Configuring Microsoft Defender for Endpoint

Configuration Guide

Updated Jan 5, 2023

Configuring Microsoft Defender for Endpoint

Overview Direct link to this section

This document describes how to retrieve the credentials needed to monitor the logs from your Microsoft Defender for Endpoint (formerly Defender ATP) environment, using the Microsoft Graph API.

Note: Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.

As part of this configuration, you must provide the following information about your Microsoft Defender for Endpoint (formerly Defender ATP) application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:

Note: The Client Secret is only available to view during the application registration. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new Client Secret for the application.

Before you begin Direct link to this section

This process requires that you are an administrator of a Microsoft account with one of the following licenses:

Register the application Direct link to this section

Registering your Microsoft Defender for Endpoint (formerly Defender ATP) application in the Microsoft Azure Portal creates the necessary credentials and sets the correct permissions to allow Arctic Wolf to properly retrieve logs from the endpoints.

  1. Sign in to the Microsoft Azure Portal.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select New registration to open the Register an application page.

  5. Enter a memorable name for the application in the Name text box.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: Leave all other fields as their defaults.

  7. Click Register. This opens the page for the newly registered application.

  8. Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret.

    2. Select your desired option for the Expires field.

      Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    3. Click Add.

  11. Verify that your new client secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf as part of Provide credentials to Arctic Wolf.

Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.

Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field.

  1. Proceed to Configure API permissions.

Configure API permissions Direct link to this section

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, select API permissions.

  2. Find the User.Read permission which is enabled by default, and then click ... to open the menu.

  3. Select Remove permission and then select Yes, remove.

  4. In the Configured permissions section, click +Add a permission to open the Request API permissions page.

  5. In the Select an API section, select Microsoft APIs, and then, in the Commonly used Microsoft APIs section, select Microsoft Graph.

  6. Select Application permission to open the permission type list.

  7. Search for the following permissions types and check the corresponding checkboxes for each to allow appropriate permissions:

    • SecurityActionsSecurityActions.Read.All
    • SecurityEventsSecurityEvents.Read.All
    • OrganizationOrganization.Read.All

  8. Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

  10. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf Direct link to this section

To provide your Microsoft Defender for Endpoint (formerly Defender ATP) application registration details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Microsoft Defender Advanced Threat Protection from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values from steps 7 and 10 of Register the application:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.