Microsoft XDR
- Updated on 17 Mar 2025
Microsoft Defender XDR natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. For detailed information, refer to Microsoft’s official documentation.
Integration Method: API
Tables: Detection Finding (2004), File System Activity (1001), Memory Activity (1004), Module Activity (1005), Scheduled Job Activity (1006), Process Activity (1007), Network Activity (4001), DNS Activity (4003), Device Config State (5002), Peripheral Device Query (5014), Application Lifecycle (6002), Scan Activity (6007), Device Inventory Info (5001), Authentication (3002), Device Config State Change (5019), Email Activity (4009), Incident Finding (2005), Email URL Activity (4012), Group Management (3006), Account Change (3001), Email File Activity (4011).
The integration supports the following events.
Event | Description |
---|---|
Alert Info | Contains information about security alerts generated by Microsoft Defender, including details like alert ID, severity, category, and detection source. |
Alert Evidence | Provides evidence associated with security alerts, such as file names, URLs, IP addresses, and other entities related to the alert. |
Device File | Logs file system activities on devices, including creation, modification, and deletion of files. |
Identity Directory | Captures events related to directory services, such as changes to user accounts, groups, and directory configurations. |
Identity Logon | Records user logon activities, including successful and failed authentication attempts across devices and applications. |
Identity Query | Tracks queries made to identity systems, like directory lookups and authentication requests. |
Device Info | Provides detailed information about devices, including operating system, hardware specifications, and security posture. |
Device Network | Logs network activities on devices, such as inbound and outbound connections, including details like IP addresses and ports. |
Device Image Load | Records events when executable images (like DLLs) are loaded into a process on a device. |
Device Process | Captures information about processes that are started or terminated on devices, including command-line details. |
Device Network Info | Provides information about network configurations on devices, such as IP addresses, MAC addresses, and DNS settings. |
Device Logon | Records logon and logoff activities on devices, including user accounts and session durations. |
Device File Certificate Info | Contains details about digital certificates associated with files on devices, aiding in assessing file authenticity. |
Email Attachment Info | Provides information about email attachments, including file names, types, and hashes. |
URL Click | Logs events when users click on URLs, capturing details like the clicked URL, user, and device information. |
Email Post Delivery | Contains information about actions taken on email messages after they have been delivered, such as moves to junk or deletion. |
 | Provides details about email messages processed by the system, including sender, recipient, subject, and filtering actions taken. |
Email URL Info | Contains information about URLs found in emails and attachments, including the full URL and its domain. |
Device Registry | Logs creation and modification of registry entries on devices, providing insights into changes in system configurations. |
This integration supports the following versions.
Component | Version |
---|---|
Microsoft Graph API | beta |
Note:
Microsoft XDR is a continuously updated cloud service. As of this document's preparation, the latest release was in January 2025.
Prerequisites
The user should have access to the Azure portal with an account that has Global Administrator privileges.
The user should have access to the DataBee console.
Configuration Overview
Create an application with required permissions to fetch the data.
Create Microsoft XDR data feed in the DataBee console with the required Client credentials.
DataBee Feed Parameter | Azure Parameter |
---|---|
Client Key | Application (client) ID |
Client Secret | Client Secret Value |
Token URL(<application_id>) | Directory (Tenant) ID |
Azure Configuration
Create an application
Log on to the Azure portal with an account that has Global Administrator privileges.
In the search bar, search for App registrations and select it.
On the “App registrations” page, select New registration; the “Register an application” window will appear.
On the “Register an application” window:
Under ‘Name’, enter your application name, then click Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Add Endpoint Access
Once the application is created, one permission on the Microsoft Graph API is needed. This section details how to configure and add that permission for the required endpoints.
Add Permissions
From the Azure Active Directory portal:
Select the application registered in the previous step.
Under Manage, click API permissions, then click Add a permission; the “Request API permissions” window will appear.
On the “Request API permissions” window, click Microsoft APIs, then Microsoft Graph.
The following permissions need to be granted for the endpoint to function properly:
Event | Type | Permission |
---|---|---|
All Events | Application | ThreatHunting.Read.All |
From the ‘ThreatHunting’ dropdown, select ThreatHunting.Read.All.
Click the Add permissions button after selecting all required permissions.
On the “API permissions” page, click Grant Admin Consent for <tenant>.
Click the Yes button on the consent confirmation.
The necessary permissions have now been added for the endpoints. After this step, the application's permissions should include at least the permission listed above.
Creating the Client Secret
The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:
Select the application created above.
Under Manage, click Certificates & secrets, then Client secrets.
Click New client secret; the “Add a client secret” window appears.
On the “Add a client secret” window:
Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.
Then click Add to create the client secret.
Note:
The user needs to re-create the client secret when it expires.
Copy the client secret's Value field for later use.
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.
Search for Microsoft XDR and click it.
Click the API Ingest option for the collection method.
Enter feed contact information and click Next.
In the configuration page, enter the following:
Authorization Method: OAuth2
Client Key: paste the Application (Client) ID generated earlier in the Azure portal.
Client Secret: paste the Client Secret value generated earlier in the Azure portal.
Token URL: replace <application_id> with your Directory (Tenant) ID.
Click Submit.
Troubleshooting Tips
If you encounter an Invalid client or Unauthorized client error, it may be due to incorrect credentials. Please double-check that the client key, client secret, and Tenant ID are entered correctly. Since the client secret is only visible upon creation, you may need to regenerate it. To avoid any issues, consider pasting it into a text editor to ensure there are no extra spaces or unexpected characters before reconfiguring the DataBee feed.
If you receive an Unauthorized error, it may be because the client ID and client secret belong to different applications. Kindly verify that you are using credentials from the same application to resolve the issue.
If you encounter response code 401, it is likely due to missing permissions. Ensure that all required permissions are correctly granted as per the steps outlined above.
For example:
{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
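The client-credentials exchange that the feed configuration above performs, plus a pre-flight check for the ThreatHunting.Read.All role that the 401/AF10001 troubleshooting case implies, as an added Python example that is not part of this document or of DataBee's own code. It assumes the feed's Token URL resolves to the standard Entra ID v2.0 token endpoint once the tenant ID is substituted, calls the Microsoft Graph beta runHuntingQuery endpoint, and the sample tokens and error bodies are constructed for offline use.

```python
import base64, json, urllib.parse, urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"ThreatHunting.Read.All"}  # application permission from the table above

def token_url(tenant_id):
    # Entra ID v2.0 client-credentials endpoint; the feed's Token URL template is assumed
    # to resolve to this once <application_id> is replaced with the Directory (tenant) ID.
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def decode_jwt_claims(token):
    # Reads the payload only. Graph validates the signature; here we just inspect which
    # app roles were actually granted, so a missing permission is caught before a 401.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def missing_roles(token):
    return sorted(REQUIRED_ROLES - set(decode_jwt_claims(token).get("roles", [])))

def classify_error(body):
    # Token endpoint errors use {"error": "<code>"}; Graph errors use {"error": {"code": ...}}.
    err = body.get("error", "")
    code = err if isinstance(err, str) else err.get("code", "")
    if code == "AF10001":
        return "permission missing: grant ThreatHunting.Read.All and admin consent"
    if code in ("invalid_client", "unauthorized_client"):
        return "credential mismatch: check client ID, client secret and tenant ID"
    return "unclassified"

def fetch_token(tenant_id, client_id, client_secret):
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": GRAPH_SCOPE})
    with urllib.request.urlopen(token_url(tenant_id), data=form.encode()) as resp:
        return json.load(resp)["access_token"]

def run_hunting_query(token, kql):
    req = urllib.request.Request("https://graph.microsoft.com/beta/security/runHuntingQuery",
                                 data=json.dumps({"Query": kql}).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["results"]

def _unsigned_token(claims):
    # Constructed sample tokens for offline checks of the helpers above; alg "none" is never valid for Graph.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

SAMPLE_TOKEN_OK = _unsigned_token({"roles": ["ThreatHunting.Read.All"]})
SAMPLE_TOKEN_NO_ROLES = _unsigned_token({"roles": []})
```

Against a live tenant, call fetch_token with the tenant ID, client ID and client secret from the steps above, stop if missing_roles returns anything, and only then call run_hunting_query with a KQL query such as one over DeviceProcessEvents.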