Skip to main content
Skip table of contents

Microsoft Defender EDR Integration

  1. Log in to the LogRhythm NDR UI.
  2. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint Integrations page appears and displays the endpoint table where previous endpoint integrations are listed
  3. At the top right, click Add Endpoint integration.
    The Add Endpoint integration page appears.
  4. Click Active to make the integration active.
  5. Click Endpoint Type, and then click Windows Defender in the Endpoint Type list.
  6. Using the following table, enter the integration credentials into the relevant fields.

    Integration NameA unique name for this integration configuration.
    Polling IntervalThe amount of time (in minutes) between each collection of new information from the integration.
    Auth URL
    Tenant ID
    Client ID
    App Secret
  7. To verify the credentials have been entered correctly, click Test.
    If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be re-entered and re-verified.
  8. Click Save.
    The Microsoft Defender EDR integration is now complete within LogRhythm NDR.

Verify a Microsoft Defender EDR Integration is Working

  1. Click the Hunt tab, and then click Activity.
    The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
  2. In the searchbar, enter entry_type:*ThirdPartyEvent*.
    All the ThirdpartyEvent entries appear.
  3. In the searchbar, enter entry_origin:*WindowsDefender*.
    Only the Windows Defender-based third party event entries appear.

  4. For more details on the entries, click the + button to the left of the entries.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.