Configure Microsoft Defender XDR with Graph API for Arctic Wolf monitoring

You can configure Microsoft Defender XDR® with Microsoft Graph API to send the necessary logs to Arctic Wolf® for security monitoring.

Microsoft Defender XDR sensors generate detections and alerts for these Microsoft Defender products:
  • Defender for Cloud
  • Defender for Cloud Apps
  • Defender for Endpoint
  • Defender for Identity
  • Defender for Office 365

For information about changes to the Microsoft Defender sensors, see Microsoft Graph v.1.0 Alerts API Deprecation FAQ.

Note:

Throttling can occur if too many requests are made to the Microsoft Graph API. The throttling threshold can be reached because of a high volume of requests from multiple applications in one Azure tenant, or from one application across all Azure tenants. Contention between the Arctic Wolf service and other applications running in the Azure tenant can therefore delay log retrieval.

For more information, see Microsoft Graph throttling guidance.

These resources are required:

  • A Microsoft account with administrator permissions.
  • Microsoft requires these licenses for Microsoft Defender alerts to be generated and made available through Graph API. Each Defender service is listed with its corresponding licenses:

    Defender for Cloud: any workload protection Defender plan, that is:
    • Defender for Servers
    • Defender for Storage
    • Defender for Azure
    • Defender for Containers
    • Defender for App Service
    • Defender for Key Vault
    • Defender for Resource Manager
    • Defender for DNS
    For more information about AI alerts, see Microsoft AI threat protection.

    Defender for Cloud Apps:
    • Microsoft Defender for Cloud Apps
    • Microsoft 365 E5 (Microsoft E5/A5/G5)
    • Microsoft 365 E5/A5/G5/F5 Security
    • Enterprise Mobility + Security E5 (EMS E5/A5)

    Defender for Endpoint:
    • Defender for Endpoint Plan 1
    • Defender for Endpoint Plan 2
    • Microsoft 365 Defender

    Defender for Identity:
    • Enterprise Mobility + Security E5 (EMS E5/A5)
    • Microsoft 365 E5 (Microsoft E5/A5/G5)
    • Microsoft 365 E5/A5/G5/F5 Security
    • Microsoft 365 F5 Security + Compliance
    • A standalone Defender for Identity license
    For more information, see Microsoft Defender for Identity prerequisites.

    Defender for Office 365:
    • Defender for Office 365 Plan 2
    • Microsoft 365 A5/E5/F5/G5 Security
    For more information, see Microsoft Defender for Office 365 service description.

Register the application

  1. Sign in to one of these Microsoft Entra admin center URLs. If you have:
  2. Click Entra ID > App registrations.
  3. Click + New registration.
  4. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  5. Click Register.
    The page for the newly registered application opens.
  6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.
  7. In the navigation menu, in the Manage section, click Certificates & secrets.
  8. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  9. Click Add.
  10. On the Client secrets tab, verify that your new client secret appears.
  11. Copy the value shown in the Value column to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The value in the Value column is only readable immediately after creation. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The value in the Value column is the Client Secret Value that you must provide to Arctic Wolf later. You do not need to copy the Secret ID field.
    • You must provide updated client secret credentials to Arctic Wolf before the current credentials expire.

Configure API permissions

  1. Sign in to one of these Microsoft Entra admin center URLs. If you have:
  2. Click Entra ID > App registrations.
  3. Click the All applications tab.
  4. Click the name of the application that you registered in Register the application.
  5. In the navigation menu, click Manage > API permissions.
  6. Find the User.Read permission, and then click Menu > Remove permission.
  7. Click Yes, remove.
  8. Click + Add a permission.
  9. In the Request API permissions pane, make sure that you are on the Microsoft APIs tab.
  10. Click Microsoft Graph.
  11. Click Application permissions.
  12. In the Select permissions section, search for and select the checkboxes for these permissions:
    • SecurityAlert.Read.All
    • SecurityIncident.Read.All
    For more information, see Microsoft Graph permissions reference.
  13. Click Add permissions.
    You are redirected to the API permissions page, where the new permissions appear in a list.

  14. In the Configured permissions section, click Grant admin consent for <your_organization_name>, and then click Yes.
    The status for each permission updates to Granted for <your_organization_name>.
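As an added check before the credentials are handed to Arctic Wolf (example code written for this page, not Arctic Wolf's or Microsoft's own tooling): it requests an app-only token with the client ID, tenant ID and client secret from Register the application, reads the token's roles claim to confirm that admin consent actually granted SecurityAlert.Read.All and SecurityIncident.Read.All, and backs off on a 429 Retry-After response as the throttling note above requires. The cloud-to-endpoint mapping is an assumption about Microsoft's national cloud endpoints, and sample_token is a constructed, unsigned token used only for offline demonstration.

```python
import base64
import json
import time
from urllib import parse, request
# Endpoints per "Microsoft Cloud" selection. Assumption: GCC uses the commercial
# endpoints, while GCC High uses the .us national-cloud endpoints.
CLOUDS = {
    "global": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "gcc": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "gcc-high": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}
# Application permissions that the procedure above grants admin consent for.
REQUIRED_ROLES = {"SecurityAlert.Read.All", "SecurityIncident.Read.All"}

def fetch_token(cloud, tenant_id, client_id, client_secret):
    """Client-credentials grant against the selected cloud's token endpoint."""
    login, graph = CLOUDS[cloud]
    form = parse.urlencode({"grant_type": "client_credentials",
                            "client_id": client_id, "client_secret": client_secret,
                            "scope": graph + "/.default"}).encode()
    url = "%s/%s/oauth2/v2.0/token" % (login, tenant_id)
    with request.urlopen(request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """'roles' claim of an app-only token: the permissions consent granted.
    No signature check here; we only inspect a token the tenant just issued to us."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_roles(access_token):
    """Required permissions that admin consent has not (yet) granted."""
    return REQUIRED_ROLES - token_roles(access_token)

def get_with_backoff(http_get, url, headers, max_tries=5, sleep=time.sleep):
    """GET via http_get(url, headers) -> (status, resp_headers, body); honour 429
    Retry-After instead of re-requesting at once. Probe: <graph>/v1.0/security/alerts_v2?$top=1"""
    for attempt in range(max_tries):
        status, resp_headers, body = http_get(url, headers)
        if status != 429:
            return status, body
        sleep(int(resp_headers.get("Retry-After", 2 ** attempt)))
    raise RuntimeError("still throttled after %d attempts" % max_tries)

def sample_token(roles):
    """Constructed, unsigned demo token for offline checks (not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"roles": roles}) + ".sig"
```

If missing_roles returns a non-empty set, consent has not completed; if the probe stays throttled, another application in the tenant is consuming the Graph quota.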

Optional: Enable app governance

As part of ingesting Microsoft Defender XDR logs, Arctic Wolf can also ingest security-relevant logs from app governance, a policy system that manages permissions for OAuth-enabled applications registered in Microsoft Entra ID, Google, and Salesforce.

  • You must have Microsoft Defender for Cloud Apps as a standalone product or part of your licensing package.
  • You must have an appropriate administrator role.

For more information about eligibility requirements, troubleshooting, and the app governance feature, see Turn on app governance for Microsoft Defender for Cloud Apps.

  1. Sign in to one of these Microsoft Defender portal URLs. If you have:
  2. Navigate to Cloud apps > App governance.
  3. Click Turn on app governance.
    It can take up to 10 hours for app governance to be enabled. This waiting period does not affect the process of configuring Arctic Wolf monitoring, so you can continue with the next section.

Provide Microsoft Defender XDR credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour before the configuration succeeded. If the API credentials fail, for example because they have expired, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Microsoft Defender XDR.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Application (client) ID — Enter the application (client) ID from Register the application.
    • Directory (tenant) ID — Enter the directory (tenant) ID from Register the application.
    • Client Secret Value — Enter the client secret value from Register the application.
    • Microsoft Cloud — Select global, gcc, or gcc-high. The value you select must match your Microsoft Cloud or Microsoft Entra ID environment type.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
  6. Click Test and submit credentials.