Microsoft Defender For Endpoint
  • 18 Mar 2025


Article summary

Microsoft Defender for Endpoint protects your Windows and Linux machines whether they are hosted in Azure, in hybrid (on-premises) environments, or across multiple clouds. This integration uses the Defender for Endpoint API to import device, alert, vulnerability and software inventory data into DataBee. For more information, refer to the official Microsoft Defender for Endpoint documentation.

Integration Method: API

Tables: Device Config State (5002), Device Inventory Info (5001), Scan Activity (6007), Detection Finding (2004), Incident Finding (2005), Vulnerabilities Finding (2002), Software Inventory Info (5020)

This integration supports the following events.

  • Machines: Retrieves the collection of machines that have communicated with the Microsoft Defender for Endpoint cloud.

  • Alerts: Retrieves the collection of alerts.

  • Device Antivirus Info: Retrieves Microsoft Defender Antivirus health details per device.

  • Vulnerabilities: Retrieves the list of all vulnerabilities.

  • Machine Software: Retrieves installed software that has a Common Platform Enumeration (CPE), on a per-device basis.

  • Browser Extensions: Retrieves installed browser extensions, on a per-device basis.

  • Machine Vulnerabilities: Retrieves all known software vulnerabilities and their details, on a per-device basis.

  • Investigations: Retrieves the collection of automated investigations.

  • Machine Actions: Retrieves the collection of machine actions.

  • Software: Retrieves the organization-wide software inventory.

This integration supports the following versions.

Microsoft Defender For Endpoint API Version

v1.0

Note:

Microsoft Defender for Endpoint is a continuously updated cloud service. At the time this document was prepared, the latest release was from February 2025.

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator privilege (the account must be able to register an application and grant tenant-wide admin consent for API permissions).

  • The user should have access to the DataBee console.

Configuration Overview

  1. Generate client credentials (an app registration with a client secret) with the required API permissions.

  2. Add the Microsoft Defender For Endpoint data feed in the DataBee console with the parameters below.

    DataBee Parameter -> Microsoft Defender For Endpoint Parameter

    Client Key -> Application (client) ID

    Client Secret -> Client Secret Value

    Token URL (replace the <tenant_id> placeholder) -> Directory (tenant) ID

Defender for Endpoint Configuration

Create an application

  1. Log on to Azure with a user account that has the Global Administrator privilege.

  2. In the search bar, search for App Registrations and select it.
     

  3. On the “App registrations” page click on New registration, the “Register an application” window will appear.
     

  4. On the “Register an application” window:

    1. Under ‘Name’ enter your Application Name then click on Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access

Once the application is created, it must be granted the API permissions needed to fetch data for each endpoint. The following section details how to add and consent to the required permissions.

Add Permissions

From the Microsoft Entra ID (formerly Azure Active Directory) portal:

  1. Select the Application registered in the previous step.

  2. Under Manage, click API permissions and then click Add a permission. The Request API permissions window will appear
     

  3. Click on APIs my organization uses and search for WindowsDefenderATP.
     

  4. Select WindowsDefenderATP and then click on Application permissions.
     

  5. The following application permissions need to be granted (Event -> Type -> Permission):

    Machines -> Application -> Machine.Read.All

    Alerts -> Application -> Alert.Read.All

    Device Antivirus Info -> Application -> Machine.Read.All

    Vulnerabilities -> Application -> Vulnerability.Read.All

    Machine Software -> Application -> Software.Read.All

    Browser Extensions -> Application -> Software.Read.All

    Machine Vulnerabilities -> Application -> Vulnerability.Read.All

    Investigations -> Application -> Alert.Read.All

    Machine Actions -> Application -> Machine.Read.All

    Software -> Application -> Software.Read.All

    In practice this is four distinct permissions: Machine.Read.All, Alert.Read.All, Vulnerability.Read.All and Software.Read.All. In the Select permissions search bar, enter each permission shown above and check its box to include it.

  6. Click the Add permissions button after selecting all required permissions.

  7. On the “API permissions” page, click Grant admin consent for <tenant>, and then click Yes on the consent confirmation. Until consent is granted, tokens issued to the application carry none of these permissions and API calls fail with HTTP 403.

  8. The required permissions are now added for the endpoints.

Create client secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:

  1. Select the application created above.

  2. Under Manage, click Certificates and secrets, and then click on Client secrets.
     

  3. Click New client secret. “Add a client secret” window appears.
     

  4. In the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

    2. Click Add to create the client secret.

      Note:

      The client secret must be re-created when it expires, and the DataBee feed reconfigured with the new value.

  5. Copy the Value field for later use. The secret value is shown only once, immediately after creation; if you navigate away without copying it, create a new secret. Do not confuse the Secret ID column with the Value column.

DataBee Configuration

  1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for the Microsoft Defender for Endpoint and click it as shown below.


  3. Click on the API Ingest option for the collection method.
     

  4. Enter feed contact information and click Next.
     

  5. On the configuration page, confirm the following:

  • Authorization Method: OAuth2

  • Client Key: paste the Application (client) ID.

  • Client Secret: paste the client secret Value.

  • Token URL: replace the <tenant_id> placeholder with the Directory (tenant) ID copied earlier.

  • Event Types: preselected for all the event types that the integration pulls.

  6. Click Submit.

Troubleshooting Tips

  • If you see invalid_client or unauthorized_client errors, the credentials are most likely incorrect: a mistyped secret, the Secret ID pasted instead of the secret Value, or the wrong Directory (tenant) ID in the Token URL. Because the secret value cannot be viewed after it is first shown, create a new client secret, paste it into a text editor to confirm there are no leading or trailing spaces or unexpected characters, and reconfigure the DataBee feed.

  • If you see response code 403, the application is missing permissions. Ensure that all the required permissions listed above are added and that admin consent has been granted for them; a permission that is added but not consented to is not present in the issued token.
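The following is an added example, not DataBee's or Microsoft's own code. It shows what the DataBee "OAuth2" feed settings do under the hood: the client-credentials exchange against the tenant's token endpoint, and a check that the access token actually carries the WindowsDefenderATP application permissions from the table above, which is the fastest way to tell a missing-consent 403 from a bad-credential error. The token endpoint and resource value are those Microsoft documents for app-context access to the Defender for Endpoint API; whether DataBee uses exactly that URL is an assumption. The tenant ID, client ID, secret and the unsigned sample token are constructed placeholders.

```python
"""Client-credentials exchange and token permission check for Defender for Endpoint.

Added example for this article; not DataBee or Microsoft code. All IDs,
secrets and the sample token are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

# Microsoft's documented app-context token endpoint for the Defender for
# Endpoint API (v1 endpoint, which takes "resource" rather than "scope").
# Assumption: DataBee's prefilled Token URL uses this same endpoint.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"

# Event type -> required application permission, as in the permissions table.
REQUIRED_ROLES = {
    "Machines": "Machine.Read.All",
    "Alerts": "Alert.Read.All",
    "Device Antivirus Info": "Machine.Read.All",
    "Vulnerabilities": "Vulnerability.Read.All",
    "Machine Software": "Software.Read.All",
    "Browser Extensions": "Software.Read.All",
    "Machine Vulnerabilities": "Vulnerability.Read.All",
    "Investigations": "Alert.Read.All",
    "Machine Actions": "Machine.Read.All",
    "Software": "Software.Read.All",
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant."""
    url = TOKEN_URL.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": MDE_RESOURCE,
    })
    return url, body


def request_token(tenant_id, client_id, client_secret):
    """Perform the exchange over the network (not used by the offline check).

    The token endpoint answers invalid_client / unauthorized_client here as an
    HTTP 400/401 with a JSON error body; urllib raises HTTPError for those.
    """
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token):
    """Base64url-decode the JWT payload WITHOUT verifying the signature.

    Acceptable for inspecting a token you just received from the issuer;
    never use an unverified decode to trust a token presented by a caller.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_roles(token, events=REQUIRED_ROLES):
    """Return the event types whose permission is absent from the token's
    'roles' claim. Those are the feeds Defender will reject with HTTP 403,
    typically because the permission was added but admin consent not granted.
    """
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(ev for ev, role in events.items() if role not in granted)


def make_unsigned_token(claims):
    """Build an unsigned JWT for the offline demo (constructed sample only)."""
    def enc(d):
        raw = json.dumps(d).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: consent was granted for three of the four permissions,
# so every Software.Read.All-backed event type would return 403.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": MDE_RESOURCE,
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Machine.Read.All", "Alert.Read.All", "Vulnerability.Read.All"],
})

if __name__ == "__main__":
    url, body = build_token_request("<tenant_id>", "<client_id>", "<secret>")
    print("POST", url)
    print("event types that would get 403:", check_token_roles(SAMPLE_TOKEN))
```

To check a real deployment, call request_token with the three values you pasted into DataBee and pass the result to check_token_roles; an empty list means every event type is covered. If the exchange itself fails, the error body's "error" field tells you which troubleshooting item above applies: invalid_client for a wrong secret, unauthorized_client for a client ID or tenant mismatch.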

