Microsoft Defender for Endpoint Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Microsoft Defender for Endpoint is a cloud-based endpoint security solution that provides protection for enterprise devices with a range of security features, such as asset management, security baselines, vulnerability assessment, and advanced threat protection.

Prerequisites

To use the Microsoft Defender for Endpoint plugin, create and authorize a client application through your organization’s Microsoft Azure portal. Your Graylog installation will then poll your Microsoft Defender data and ingest new logs into Graylog at specified intervals.

Warning: The following steps for configuration are mandatory!

Azure Configuration

  1. Log in to Microsoft Azure.

  2. Select Microsoft Entra ID from the left-hand menu.

  3. Select App Registrations under the Manage heading from the left-hand menu.

  4. Select New Registration from the top of the right-hand pane.

  5. Register a new application with the following actions:

    1. Provide a name for the application (e.g. “Graylog Log Access”).
    2. Select the appropriate account type. This should be either Single Tenant or Multitenant depending on whether your organization has a single or multiple Active Directory instance(s).
    3. Do not add a Redirect URI.
    4. Click the Register button.

  6. Once the application is created, the following fields are automatically generated:

    1. Application (client) ID
    2. Directory (tenant) ID

  7. For the newly created application, navigate to Certificates & Secrets.

  8. Click on New Client Secret.

  9. Add a description for the new secret, select an expiration time, and then click Add.

  10. Make a note of the Application (client) ID, Directory (tenant) ID, and Client Secret, as these will be required to configure the input.

Client Application Permissions in Azure

  1. For the newly created application, navigate to API Permissions.

  2. Click on Add a permission.

  3. Select APIs my organization uses.

  4. Search for WindowsDefenderATP.

  5. Select WindowsDefenderATP.

  6. Select these permissions and click Add permissions:

    Alert.Read.All

    Alert.ReadWrite.All

    User.Read.All

    Vulnerability.Read.All

    Machine.Read.All

  7. Click on Grant admin consent for...

  8. Click Yes in the pop-up dialog to confirm.

Plugin Configuration

Hint: You will need the Client ID, Tenant ID, and Client Secret Value from the previous sections to proceed.

  • Input Name

    • Provide a unique name for your new input.

  • Directory (tenant) ID

    • The ID of the Active Directory instance for which Graylog will collect log data.

  • Application (client) ID

    • The ID of the Client Application created above.

  • Client Secret Value

    • This is the client secret value generated above.
  • Polling Interval
    • Determines how often (in minutes) the input will check for new log data.
    • Defaults to 5 minutes. We recommend leaving this at the default. Value should not be less than 1 (minute).
  • Enable Throttling
    • Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.
  • Store Full Message
    • Permits Graylog to store the raw log data in the full_message field for each log message.
    • Selection can result in a significant increase in the amount of data stored.