Microsoft Defender for Endpoint

Documentation Index

Fetch the complete documentation index at: https://docs.socfortress.co/llms.txt

Use this file to discover all available pages before exploring further.

​

What this integration is

• Get alerts API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts

​

Data path (how it flows)

1. Microsoft Defender for Endpoint → API polling (OAuth2)
2. Collector → syslog/ingest into Graylog (implementation-dependent)
3. Graylog → stream/index/dashboards

​

Prerequisites

• Azure app registration for API access
• API permissions granted:
  • Alert.Read.All
  • Alert.ReadWrite.All

​

Credentials & config you’ll need

• Tenant ID
• Client ID
• Client secret
• Token URL: https://login.microsoftonline.com/<TENANT_ID>/oauth2/token
• Syslog host/port (Graylog)

filebeat.modules:
- module: microsoft
  defender_atp:
    enabled: true
    var.oauth2.client.id: "CLIENT_ID"
    var.oauth2.client.secret: "CLIENT_SECRET"
    var.oauth2.token_url: "https://login.microsoftonline.com/TENANT_ID/oauth2/token"

output.logstash:
  hosts: ["REPLACE_SYSLOG_HOST:REPLACE_SYSLOG_PORT"]

​

CoPilot setup (recommended workflow)

1. Provision the customer.
2. Add Defender for Endpoint integration under the customer.
3. Provide tenant/client credentials.
4. Deploy/start the connector container generated during provisioning.

• Graylog input + stream + index
• Grafana datasource + dashboards
• A customer-specific docker compose + Filebeat config

​

Deployment notes (connector container)

docker compose -f /opt/CoPilot/data/data/<CUSTOMER_NAME>/<CUSTOMER_NAME>_docker-compose-defender-for-endpoint.yml up -d

​

Success criteria

• Defender alerts are arriving
• Events are routed to the correct customer index/stream

​

Troubleshooting

• Confirm the Azure app has the required permissions and admin consent.
• Confirm tenant ID/client ID/secret match.
• Check connector logs for OAuth failures.