Microsoft Defender for Endpoint Input
The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
Microsoft Defender for Endpoint is a cloud-based endpoint security solution that provides protection for enterprise devices with a range of security features, such as asset management, security baselines, vulnerability assessment, and advanced threat protection.
Prerequisites
To use the Microsoft Defender for Endpoint plugin, create and authorize a client application through your organization’s Microsoft Azure portal. Your Graylog installation will then poll your Microsoft Defender data and ingest new logs into Graylog at specified intervals.
Azure Configuration
-
Log in to Microsoft Azure.
-
Select Microsoft Entra ID from the left-hand menu.
-
Select App Registrations under the Manage heading from the left-hand menu.
-
Select New Registration from the top of the right-hand pane.
-
Register a new application with the following actions:
- Provide a name for the application (e.g. “Graylog Log Access”).
- Select the appropriate account type. This should be either
Single Tenant
orMultitenant
depending on whether your organization has a single or multiple Active Directory instance(s). - Do not add a
Redirect URI
. - Click the
Register
button.
-
Once the application is created, the following fields are automatically generated:
Application (client) ID
Directory (tenant) ID
-
For the newly created application, navigate to Certificates & Secrets.
-
Click on New Client Secret.
-
Add a description for the new secret, select an expiration time, and then click Add.
-
Make a note of the Application (client) ID, Directory (tenant) ID, and Client Secret, as these will be required to configure the input.
Client Application Permissions in Azure
-
For the newly created application, navigate to API Permissions.
-
Click on Add a permission.
-
Select APIs my organization uses.
-
Search for
WindowsDefenderATP
. -
Select WindowsDefenderATP.
-
Select these permissions and click Add permissions:
Alert.Read.All
Alert.ReadWrite.All
User.Read.All
Vulnerability.Read.All
Machine.Read.All
-
Click on Grant admin consent for...
-
Click Yes in the pop-up dialog to confirm.
Plugin Configuration
Client ID
, Tenant ID
, and Client Secret Value
from the previous sections to proceed.-
Input Name
- Provide a unique name for your new input.
-
Directory (tenant) ID
- The ID of the Active Directory instance for which Graylog will collect log data.
-
Application (client) ID
- The ID of the Client Application created above.
-
Client Secret Value
- This is the client secret value generated above.
- Polling Interval
- Determines how often (in minutes) the input will check for new log data.
- Defaults to 5 minutes. We recommend leaving this at the default. Value should not be less than 1 (minute).
- Enable Throttling
- Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.
- Store Full Message
- Permits Graylog to store the raw log data in the
full_message
field for each log message. - Selection can result in a significant increase in the amount of data stored.
- Permits Graylog to store the raw log data in the