# Microsoft Defender for Endpoint

This guide walks you through enabling Microsoft Defender API access in ThreatDefence SIEM.

> **Requirements:**
>
> * Access to Microsoft 365 services (Microsoft 365 Compliance Center, Azure Active Directory)
> * **Premium P1/P2 Licensing** (ThreatDefence will automatically extract available security events based on your license tier)

***

## Step 1: Grant API Permissions in Azure

### 1. Register an Application

* Create an Application ID and secret as described in the [Microsoft 365 Guide](/microsoft-365/microsoft-365.md).

![Create Application](/files/sTOJcew2TTI2gQV3hEGV)

### 2. Assign Windows Defender ATP Permissions

* In your application page for ThreatDefence, go to **API Permissions** > **Add permission** > **APIs my organization uses**.
* Search for **WindowsDefenderATP** and select it.

![Windows Defender ATP Permissions](/files/9Gd2RkNwgEGzBPnaw8Q1)

* Select **Application Permissions** and add the following:

#### Standard Permissions

```
Alert.ReadWrite.All
Software.Read.All
Vulnerability.Read.All
SecurityRecommendation.Read.All
BrowserExtensionsInventoryByMachine
Machine.Read.All
runAntiVirusScan
```

#### Host Isolation Permissions (Optional, for host isolation via MS Defender endpoint agents)

To enable Host Isolation features, also add:

```
Machine.Isolate
```

* Click **Add Permissions**.

### 3. Grant Admin Consent

* Click **Grant admin consent for \[Your Organization]** to grant the permissions you just added.

![Grant Admin Consent](/files/sUIreG8Eqqqa4xg3CGqj)
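To confirm that consent matches this guide and that the application holds nothing beyond it, the check below is an added example, not ThreatDefence or Microsoft code. It assumes an app-only access token issued to the application for the WindowsDefenderATP API exposes the granted application permissions in its `roles` claim, under the names listed above; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions listed in this guide.
STANDARD = {
    "Alert.ReadWrite.All", "Software.Read.All", "Vulnerability.Read.All",
    "SecurityRecommendation.Read.All", "BrowserExtensionsInventoryByMachine",
    "Machine.Read.All", "runAntiVirusScan",
}
OPTIONAL_ISOLATION = {"Machine.Isolate"}


def token_roles(jwt: str) -> set:
    """Return the `roles` claim of a JWT. Inspection only: no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("roles claim is not a list")
    return set(roles)


def audit_roles(jwt: str, host_isolation: bool = False) -> dict:
    """Compare granted roles with the guide's list; report gaps and excess."""
    expected = STANDARD | (OPTIONAL_ISOLATION if host_isolation else set())
    granted = token_roles(jwt)
    return {
        "missing": sorted(expected - granted),     # not added, or consent not granted
        "unexpected": sorted(granted - expected),  # beyond what this guide asks for
    }


def make_sample_token(roles) -> str:
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": sorted(roles)}), "sig"])


if __name__ == "__main__":
    sample = make_sample_token((STANDARD - {"Vulnerability.Read.All"}) | {"Machine.Isolate"})
    print(audit_roles(sample))  # host isolation not in use, so Machine.Isolate is flagged
```

An empty `missing` list means every permission from this guide was added and consented; anything under `unexpected` is a grant to review and remove if the integration does not need it.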

***

## Step 2: Configure ThreatDefence SIEM

1. Log in to your [ThreatDefence SIEM Portal](https://portal.threatdefence.io).
2. Navigate to **Deployments** > **Integrations**.
3. Click **Add** and select **Microsoft Defender API**.

***

## Need Help?

If you have any questions or need further assistance, please contact: **support \[at] threatdefence.com**

***

