Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (previously Microsoft Defender ATP) is a threat detection and response product that is available on a free trial or subscription basis. You can configure Microsoft Defender for Endpoint as a Third Party Alert event source in InsightIDR, which allows you to ingest onboarded system logs through an API.

What you should know about InsightIDR alerting for this event source:

  • InsightIDR generates alerts for all Microsoft Defender for Endpoint events with a severity of medium or higher.
    • Virus alerts are generated for events categorized as Malware, Ransomware, or Exploit with a severity of medium or higher.
    • Third Party alerts are generated for all other events with a severity of medium or higher.
  • All ATP events with a low severity are sent to Log Search. InsightIDR does not generate alerts for low severity events; however, you can access them in Log Search by selecting Unparsed Logs > [Event Source Name].
  • InsightIDR suppresses alerts related to remediated threats to reduce the amount of benign alerts that you receive.
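The routing rules above, applied to Defender alert records of the shape shown in the sample logs further down, as an added example that is not InsightIDR's own code. It assumes Defender's severity scale is Informational < Low < Medium < High and that a remediated threat is one whose RemediationIsSuccess is true; the sample alerts are constructed.

```python
"""Classify Defender for Endpoint alerts the way this page says InsightIDR
routes them. Added example, not Rapid7 or Microsoft code."""
import json

# Defender severity scale, lowest to highest. Assumption: "Informational"
# sits below "Low", so it never meets the medium-or-higher threshold.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
VIRUS_CATEGORIES = {"Malware", "Ransomware", "Exploit"}

def classify_alert(alert: dict) -> str:
    """Return the destination the page describes for one alert record.

    "suppressed"         remediated threat, alert suppressed
    "log_search"         below medium severity, Unparsed Logs only
    "virus_alert"        Malware/Ransomware/Exploit, medium or higher
    "third_party_alert"  any other category, medium or higher
    """
    # Assumption: RemediationIsSuccess == true is what "remediated" means.
    if alert.get("RemediationIsSuccess") is True:
        return "suppressed"
    if SEVERITY_RANK.get(alert.get("Severity"), 0) < SEVERITY_RANK["Medium"]:
        return "log_search"
    if alert.get("Category") in VIRUS_CATEGORIES:
        return "virus_alert"
    return "third_party_alert"

# Constructed samples, trimmed to the fields the rules actually use.
SAMPLES = [json.loads(s) for s in (
    '{"AlertId": "a1", "Category": "Malware", "Severity": "High", '
    '"RemediationIsSuccess": null, "ThreatName": "Trojan:Win32/Ludicrouz.Y"}',
    '{"AlertId": "a2", "Category": "Execution", "Severity": "Medium", '
    '"RemediationIsSuccess": null, "AlertTitle": "Suspicious URL clicked"}',
    '{"AlertId": "a3", "Category": "Malware", "Severity": "Informational", '
    '"RemediationIsSuccess": null}',
    '{"AlertId": "a4", "Category": "Ransomware", "Severity": "High", '
    '"RemediationIsSuccess": true}',
)]

def triage(alerts) -> dict:
    """Map each AlertId to its destination, so an analyst can see which
    records will raise an alert and which only land in Unparsed Logs."""
    return {a["AlertId"]: classify_alert(a) for a in alerts}

if __name__ == "__main__":
    for alert_id, dest in triage(SAMPLES).items():
        print(f"{alert_id}: {dest}")
```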

To set up this event source:

Before you begin

To complete the tasks outlined in this article, you’ll need the following:

Task 1: Create an Azure application to access the Microsoft Defender for Endpoint API

To configure this event source, you must create an application in Microsoft Azure. After creating the application, make note of the following details from the App Registration. You will need them to complete task 2.

  • Authorization Server URL: The OAuth 2.0 token endpoint (v1) found in Endpoints on the App Registration overview.
  • Client ID: The Application (client) ID found in the App Registration overview.
  • Client Secret: The secret created in the app registration.

To create an Azure application, follow the instructions in this Microsoft article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

Task 2: Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Defender ATP in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Microsoft Defender ATP event source tile.
  4. Select your collector from the dropdown list.
  5. Name this event source configuration.
  6. Expand the Credential dropdown, and select Create new.
  7. Name your credential. This credential is unique to this event source and cannot be reused in other event sources.
  8. Paste the Client ID, Client Secret, and Authorization Server URL into their respective fields.
  9. From the Data Region dropdown, select the region that is closest to the geographic location of the collector.
  10. Click Save.

The Microsoft Defender for Endpoint event source will immediately begin polling the API for log events generated from onboarded assets.

Verify the Configuration

After you’ve configured the event source, view your raw logs to confirm that events are reaching the Collector. As the three examples below show, where your log data appears depends on the data type.

To view your logs:

  1. From the left menu, click Log Search.
  2. Do one of the following:
    • To view anti-virus logs, click Virus Alert > [Event Source Name].
    • To view third-party logs, click Third Party Alert > [Event Source Name].
    • To view Unparsed logs, click Unparsed > [Event Source Name].

Sample Logs

Virus Alert

{
  "timestamp": "2020-06-11T00:40:27.940Z",
  "asset": "jdoedev042.acme.com",
  "user": "George Herman Ruth Jr.",
  "user_domain": "acme.com",
  "source_address": "jdoedev042.acme.com",
  "risk": "Trojan:Win32/Ludicrouz.Y",
  "action": "invalid_action",
  "source_json": {
    "AlertTime": "2020-06-11T00:40:27.9406632Z",
    "ComputerDnsName": "jdoedev042.acme.com",
    "AlertTitle": "'Ludicrouz' malware was detected",
    "Category": "Malware",
    "Severity": "Informational",
    "AlertId": "da637123456789123456_-1234123400",
    "Actor": "",
    "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-1234123400",
    "IocName": "",
    "IocValue": "",
    "CreatorIocName": "",
    "CreatorIocValue": "",
    "Sha1": "abcdef0123456789ffffffff0000000012345678",
    "FileName": "SoftonicDownloader_for_wholockme-explorer-extension.exe",
    "FilePath": "C:\\Program Files\\Legit Programs",
    "IpAddress": "",
    "Url": "",
    "IoaDefinitionId": "d60f5b90-ecd8-4d77-8186-a801597ec762",
    "UserName": "",
    "AlertPart": 0,
    "FullId": "da637123456789123456_-1234123400:ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8=",
    "LastProcessedTimeUtc": "2020-06-11T00:42:25.4301645Z",
    "ThreatCategory": "Trojan",
    "ThreatFamily": "Ludicrouz",
    "ThreatName": "Trojan:Win32/Ludicrouz.Y",
    "RemediationAction": "invalid_action",
    "RemediationIsSuccess": null,
    "Source": "Antivirus",
    "Md5": "",
    "Sha256": "489d53c2437a4badb8c9d183468987aad182b23d727bc41e5416ca05a643eb97",
    "WasExecutingWhileDetected": false,
    "UserDomain": "",
    "LogOnUsers": "",
    "MachineDomain": "acme.com",
    "MachineName": "jdoedev042",
    "InternalIPv4List": "10.1.100.25;127.0.0.1",
    "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
    "FileHash": "abcdef0123456789ffffffff0000000012345678",
    "DeviceID": "aaaaaacc0e50086f0e9a6fa002e6805250bbbbbb",
    "MachineGroup": "Windows 10 Machines",
    "Description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
    "DeviceCreatedMachineTags": "",
    "CloudCreatedMachineTags": "",
    "CommandLine": "",
    "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-1234123400&source=SIEM",
    "ReportID": 1234567890,
    "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
    "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8="
  }
}

Third Party Alert

{
  "timestamp": "2020-06-11T14:36:23.792Z",
  "product": "MICROSOFT_DEFENDER_ATP",
  "type": "Execution",
  "severity": "Medium",
  "title": "Suspicious URL clicked",
  "description": "A user opened a potentially malicious URL. This alert was triggered based on a Office 365 ATP alert.",
  "alert_id": "d60f5b90-ecd8-4d77-8186-a801597ec761",
  "user": "George Herman Ruth Jr.",
  "asset": "companyserver.acmecorp.com",
  "source_json": {
    "AlertTime": "2020-06-11T14:36:23.7921017Z",
    "ComputerDnsName": "companyserver.acmecorp.com",
    "AlertTitle": "Suspicious URL clicked",
    "Category": "Execution",
    "Severity": "Medium",
    "AlertId": "da637123456789123456_-123412340",
    "Actor": "",
    "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-123412340",
    "IocName": "",
    "IocValue": "",
    "CreatorIocName": "",
    "CreatorIocValue": "",
    "Sha1": "",
    "FileName": "",
    "FilePath": "",
    "IpAddress": "",
    "Url": "https://ms.outlook.com/?url=http%3A%2F%2F2google.com%2Freal%2furl&parameter=0",
    "IoaDefinitionId": "d60f5b90-ecd8-4d77-8186-a801597ec761",
    "UserName": "babe.ruth",
    "AlertPart": 0,
    "FullId": "da637123456789123456_-123412340:ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8=",
    "LastProcessedTimeUtc": "2020-06-11T15:07:20.475304Z",
    "ThreatCategory": "",
    "ThreatFamily": "",
    "ThreatName": "",
    "RemediationAction": "",
    "RemediationIsSuccess": null,
    "Source": "Microsoft Threat Protection",
    "Md5": "",
    "Sha256": "",
    "WasExecutingWhileDetected": null,
    "UserDomain": "acmecorp",
    "LogOnUsers": "acmecorp\\babe.ruth",
    "MachineDomain": "acmecorp.com",
    "MachineName": "companyserver",
    "InternalIPv4List": "10.1.100.25;127.0.0.1",
    "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
    "FileHash": "",
    "DeviceID": "4919a03922efd081394504f7ed15c05f5770c4e3",
    "MachineGroup": "Windows 10 Machines",
    "Description": "A user opened a potentially malicious URL. This alert was triggered based on a Office 365 ATP alert.",
    "DeviceCreatedMachineTags": "",
    "CloudCreatedMachineTags": "",
    "CommandLine": "\"OUTLOOK.EXE\" ",
    "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-123412340&source=SIEM",
    "ReportID": 1234567890,
    "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
    "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8="
  }
}

Unparsed

{
  "AlertTime": "2020-04-06T18:51:07.9071511Z",
  "ComputerDnsName": "dev-1543",
  "AlertTitle": "Microsoft Defender ATP detected 'Gen:Heur.Krypt.24' malware",
  "Category": "Malware",
  "Severity": "Informational",
  "AlertId": "da637123456789123456_-1234123400",
  "Actor": "",
  "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-1234123400",
  "IocName": "",
  "IocValue": "",
  "CreatorIocName": "",
  "CreatorIocValue": "",
  "Sha1": "abcdef0123456789ffffffff0000000012345678",
  "FileName": "zdravooo.exe",
  "FilePath": "/Volumes/DEFINITELY/LEGIT/zdravooo.exe/",
  "IpAddress": "",
  "Url": "",
  "IoaDefinitionId": "e9e7c54e-5067-4247-9dd0-ab939a550159",
  "UserName": "",
  "AlertPart": 0,
  "FullId": "da637123456789123456_-1234123400:ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8=",
  "LastProcessedTimeUtc": "2020-04-06T18:51:09.1541829Z",
  "ThreatCategory": "",
  "ThreatFamily": "",
  "ThreatName": "",
  "RemediationAction": "",
  "RemediationIsSuccess": null,
  "Source": "Antivirus",
  "Md5": "",
  "Sha256": "",
  "WasExecutingWhileDetected": null,
  "UserDomain": "",
  "LogOnUsers": "\\babe.ruth",
  "MachineDomain": "",
  "MachineName": "dev-1543",
  "InternalIPv4List": "10.1.100.25;127.0.0.1",
  "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
  "FileHash": "abcdef0123456789ffffffff0000000012345678",
  "DeviceID": "23c0b68a058ae0a00006b1b474208616565c749e",
  "MachineGroup": "Ungrouped machines",
  "Description": "",
  "DeviceCreatedMachineTags": "",
  "CloudCreatedMachineTags": "",
  "CommandLine": "",
  "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-1234123400&source=SIEM",
  "ReportID": 1234567890,
  "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
  "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs\+IOx0NjJjtD3M98h8="
}

Troubleshoot this event source

Issue: InsightIDR is no longer ingesting logs from Microsoft Defender for Endpoint.

On April 1, 2022, InsightIDR began using the new Microsoft Defender for Endpoint API in preparation for Microsoft’s plan to deprecate their SIEM API. If you notice InsightIDR is no longer ingesting logs from Microsoft Defender for Endpoint, ensure you have the correct permissions set, as outlined in this Microsoft article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-alerts?view=o365-worldwide#permissions
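A way to check the App Registration details from Task 1 before pasting them into InsightIDR, and to separate a bad credential from the missing-permission case this troubleshooting note describes. This is an added example, not Rapid7's or Microsoft's code; it assumes the v1 token endpoint (the Authorization Server URL), the client-credentials grant with the Defender for Endpoint API as the resource, the /api/alerts endpoint, and the Alert.Read.All application permission from the linked Microsoft article. The tenant, client ID and secret are placeholders.

```python
"""Verify a Defender for Endpoint app registration with the same OAuth 2.0
client-credentials flow InsightIDR uses. Added example, not Rapid7 code."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Resource identifier of the Defender for Endpoint API for v1 token requests.
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"
ALERTS_URL = MDE_RESOURCE + "/api/alerts?$top=1"  # one alert is enough to prove access

def build_token_request(auth_url: str, client_id: str, client_secret: str):
    """Return (url, url-encoded body) for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": MDE_RESOURCE,
    })
    return auth_url, body.encode()

def explain_http_status(code: int) -> str:
    """Translate the two failure modes worth distinguishing into a next step.
    Assumption: 401 means the token was refused, 403 means the token is fine
    but the app lacks the Alert.Read.All application permission (with admin consent)."""
    return {
        401: "token rejected: check Client ID, Client Secret and the v1 token URL",
        403: "token accepted but API permission missing: grant and admin-consent Alert.Read.All",
    }.get(code, f"unexpected HTTP {code}")

def check_api_access(auth_url: str, client_id: str, client_secret: str) -> str:
    """Fetch a token, then request one alert; return a human-readable verdict."""
    url, body = build_token_request(auth_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
            token = json.load(r)["access_token"]
        req = urllib.request.Request(ALERTS_URL, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as r:
            return f"ok: {len(json.load(r).get('value', []))} alert(s) readable"
    except urllib.error.HTTPError as e:
        return explain_http_status(e.code)

if __name__ == "__main__":
    # Placeholders: substitute the values from your App Registration overview.
    print(check_api_access(
        "https://login.microsoftonline.com/<TENANT_ID>/oauth2/token",
        "<CLIENT_ID>", "<CLIENT_SECRET>"))
```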