
Defender for Endpoint Alerts

Collects alert data from Microsoft Defender for Endpoint for threat detection and response.

Prerequisites

Before setting up this input, ensure the following:

  1. A Microsoft account with an active Azure subscription.
  2. A Microsoft Defender for Endpoint P2 license.
  3. A Microsoft Defender for Endpoint deployment.
  4. Reader permissions granted to the application for Alerts from WindowsDefenderATP (steps given below).
  5. Reader permissions granted to the application on the Log Analytics workspace (steps given below).

Note: On the first sync this input fetches alerts from 24 hours before the sync time (t-24h). Subsequent syncs are incremental and fetch data from the last successful sync time to the current time.

Setting up API Access

  1. Register a new application
    1. Open the App registrations page in the Azure portal.
    2. Select New registration.
    3. Add a name for the new registration.
    4. Click Register.
    5. Save the application's Application (client) ID and Directory (tenant) ID.
    6. Select Certificates & secrets.
    7. Click the link next to Client credentials.
    8. In "Client secrets" click "New client secret".
    9. Add a name and an expiration for the new secret.
    10. Save the client secret value (it is only displayed once, immediately after creation).
  2. Give the application access to read alerts from WindowsDefenderATP
    1. Click "API permissions" on the left sidebar.
    2. Click "Add a permission".
    3. Click "APIs my organization uses" and select WindowsDefenderATP.
    4. Select "Application permissions".
    5. Select "Alert.Read.All".
  3. Grant access to your Log Analytics workspace
    1. Navigate to Log Analytics workspaces.
    2. Select the workspace.
    3. Click "Access control (IAM)" on the left menu.
    4. Select "Add role assignment" from the "+ Add" menu.
    5. Select the Reader role and click Next.
    6. Click "Select members".
    7. Search for the new application's name and click Select.
    8. Click "Review + assign".
    9. Confirm by clicking "Review + assign" again.

Configuration

Settings

Setting   | Type   | Required | Description
Tenant ID | string | true     | The tenant ID of the Azure AD application
Category  | string | false    | Represents the type of threat or suspicious activity (e.g., malware, phishing) to filter alerts based on their nature.
Severity  | string | false    | Indicates the criticality level of an alert (e.g., low, high) to prioritize response actions.

Secrets

Setting       | Type   | Required | Description
Client ID     | string | true     | The client ID of the Azure AD application
Client Secret | string | true     | The client secret of the Azure AD application

To create this alerts connector, send a POST request such as:

curl -X 'POST' \
  '{base_url}/api/v2/{org_id}/inputs' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "config": {
      "secrets": {
        "client_id": "sample_client_id",
        "client_secret": "sample_client_secret"
      },
      "settings": {
        "tenant_id": "sample_tenant_id"
      }
    },
    "description": "input_description",
    "name": "input_name",
    "promise_id": "",
    "type": "endpoint-alerts"
  }'

Sample Record

{
  "@odata.type": "#microsoft.graph.security.alert",
  "id": "571b693f-12ed-8411-fd8c-12ddb1fb2e85",
  "providerAlertId": "fae63ef5-965f-5d15-109a-88788c03babc",
  "incidentId": "88646",
  "status": "new",
  "severity": "high",
  "classification": "unknown",
  "determination": "unknown",
  "serviceSource": "microsoftDefenderForEndpoint",
  "detectionSource": "antivirus",
  "detectorId": "7ff6bf84-e53c-a047-aa01-289eb2619d96",
  "tenantId": "54102d3f-d755-00f7-9836-81202364c5f3",
  "title": "Suspicious execution of hidden file",
  "description": "fugiat ea voluptate adipiscing tempor eu deserunt enim sit in quis dolor fugiat mollit elit in ex dolor pariatur ad est ex sit cillum in sint aliqua nostrud culpa adipiscing dolore dolore anim id in minim mollit proident commodo nisi amet enim ut labore occaecat nulla nostrud deserunt ex labore",
  "recommendedActions": "in in magna reprehenderit reprehenderit dolor fugiat commodo aliqua proident eiusmod adipiscing proident officia officia minim nulla fugiat laborum qui officia laborum aliquip velit minim excepteur nulla magna voluptate dolor in ut in commodo nisi sint exercitation aliquip eu minim occaecat commodo dolor duis aute voluptate nisi labore aute et nostrud aliquip et duis nisi nulla eu reprehenderit quis eiusmod lorem ut culpa et qui fugiat aliqua irure minim commodo aliquip incididunt aliqua eiusmod dolore incididunt adipiscing ea ad exercitation commodo proident voluptate ut mollit eu incididunt dolore cupidatat ipsum in ea anim ullamco deserunt veniam anim qui do minim",
  "category": "DefenseEvasion",
  "assignedTo": null,
  "alertWebUrl": "https://security.microsoft.com/alerts/da2e4416-b566-bd88-e94e-157a040acd8c?tid=ee88ecd4-ae20-5921-cbec-618d9d0a8a19",
  "incidentWebUrl": "https://security.microsoft.com/incidents/43113?tid=3e9efad0-f65f-0355-c0fc-47ded11437f2",
  "actorDisplayName": null,
  "threatDisplayName": null,
  "threatFamilyName": null,
  "mitreTechniques": [
    "T1564.001"
  ],
  "createdDateTime": "2025-08-11T23:46:42Z",
  "lastUpdateDateTime": "2025-08-11T23:46:42Z",
  "resolvedDateTime": null,
  "firstActivityDateTime": "2025-08-11T23:46:42Z",
  "lastActivityDateTime": "2025-08-11T23:46:42Z",
  "comments": [],
  "evidence": [
    {
      "@odata.type": "#microsoft.graph.security.deviceEvidence",
      "createdDateTime": "2025-08-11T23:46:42Z",
      "verdict": "unknown",
      "remediationStatus": "none",
      "remediationStatusDetails": null,
      "firstSeenDateTime": "2025-08-11T23:46:42Z",
      "mdeDeviceId": "ce90113e-ae47-6949-ad4c-35057f489f51",
      "deviceDnsName": "device2.example.com",
      "hostName": "host1",
      "osPlatform": "Windows 8.1",
      "version": "Other",
      "healthStatus": "active",
      "riskScore": "medium",
      "roles": [
        "compromised"
      ],
      "tags": [
        "Test Machine"
      ]
    }
  ],
  "systemTags": [
    "Defender Experts"
  ]
}
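The following is an added example, not part of this page's product or its connector code, showing how a consumer of these records would apply the sync window from the Note above (t-24h on the first sync, last sync to now afterwards), the optional Category and Severity settings, and a triage flattening of the sample record. The alert JSON is a constructed, trimmed copy of the sample record; the function names are the example's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input: a trimmed copy of the record shown on this page.
SAMPLE_ALERT = json.loads("""{
  "id": "571b693f-12ed-8411-fd8c-12ddb1fb2e85",
  "incidentId": "88646",
  "severity": "high",
  "category": "DefenseEvasion",
  "mitreTechniques": ["T1564.001"],
  "lastUpdateDateTime": "2025-08-11T23:46:42Z",
  "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                "deviceDnsName": "device2.example.com", "riskScore": "medium",
                "roles": ["compromised"]}]
}""")

def parse_ts(value):
    """Parse the UTC timestamp format used in the sample record."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sync_window(last_sync, now):
    """Range to fetch: now-24h on the first sync (last_sync is None),
    otherwise from the last successful sync time to now."""
    start = now - timedelta(hours=24) if last_sync is None else last_sync
    return start, now

def matches(alert, category=None, severity=None):
    """Apply the optional Category / Severity settings (case-insensitive)."""
    wanted = {"category": category, "severity": severity}
    return all(v is None or alert.get(k, "").lower() == v.lower()
               for k, v in wanted.items())

def select_alerts(alerts, start, end, category=None, severity=None):
    """Keep alerts updated inside [start, end] that pass the setting filters."""
    return [a for a in alerts
            if start <= parse_ts(a["lastUpdateDateTime"]) <= end
            and matches(a, category, severity)]

def triage_summary(alert):
    """Flatten the fields a responder needs: incident, techniques, hosts."""
    devices = [e for e in alert.get("evidence", [])
               if e.get("@odata.type") == "#microsoft.graph.security.deviceEvidence"]
    return {
        "alert_id": alert["id"],
        "incident": alert.get("incidentId"),
        "severity": alert.get("severity"),
        "techniques": list(alert.get("mitreTechniques", [])),
        "compromised_hosts": [d.get("deviceDnsName") for d in devices
                              if "compromised" in d.get("roles", [])],
    }
```

Real Graph responses may carry fractional seconds in timestamps, so a production parser should accept that variant as well.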