Microsoft Defender for Endpoint Monitoring

Updated Jan 17, 2024

Configure Microsoft Defender for Endpoint for Arctic Wolf monitoring

You can configure Microsoft Defender for Endpoint® to send the necessary logs to Arctic Wolf® for security monitoring.

When Microsoft Defender for Endpoint monitoring is successfully configured, Arctic Wolf can use the Microsoft Graph API to monitor logs from your Microsoft Defender for Endpoint environment and alert you about suspicious or malicious activity.

Notes:

  • If you configured monitoring for Microsoft Defender for Endpoint before March 2023, you must reconfigure monitoring so that Arctic Wolf can continue to monitor your environment. All existing sensors and Azure Active Directory (AD) applications supporting the integration must be replaced with new deployments. In-place upgrades to existing sensors, applications, and API permissions are not supported.

  • Throttling can occur if too many requests are made to the Microsoft Graph API. The throttling threshold can be reached by a high volume of requests from multiple applications in one Azure tenant, or from one application across all Azure tenants. Contention between the Arctic Wolf service and other applications running in the Azure tenant can delay log retrieval.

    See Microsoft Graph throttling guidance for more information.

Requirements

Steps

  1. Register the application.
  2. Configure API permissions.
  3. Provide your Microsoft Defender for Endpoint credentials to Arctic Wolf.

Step 1: Register the application

  1. Sign in to the Microsoft Entra ID (formerly Azure AD) admin center.

  2. In the navigation menu, click the name of the Microsoft product that you want to configure for Arctic Wolf monitoring.

  3. Click Applications > App registrations.

  4. Click + New registration.

  5. Configure these settings:

    • Name — Enter a name for the application.
    • Supported Account Types — Select the Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) checkbox.
    • For all other fields, keep the default values.
  6. Click Register.

    The page for the newly registered application opens.

  7. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

  8. In the navigation menu, in the Manage section, click Certificates & secrets.

  9. In the Client secrets section, click + New client secret, and then configure these settings:

    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  10. Click Add.

  11. On the Client secrets tab, verify that your new client secret appears.

    [Screenshot: Certificates & secrets page in the Azure portal, with the Value field highlighted.]
  12. Copy the value shown in the Value field, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    Notes:

    • The Value field is only readable immediately after the secret is created. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The Value field contains the client secret itself. You must provide this value to Arctic Wolf later. You do not need to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the credentials expire.

Step 2: Configure API permissions

  1. In the navigation menu, click Manage > API permissions.

  2. Find the User.Read permission and click Menu > Remove permission.

  3. Click Yes, remove.

  4. Click + Add a permission.

  5. In the Request API permissions pane, make sure that you are on the Microsoft APIs tab.

  6. Click Microsoft Graph.

  7. Click Application permissions.

  8. In the search bar, enter SecurityAlert.Read.All, and then select the corresponding checkbox for the permission.

  9. Click Add permissions.

    The Request API permissions pane closes and the new permission appears in the Configured permissions section of the API permissions pane.

  10. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes.
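Before handing the credentials to Arctic Wolf, it is worth confirming that the registration and the admin-consented permission actually produce a usable Graph token. The following Python is an added example, not Arctic Wolf's or Microsoft's code: it builds the client-credentials request for the global cloud token endpoint and inspects the claims of the returned access token for the Graph audience, your tenant and client IDs, and the SecurityAlert.Read.All role. It decodes the token without verifying its signature, and make_test_token is a constructed helper for offline testing only.

```python
import base64
import json
import time
import urllib.parse

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app ID
REQUIRED_ROLE = "SecurityAlert.Read.All"  # the application permission added in Step 2

def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body for the v2.0 client-credentials grant (global cloud)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body

def decode_jwt_payload(token):
    """Decode only the claims segment; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, tenant_id, client_id, now=None):
    """Return a list of problems; an empty list means Steps 1 and 2 took effect."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in ("https://graph.microsoft.com", GRAPH_APP_ID):
        problems.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID you recorded")
    if claims.get("appid") != client_id:
        problems.append("appid does not match the Application (client) ID you recorded")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing from roles; was admin consent granted?")
    if claims.get("exp", 0) <= now:
        problems.append("token has already expired")
    return problems

def make_test_token(claims):
    """Constructed, unsigned header.payload.signature string for offline tests only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"
```

In a live check, POST the body returned by build_token_request to its URL, take access_token from the JSON response, and pass it to check_token; a roles problem usually means the Grant admin consent step was skipped.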

Step 3: Provide your Microsoft Defender for Endpoint credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Cloud Services list, select Microsoft Defender for Endpoint.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application (client) ID from Register the application.

    • Directory (tenant) ID — Enter the directory (tenant) ID from Register the application.

    • Client Secret Value — Enter the client secret from Register the application.

    • Microsoft Cloud — Do one of these actions based on the Microsoft Defender for Endpoint version that you are providing credentials for:

      • Commercial — Select global.
      • GCC — Select gcc.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
