Microsoft Defender for Endpoint Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Microsoft Defender for Endpoint is a cloud-based endpoint security solution that provides protection for enterprise devices with a range of security features, such as asset management, security baselines, vulnerability assessment, and advanced threat protection.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • To use the Microsoft Defender for Endpoint plugin, create and authorize a client application through your organization’s Microsoft Azure portal. Your Graylog installation will then poll your Microsoft Defender data and ingest new logs into Graylog at specified intervals.

  • Ensure that all Graylog nodes in the cluster can reach the necessary Microsoft API endpoints over TCP port 443.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  1. Create a Microsoft Entra application with the following actions:

    1. Provide an application name (e.g. Graylog Log Access).

    2. Choose Single tenant or Multi-tenant, based on your organization's directory setup.

    3. Skip the Redirect URI option.

  2. After registration, note the following values:

    • Application (client) ID

    • Directory (tenant) ID

  3. Create a client secret.

  4. Add API permissions and assign the following delegated permissions:

    • Alert.Read.All

    • Alert.ReadWrite.All

    • User.Read.All

    • Vulnerability.Read.All

    • Machine.Read.All

  5. Grant admin consent to apply permissions.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret
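Before entering the three values above into Graylog, it is worth confirming offline that the registered application actually carries the permissions listed under Required Third-Party Setup. The following added example (not part of Graylog or of the Defender for Endpoint input) assembles the client-credentials token request for the Entra v2.0 token endpoint, decodes the access token you get back, and reports which of the required permissions are missing and whether the tenant and application IDs in the token match the values you noted; the API scope is left as a parameter because it depends on which Microsoft API the token is requested for. The token used below is a constructed sample, not a real one.

```python
import base64
import json
from urllib.parse import urlencode

# Entra ID v2.0 token endpoint for the client-credentials grant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Permissions the setup procedure requires the application to hold.
REQUIRED = {"Alert.Read.All", "Alert.ReadWrite.All", "User.Read.All",
            "Vulnerability.Read.All", "Machine.Read.All"}


def token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form body) for a client-credentials token request (scope is caller-supplied)."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": scope, "grant_type": "client_credentials"})
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for inspecting a token you just received yourself; never use this
    to accept a token presented by someone else."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims):
    """Application permissions arrive in 'roles', delegated ones in 'scp' (space-separated)."""
    granted = set(claims.get("roles", []))
    granted.update(claims.get("scp", "").split())
    return granted


def check_token(jwt, tenant_id, client_id, required=REQUIRED):
    """Return a sorted list of problems; an empty list means the token looks usable."""
    claims = decode_claims(jwt)
    problems = [f"missing permission {p}" for p in sorted(required - granted_permissions(claims))]
    if claims.get("tid") != tenant_id:
        problems.append("tenant ID in token does not match configured Directory (tenant) ID")
    if claims.get("appid") != client_id:
        problems.append("appid in token does not match configured Application (client) ID")
    return sorted(problems)


def constructed_token(claims):
    """Build an unsigned, constructed sample token for offline testing only."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."
```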

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Each configuration option is listed below with its description.

Input Name

Provide a unique name for your new input.

Directory (tenant) ID

The Entra tenant ID of the instance for which Graylog will collect log data.

Application (client) ID

The ID of the client application created above.

Client Secret

The client secret value generated above.

Polling Interval

Determines how often (in minutes) the input checks for new log data. Defaults to 5 minutes; we recommend leaving this at the default. The value must not be less than 1 minute.

Enable Throttling

Allows Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

Store Full Message

Allows Graylog to store the raw log data in the full_message field for each log message. Enabling this can significantly increase the amount of data stored.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: