Microsoft Defender for Endpoint Monitoring

Updated Sep 27, 2023

Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint monitoring limitations
Configure Microsoft Defender for Endpoint
- Requirements
- Steps
MDR polling frequency
Next steps
See also

Microsoft Defender for Endpoint

If you previously configured monitoring for Microsoft Defender for Endpoint before March 2023, you must follow the steps in this guide reconfigure monitoring so that Arctic Wolf can continue to monitor your environment. All existing sensors and Azure Active Directory (AD) applications supporting the integration must be replaced with new deployments. In-place upgrades to existing sensors, applications, and API permissions are not supported.

Arctic Wolf® monitors Microsoft Defender for Endpoint® logs to alert you about suspicious or malicious activity.

To implement this functionality, you must provide this information about your Microsoft Defender for Endpoint application from the Microsoft Azure Portal to Arctic Wolf®:

Application (client) ID
Directory (tenant) ID
Client Secret

Microsoft Defender for Endpoint monitoring limitations

The Client Secret is only available to view during the application registration. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new Client Secret for the application.
Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.

Configure Microsoft Defender for Endpoint

Once Microsoft Defender for Endpoint monitoring is successfully configured, Arctic Wolf can use the Microsoft Graph API to monitor logs from your Microsoft Defender for Endpoint environment and alert you about suspicious or malicious activity.

Requirements

A Microsoft account with administrator access.
A Microsoft licensing package containing one of these service plans:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender

Step 1: Register the application

Registering your Microsoft Defender for Endpoint application in the Microsoft Azure Portal creates the necessary credentials and sets the correct permissions to allow Arctic Wolf to properly retrieve logs from the endpoints.

Sign in to the Microsoft Azure Portal.
Open the navigation menu, and then select Azure Active Directory.
Select App registrations from the navigation pane.
Select + New registration.
Enter a memorable name for the application in the Name field.
In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

Note: Leave all other fields as their defaults.
Click Register. This opens the page for the newly registered application.
Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf in a later step.
In the navigation pane, under Manage, select Certificates & secrets.
In the Client secrets section, select + New client secret, and then create the secret:
1. Enter a meaningful description for the Client Secret.
2. Select your desired option for the Expires field.
  
  Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.
3. Click Add.
Verify that your new Client Secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf later.

Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.

Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field.

Step 2: Configure API permissions

To configure API permissions for the registered application:

In the navigation pane, under Manage, click API permissions.
Find the User.Read permission which is enabled by default, and then click Menu to open the menu.
Click Remove permission and then click Yes, remove.
In the Configured permissions section, click + Add a permission.
In the Select an API section, click Microsoft APIs, and then, in the Commonly used Microsoft APIs section, click Microsoft Graph.
Click Application permission to open the permission type list.
Search for the Microsoft Graph permission type and select the corresponding SecurityAlert.Read.All checkbox.

Tip: For more information on Microsoft Graph permission types, see Microsoft Graph permissions reference.
Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.
In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

Step 3: Provide credentials to Arctic Wolf

To provide your Microsoft Defender for Endpoint application registration details to Arctic Wolf on the Arctic Wolf Portal:

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

Sign in to the Arctic Wolf Unified Portal.
In the menu bar, click Telemetry Management > Connected Accounts.
Click Add Account +.
On the Add Account page, from the Account Type list, select Cloud Detection and Response.
From the list of cloud services, select Microsoft Defender for Endpoint.
On the Add Account page, complete these steps:
1. Account Name — Enter a unique and descriptive name for the account.
2. For each of these fields, paste the appropriate value from Register the application:
  - Application (client) ID
  - Directory (tenant) ID
  - Client Secret
3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
Click Test and Submit Credentials.

After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.

Next steps

After configuring Arctic Wolf monitoring of your Microsoft Defender for Endpoint environment, you can optionally configure Microsoft Defender for Endpoint to contain possibly compromised hosts. For instructions, see Microsoft Defender for Endpoint Containment.