- Log in to the LogRhythm NDR UI.
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint Integrations page appears and displays the endpoint table where previous endpoint integrations are listed
- At the top right, click Add Endpoint integration.
The Add Endpoint integration page appears.
- Click Active to make the integration active.
- Click Endpoint Type, and then click Windows Defender in the Endpoint Type list.
Using the following table, enter the integration credentials into the relevant fields.
Field Description Integration Name A unique name for this integration configuration. Polling Interval The amount of time (in minutes) between each collection of new information from the integration. Auth URL
To obtain the information needed for these fields, see the following Microsoft documentation:
API URL Tenant ID Client ID App Secret
- To verify the credentials have been entered correctly, click Test.
If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be re-entered and re-verified.
- Click Save.
The Microsoft Defender EDR integration is now complete within LogRhythm NDR.
Verify a Microsoft Defender EDR Integration is Working
- Click the Hunt tab, and then click Activity.
The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
- In the searchbar, enter entry_type:*ThirdPartyEvent*.
All the ThirdpartyEvent entries appear.
In the searchbar, enter entry_origin:*WindowsDefender*.
Only the Windows Defender-based third party event entries appear.
For more details on the entries, click the + button to the left of the entries.