Microsoft Defender for Endpoint

Integrate Microsoft Defender alerts, incidents and vulnerabilities

The Microsoft Defender for Endpoint connector allows you to integrate your security data into OverSOC for centralized visibility of detected incidents and vulnerabilities.

Overview

The Microsoft Defender for Endpoint connector enables you to collect the following information:

  • Machine inventory
  • Security alerts and incidents
  • Vulnerabilities (Threat & Vulnerability Management)

Prerequisites

  • Microsoft 365 tenant with Microsoft Defender for Endpoint enabled
  • Azure AD application configured with appropriate permissions
  • Access to Azure portal to create/manage applications

Information to provide in OverSOC

Field                       Description
API URL*                    Microsoft Defender API URL (e.g., https://api.security.microsoft.com)
Token URL*                  Azure AD token endpoint URL (e.g., https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token)
Tenant ID*                  Azure AD tenant ID
Application (Client) ID*    Client ID of the Azure AD application
Client Secret*              Client secret of the Azure AD application

(* = required field)

Configuration

Register an application in Microsoft Entra ID

  1. Navigate to the Microsoft Entra admin center.
  2. Go to Microsoft Entra ID > App registrations > New registration.
  3. Fill in the application details:
    • Name: OverSOC Microsoft Defender Connector
    • Supported account types: Accounts in this organizational directory only
  4. Click Register.
  5. From the app overview page, note the Application (Client) ID and Directory (Tenant) ID.

Add Microsoft Defender API permissions

  1. In your app registration, go to API permissions > Add a permission.
  2. Select APIs my organization uses and search for WindowsDefenderATP.
  3. Click WindowsDefenderATP.
  4. Select Application permissions and add the following:
    • Machine.Read.All
    • Alert.Read.All
    • Vulnerability.Read.All
    • SecurityRecommendation.Read.All
  5. Click Add permissions.
  6. Click Grant admin consent for Organization and confirm.

Generate a client secret

  1. In your app registration, go to Certificates & secrets > New client secret.
  2. Add a description (e.g., "OverSOC Connector").
  3. Select an expiration period.
  4. Click Add.
  5. Immediately copy the Value (it will only be displayed once).

Configure the connector in OverSOC

  1. In OverSOC, go to Data Sources Settings > Sources.
  2. Select Microsoft Defender for Endpoint and click Configure.
  3. Fill in the required fields (API URL, Token URL, Tenant ID, Application (Client) ID and Client Secret, as listed under "Information to provide in OverSOC").
  4. Click Save Configuration.

Reference: Microsoft Defender for Endpoint API - Create an app

Required Permissions

The Azure AD application must have the following minimum permissions:

  • Machine.Read.All: Read machine inventory
  • Alert.Read.All: Read alerts and incidents
  • Vulnerability.Read.All: Read vulnerability data
  • SecurityRecommendation.Read.All: Read security recommendations
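The following is an added example, not OverSOC's connector code, showing what the configuration above amounts to on the wire: a client-credentials request to the Token URL built from the Tenant ID, Application (Client) ID and Client Secret, a pre-flight check that the issued access token actually carries the four application permissions listed above (a missing role means admin consent was not granted for it, and the corresponding data collection will fail with 403), and OData paging through the API URL. The scope is assumed to be the API URL's `.default` scope and the collection path `/api/machines` is assumed from Microsoft's Defender for Endpoint API; neither appears on this page, and the tenant, client and secret values are placeholders. The demo token is constructed and unsigned so the claim check can run offline; signature verification is the API's job, not the client's.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Application permissions this documentation requires on the WindowsDefenderATP resource.
REQUIRED_ROLES = frozenset({
    "Machine.Read.All",
    "Alert.Read.All",
    "Vulnerability.Read.All",
    "SecurityRecommendation.Read.All",
})


def build_token_request(token_url, client_id, client_secret, api_url):
    """Build the OAuth2 client-credentials request for the Azure AD token endpoint.

    Returns (url, form_body_bytes, headers). Assumption: the scope is the API
    URL's `.default` scope; confirm the resource identifier your tenant uses.
    """
    scope = api_url.rstrip("/") + "/.default"
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return token_url, form, {"Content-Type": "application/x-www-form-urlencoded"}


def decode_jwt_claims(access_token):
    """Decode the claims segment of a compact JWT without verifying the signature.

    The API verifies the signature on every call; the client only inspects the
    claims it was issued to detect missing admin consent before collection starts.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Return the required application permissions absent from the token's `roles` claim.

    An empty list means admin consent covers everything the connector reads.
    """
    granted = set(decode_jwt_claims(access_token).get("roles", []))
    return sorted(required - granted)


def build_api_request(api_url, path, access_token, odata_filter=None):
    """Build a bearer-authenticated GET against the Defender API URL."""
    url = api_url.rstrip("/") + path
    if odata_filter:
        url += "?" + urlencode({"$filter": odata_filter})
    return Request(url, headers={"Authorization": "Bearer " + access_token,
                                 "Accept": "application/json"})


def fetch_json(request):
    """Live fetch helper: perform the request and parse the JSON body."""
    with urlopen(request, timeout=30) as resp:
        return json.load(resp)


def collect_pages(request, fetch=fetch_json):
    """Follow @odata.nextLink until the collection is exhausted, returning all items."""
    items, url = [], request.full_url
    while url:
        page = fetch(Request(url, headers=request.headers))
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def make_demo_jwt(claims):
    """Constructed for this example only: an unsigned JWT carrying the given claims."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


if __name__ == "__main__":
    token_url, body, headers = build_token_request(
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",  # placeholder
        "<client-id>", "<client-secret>",                                  # placeholders
        "https://api.security.microsoft.com")
    # Live use: token = fetch_json(Request(token_url, data=body, headers=headers))["access_token"]
    token = make_demo_jwt({"roles": ["Machine.Read.All", "Alert.Read.All"]})  # constructed
    print("permissions not granted:", missing_roles(token))
    # Live use: machines = collect_pages(build_api_request(api_url, "/api/machines", token))
```

Running the check at connector setup time, rather than discovering a 403 in the logs later, turns a consent mistake into an immediate, specific error; rotate the client secret before its expiration period and store it only in the connector's secret field.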