Configuring Microsoft Defender for Endpoint
Overview
This document describes how to create and retrieve the credentials that Arctic Wolf needs to monitor the logs from your Microsoft Defender for Endpoint (formerly Defender ATP) environment through the Microsoft Graph API.
Note: Throttling may occur if too many requests are made to the Microsoft Graph API. The throttling threshold can be reached by a high volume of requests from multiple applications within a single Azure tenant, or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can therefore delay log retrieval. See the Microsoft Graph throttling guidance on the Microsoft website for more information.
As part of this configuration, you must provide the following information about your Microsoft Defender for Endpoint (formerly Defender ATP) application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
Note: The Client Secret value is only viewable immediately after the secret is created. If it is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new Client Secret for the application.
Before you begin
This process requires that you hold an administrator role in your Azure AD tenant that can register applications and grant tenant-wide admin consent (for example, Global Administrator), and that the tenant has one of the following licenses:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 A5
- Microsoft Defender for Endpoint Plan 1 and Plan 2
- Microsoft Defender for Business
Register the application
Registering an application for Microsoft Defender for Endpoint (formerly Defender ATP) in the Microsoft Azure Portal creates the credentials and assigns the permissions that allow Arctic Wolf to retrieve Defender for Endpoint alerts and events from your tenant through the Microsoft Graph API.
1. Sign in to the Microsoft Azure Portal.
2. Open the navigation menu, and then select Azure Active Directory (now Microsoft Entra ID).
3. Select App registrations from the navigation pane.
4. Select New registration to open the Register an application page.
5. Enter a memorable name for the application in the Name text box.
6. In the Supported account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected. A single-tenant registration means only identities in your own tenant can obtain tokens for the application.
   Note: Leave all other fields as their defaults.
7. Click Register. This opens the page for the newly registered application.
8. Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf as part of Provide credentials to Arctic Wolf.
9. In the navigation pane, under Manage, select Certificates & secrets.
10. In the Client secrets section, select + New client secret, and then create the secret:
    a. Enter a meaningful description for the client secret.
    b. Select your desired option for the Expires field. The Azure portal allows a lifetime of up to 24 months; a shorter lifetime limits the exposure if the secret is ever leaked.
       Tip: You must submit updated credentials to Arctic Wolf before the credentials expire, so set a reminder for a renewal date well ahead of the expiry.
    c. Click Add.
11. Verify that your new client secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf as part of Provide credentials to Arctic Wolf.
    Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field; it is only an identifier for the secret and cannot be used to authenticate.
12. Proceed to Configure API permissions.
Configure API permissions
To configure API permissions for the registered application:
1. In the navigation pane, under Manage, select API permissions.
2. Find the User.Read delegated permission, which is added by default, and then click ... to open its menu.
3. Select Remove permission, and then select Yes, remove.
4. In the Configured permissions section, click + Add a permission to open the Request API permissions page.
5. In the Select an API section, select Microsoft APIs, and then, in the Commonly used Microsoft APIs section, select Microsoft Graph.
6. Select Application permissions to open the permission list. Application permissions let the registered application call Microsoft Graph as itself, without a signed-in user, which is what an unattended polling integration needs.
7. Search for each of the following permissions and select its checkbox:
   - SecurityActions — SecurityActions.Read.All
   - SecurityEvents — SecurityEvents.Read.All
   - Organization — Organization.Read.All
   Note: Grant only these three read-only permissions. Additional permissions are not needed for log retrieval and would widen what a leaked client secret could do.
8. Click Add permissions. This returns you to the API permissions page, where the new permissions appear in the list with the status Not granted for <Organization Name>.
9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change. Application permissions have no effect until an administrator consents; verify that the Status column now shows Granted for <Organization Name> for each of the three permissions.
10. Proceed to Provide credentials to Arctic Wolf.
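Before handing the credentials over, it is worth confirming that the registration actually works: request a token with the OAuth 2.0 client-credentials grant and check that the token's roles claim lists the three application permissions, which only happens after admin consent has been granted. The script below is an added example for that check; it is not Arctic Wolf's or Microsoft's code. The token and Graph endpoints are the real ones; the environment variable names (AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET) and the unsigned sample token it falls back to when no credentials are set are assumptions made for this example.

```python
"""Verify a Defender for Endpoint app registration before submitting its credentials.

Added example, not Arctic Wolf's or Microsoft's code. Standard library only.
With real credentials in the environment it requests a client-credentials token
and inspects the token's `roles` claim; otherwise it runs against a constructed,
unsigned sample token so the check itself can be exercised offline.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts?$top=1"

# Application permissions granted in the procedure above. After admin consent
# they appear verbatim in the `roles` claim of the app's access token.
REQUIRED_ROLES = frozenset({
    "SecurityActions.Read.All",
    "SecurityEvents.Read.All",
    "Organization.Read.All",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(access_token: str) -> dict:
    """Payload of a compact JWT, decoded WITHOUT signature verification.

    Acceptable only because we inspect a token we just received over TLS from
    the token endpoint for our own app; never trust unverified claims on a
    token presented by someone else.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_roles(access_token: str) -> set:
    """App roles granted to the caller; empty when admin consent is missing."""
    return set(token_claims(access_token).get("roles", []))


def missing_roles(access_token: str, required=REQUIRED_ROLES) -> list:
    """Required Graph application permissions absent from the token, sorted."""
    return sorted(set(required) - token_roles(access_token))


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials grant against the tenant's v2.0 endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def probe_alerts(access_token: str) -> int:
    """GET one alert from Graph Security; 200 means the permissions work end to end."""
    req = urllib.request.Request(ALERTS_URL, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403 almost always means consent was not granted; 429 is Graph throttling.
        return err.code


def make_sample_token(roles) -> str:
    """Constructed, unsigned JWT-shaped string for offline demonstration only.

    Like the real token endpoint, it omits the `roles` claim when nothing was consented.
    """
    payload = {"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-000000000000"}
    if roles:
        payload["roles"] = sorted(roles)
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    tenant, cid, secret = (os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET"))
    live = bool(tenant and cid and secret)
    tok = request_token(tenant, cid, secret) if live else make_sample_token(REQUIRED_ROLES)
    gaps = missing_roles(tok)
    print("missing application permissions:", gaps or "none")
    if live:
        print("GET /security/alerts ->", probe_alerts(tok))
    sys.exit(1 if gaps else 0)
```

If the roles claim is absent or incomplete, go back to API permissions and confirm the Status column reads Granted for your organization; a freshly consented permission can take a minute to show up in new tokens. Treat the client secret in the environment as you would the one you send to Arctic Wolf: do not leave it in shell history or a script checked into source control.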
Provide credentials to Arctic Wolf
To provide your Microsoft Defender for Endpoint (formerly Defender ATP) application registration details to Arctic Wolf on the Arctic Wolf Portal:
1. Sign in to the Arctic Wolf Portal.
2. Select Connected Accounts in the banner menu to open the Connected Accounts page.
3. Select + Add Account to open the Add Account form.
4. Select Cloud Detection and Response as the Account Type.
5. Select Microsoft Defender Advanced Threat Protection from the list of cloud services.
6. Enter a descriptive name for the credentials.
7. Paste the values you recorded in Register the application:
   - Application (client) ID
   - Directory (tenant) ID
   - Client Secret (the Value field, not the Secret ID)
8. Select Submit to CST.
9. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
10. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.
Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.
If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.