender API access in ThreatDefence SIEM.

Requirements:
Access to Microsoft 365 services (Microsoft 365 Compliance Center, Azure Active Directory)
Premium P1/P2 Licensing (ThreatDefence will automatically extract available security events based on your license tier)

Step 1: Grant API Permissions in Azure

1. Register an Application

Create an Application ID and secret as described in the Microsoft 365 Guide.

2. Assign Windows Defender ATP Permissions

In your application page for ThreatDefence, go to API Permissions > Add permission > APIs my organization uses.
Search for WindowsDefenderATP and select it.

Select Application Permissions and add the following:

Standard Permissions

Alert.ReadWrite.All
Software.Read.All
Vulnerability.Read.All
SecurityRecommendation.Read.All
BrowserExtensionsInventoryByMachine
Machine.Read.All
runAntiVirusScan

Host Isolation Permissions (Optional, for host isolation via MS Defender endpoint agents)

To enable Host Isolation features, also add:

Machine.Isolate

Click Add Permissions.

Click Grant admin consent for [Your Organization] to grant the permissions you just added.

Step 2: Configure ThreatDefence SIEM

Log in to your ThreatDefence SIEM Portal.
Navigate to Deployments > Integrations.
Click Add and select Microsoft Defender API.

Need Help?

If you have any questions or need further assistance, please contact: support [at] threatdefence.com

PreviousMicrosoft Defender XDR NextNetwork Sensor

Last updated 1 month ago

hashtagStep 1: Grant API Permissions in Azure

hashtag1. Register an Application

hashtag2. Assign Windows Defender ATP Permissions

hashtagStandard Permissions

hashtagHost Isolation Permissions (Optional, for host isolation via MS Defender endpoint agents)

hashtag3. Grant Admin Consent

hashtagStep 2: Configure ThreatDefence SIEM

hashtagNeed Help?