Microsoft Defender for Endpoint Alerts (Deprecated)
This Integration is part of the Microsoft Defender for Endpoint Pack.#
Deprecated
Use 'Office 365' in the XSIAM Data Sources instead.
Microsoft Defender for Endpoint Alerts integration for Cortex XSIAM (Deprecated).
Deprecation Announcement#
Following this announcement by Microsoft about migrating from the deprecated SIEM API to the Graph API, this Event Collector is now deprecated.
Replacement Option:#
In XSIAM Office 365 Data Source, select Microsoft Graph API -> Alerts, and select Use Microsoft Graph API V2.
This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.
Configure Microsoft Defender for Endpoint Alerts on Cortex XSIAM#
Navigate to Settings > Integrations > Servers & Services.
Search for Microsoft Defender for Endpoint Alerts.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Endpoint Type The endpoint for accessing Microsoft Defender for Endpoint. See table below. True Client (Application) ID The client (application) ID to use to connect. True Client Secret True Tenant ID True First fetch timestamp (<number> <time unit>, for example 12 hours, 7 days) False Fetch alerts timeout The time limit in seconds for fetch alerts to run. Leave this empty to cancel the timeout limit. False Number of alerts for each fetch. Due to API limitations, the maximum is 10,000. False Fetch events False Verify SSL Certificate False Use system proxy settings False Server URL The United States: api-us.security.microsoft.com
Europe: api-eu.security.microsoft.com
The United Kingdom: api-uk.security.microsoft.com
See table below.True Endpoint Type options
Endpoint Type Description Worldwide The publicly accessible Microsoft Defender for Endpoint EU Geo Proximity Microsoft Defender for Endpoint Geo proximity end point for the UK customers. UK Geo Proximity Microsoft Defender for Endpoint Geo proximity end point for the UK customers. US Geo Proximity Microsoft Defender for Endpoint Geo proximity end point for the US customers. US GCC Microsoft Defender for Endpoint for the USA Government Cloud Community (GCC) US GCC-High Microsoft Defender for Endpoint for the USA Government Cloud Community High (GCC-High) DoD Microsoft Defender for Endpoint for the USA Department of Defense (DoD) Custom Custom endpoint configuration to the Microsoft Defender for Endpoint. See note below. - Note: In most cases setting Endpoint type is preferred to setting Server URL. Only use it in cases where a custom URL is required for accessing a national cloud or for cases of self-deployment.
Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
microsoft-365-defender-get-events#
Returns a list of alerts
Base Command#
microsoft-365-defender-get-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of alerts per fetch. Default is 10000. | Optional |
| first_fetch | The first fetch time (<number> <time unit>, for example 12 hours, 1 day, 3 months). Default is 3 days. | Optional |
Context Output#
There is no context output for this command.
Context Example#
microsoft-365-defender-auth-reset#
Run this command if for some reason you need to rerun the authentication process.
Base Command#
microsoft-365-defender-auth-reset
Input#
There are no input arguments for this command.
Context Output#
There is no context output for this command.