Microsoft Defender EDR Integration

Log in to the LogRhythm NDR UI.
Click the Settings tab, and then click Endpoint Integrations.
The Endpoint Integrations page appears and displays the endpoint table where previous endpoint integrations are listed
At the top right, click Add Endpoint integration.
The Add Endpoint integration page appears.
Click Active to make the integration active.
Click Endpoint Type, and then click Windows Defender in the Endpoint Type list.

Using the following table, enter the integration credentials into the relevant fields.

Field	Description
Integration Name	A unique name for this integration configuration.
Polling Interval	The amount of time (in minutes) between each collection of new information from the integration.
Auth URL	To obtain the information needed for these fields, see the following Microsoft documentation: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp?view=o365-worldwide
API URL
Tenant ID
Client ID
App Secret

To verify the credentials have been entered correctly, click Test.
If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be re-entered and re-verified.
Click Save.
The Microsoft Defender EDR integration is now complete within LogRhythm NDR.

Verify a Microsoft Defender EDR Integration is Working

Click the Hunt tab, and then click Activity.
The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
In the searchbar, enter entry_type:*ThirdPartyEvent*.
All the ThirdpartyEvent entries appear.
In the searchbar, enter entry_origin:*WindowsDefender*.
Only the Windows Defender-based third party event entries appear.
For more details on the entries, click the + button to the left of the entries.