Microsoft Defender for Endpoint Integration
Overview
Microsoft Defender for Endpoint provides EDR capabilities with behavioral sensors, cloud analytics, and threat intelligence. KYRA MDR ingests Defender alerts and advanced hunting data via the Microsoft 365 Defender API. The integration supports both Defender for Endpoint P1 and P2 licenses.
Prerequisites
- A KYRA MDR Collector installed and running
- Microsoft 365 Defender portal access
- Azure AD application registration with API permissions
- Microsoft Defender for Endpoint P1 or P2 license
Configuration
Configure API access for KYRA MDR:
- Register an application in Azure AD > App Registrations
- Grant the following API permissions:
  - WindowsDefenderATP > Alert.Read.All
  - WindowsDefenderATP > AdvancedQuery.Read.All
  - WindowsDefenderATP > Machine.Read.All
- Create a client secret and note the credentials
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: defender-endpoint
    tenant_id: <azure-tenant-id>
    client_id: <app-client-id>
    client_secret: <app-client-secret>
    poll_interval: 60s
```

- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Alerts | Threat detections and alerts | Endpoint threat response |
| Incidents | Correlated alert groups | Investigation and triage |
| Advanced Hunting | Raw endpoint telemetry | Threat hunting queries |
| Device Health | Agent and OS health status | Endpoint coverage monitoring |
| Vulnerabilities | Software vulnerability data | Risk prioritization |
| Indicators | Custom IOC matches | Threat intelligence matching |
Troubleshooting
API authentication failed: Verify the Azure AD app registration has admin-consented API permissions. Check that the client secret has not expired.
No alerts returned: Confirm the Defender for Endpoint license is active and devices are onboarded.
Rate limiting (429 errors): The Defender API enforces rate limits. Increase the poll interval to 120s or more if you see throttling errors.
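The following is an added example, not KYRA MDR or Microsoft code, showing what the collector configuration above and the rate-limiting guidance in this section look like in practice: a minimal poller that takes the same tenant_id / client_id / client_secret / poll_interval settings, obtains a client-credentials token, fetches new alerts, and backs off its poll interval when the API answers 429. The Azure AD token endpoint, the `/api/alerts` endpoint, the `alertCreationTime` filter field and the alert field names are assumptions about the Defender for Endpoint API; the HTTP transport is injectable so the demo at the bottom runs offline against constructed responses, including one throttled call.

```python
"""Added example (not KYRA MDR or Microsoft code): a minimal Defender for
Endpoint alert poller. Assumptions: Azure AD client-credentials token
endpoint and the /api/alerts endpoint; transport is injectable so the demo
runs offline against constructed responses."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def urllib_transport(method, url, headers, data=None):
    """Real transport: returns a Response for success and HTTP errors alike."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return Response(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read())


class DefenderPoller:
    """Polls new alerts; doubles poll_interval (capped) on 429, as the
    troubleshooting guidance recommends."""

    def __init__(self, tenant_id, client_id, client_secret,
                 poll_interval=60, max_interval=600, transport=urllib_transport):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.poll_interval, self.max_interval = poll_interval, max_interval
        self.transport = transport

    def get_token(self):
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "scope": SCOPE}).encode()
        resp = self.transport("POST", TOKEN_URL.format(tenant=self.tenant_id),
                              {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if resp.status != 200:  # typical causes: expired secret, missing admin consent
            raise PermissionError(f"token request failed: HTTP {resp.status}")
        return json.loads(resp.body)["access_token"]

    def poll(self, since_iso):
        """One poll. Returns (alerts, throttled); alerts are reduced to the
        fields a triage queue needs. On 429 the interval is backed off."""
        token = self.get_token()
        query = urllib.parse.urlencode(
            {"$filter": f"alertCreationTime gt {since_iso}", "$top": "100"})
        resp = self.transport("GET", f"{ALERTS_URL}?{query}",
                              {"Authorization": f"Bearer {token}"})
        if resp.status == 429:
            retry_after = int(resp.headers.get("Retry-After", "0"))
            self.poll_interval = min(max(self.poll_interval * 2, retry_after), self.max_interval)
            return [], True
        if resp.status in (401, 403):
            raise PermissionError("check Alert.Read.All admin consent and secret expiry")
        if resp.status != 200:
            raise RuntimeError(f"alerts request failed: HTTP {resp.status}")
        alerts = json.loads(resp.body).get("value", [])
        return [{"id": a["id"], "severity": a.get("severity"), "title": a.get("title"),
                 "device": a.get("computerDnsName")} for a in alerts], False


# Constructed offline demo: a fake transport that throttles the first alert call.
_CONSTRUCTED_ALERTS = {"value": [
    {"id": "da1", "severity": "High", "title": "Suspicious PowerShell",
     "computerDnsName": "ws01.example.local"},
    {"id": "da2", "severity": "Medium", "title": "Unusual process tree",
     "computerDnsName": "srv02.example.local"}]}


def make_fake_transport():
    state = {"alert_calls": 0}

    def transport(method, url, headers, data=None):
        if url.startswith("https://login.microsoftonline.com/"):
            return Response(200, {}, json.dumps({"access_token": "fake-token"}).encode())
        assert headers.get("Authorization") == "Bearer fake-token"
        state["alert_calls"] += 1
        if state["alert_calls"] == 1:
            return Response(429, {"Retry-After": "30"}, b"")  # throttled once
        return Response(200, {}, json.dumps(_CONSTRUCTED_ALERTS).encode())
    return transport


def demo():
    p = DefenderPoller("tenant-placeholder", "client-placeholder", "secret-placeholder",
                       poll_interval=60, transport=make_fake_transport())
    first, throttled = p.poll("2024-01-01T00:00:00Z")
    second, _ = p.poll("2024-01-01T00:00:00Z")
    return {"first": first, "throttled": throttled,
            "interval_after_429": p.poll_interval, "second_ids": [a["id"] for a in second]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo, the first poll is throttled and the interval grows from 60s to 120s (the larger of double the interval and the server's Retry-After, capped at max_interval); the second poll returns the two constructed alerts. The 401/403 branch mirrors the "API authentication failed" item above: both a missing admin consent and an expired client secret surface there.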
Contact kyra@seekerslab.com for support.