
# Microsoft Defender

> Configure Microsoft Defender for Endpoint integration with RAD Security for comprehensive endpoint security.

# Microsoft Defender Integration Setup

This guide walks you through integrating Microsoft Defender for Endpoint with RAD Security for unified endpoint detection and response, enabling you to correlate endpoint security events with runtime container and cloud activity.

Microsoft Defender for Endpoint provides advanced threat protection, detection, investigation, and response capabilities across your endpoints.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to Azure Portal
  * An Azure Active Directory (Entra ID) application created
  * Microsoft Defender for Endpoint subscription
  * Access to RAD Security workspace with integration permissions
</Check>

<Info>
  **Azure AD Application Required:** You must have an Azure Active Directory application created before proceeding. Follow [Microsoft's guide to create an app for Defender API access](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp).
</Info>

***

## Step 1: Access App Registration

<Steps>
  <Step title="Log in to Azure Portal">
    Log in to the [Azure Portal](https://portal.azure.com) with administrative privileges
  </Step>

  <Step title="Navigate to App Registrations">
    1. Go to **Azure Active Directory**
    2. Select **App registrations**
    3. Find and select the application you created for Microsoft Defender API access
  </Step>

  <Step title="Note Application Details">
    From the application's **Overview** page, copy the following values:

    * **Application (client) ID**
    * **Directory (tenant) ID**

    Save these values securely for later configuration.
  </Step>
</Steps>

***

## Step 2: Create Client Secret

<Steps>
  <Step title="Navigate to Certificates & Secrets">
    In your application, click **Certificates & secrets** in the left navigation
  </Step>

  <Step title="Create New Secret">
    1. Click **New client secret**
    2. Add a description (e.g., "RAD Security Integration")
    3. Select an expiration period
    4. Click **Add**
  </Step>

  <Step title="Save Secret Value">
    **Immediately copy the Secret value** that appears

    <Warning>
      **Copy this value now!** You will not be able to see the secret value again. If you lose it, you'll need to create a new secret.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Configure API Permissions

Microsoft Defender for Endpoint requires specific API permissions to access security data.

<Steps>
  <Step title="Navigate to API Permissions">
    In your application, click **Manage > API permissions**
  </Step>

  <Step title="Add Required Permissions">
    Click **Add a permission** and add all the permissions listed below from each API
  </Step>
</Steps>

### Required Permissions

<AccordionGroup>
  <Accordion title="Microsoft Threat Protection" icon="shield">
    **API:** Microsoft Threat Protection

    **Permissions:**

    * `Incident.Read` - Read incident data
    * `Incident.Read.All` - Read all incident data

    <Info>
      These permissions allow reading incident and threat information across Microsoft 365 Defender.
    </Info>
  </Accordion>

  <Accordion title="WindowsDefenderATP" icon="windows">
    **API:** WindowsDefenderATP (Microsoft Defender for Endpoint)

    **Permissions:**

    * `AdvancedQuery.Read.All` - Run advanced queries
    * `Alert.Read.All` - Read all alerts
    * `Machine.Isolate` - Isolate machines from network
    * `Machine.Read.All` - Read all machine information
    * `Score.Read.All` - Read threat and vulnerability scores
    * `Software.Read.All` - Read software inventory

    <Note>
      These are the core permissions for accessing Defender for Endpoint data including alerts, machines, and threat intelligence.
    </Note>
  </Accordion>

  <Accordion title="Application Insights API" icon="chart-line">
    **API:** Application Insights API

    **Permissions:**

    * `Data.Read` - Read Application Insights data

    <Info>
      Allows reading telemetry and performance data from Application Insights.
    </Info>
  </Accordion>

  <Accordion title="Azure Service Management" icon="microsoft">
    **API:** Azure Service Management

    **Permissions:**

    * `user_impersonation` - Access Azure Service Management as organization users

    <Note>
      This permission is required for certain administrative operations.
    </Note>
  </Accordion>

  <Accordion title="Microsoft Graph" icon="diagram-project">
    **API:** Microsoft.Graph

    **Permissions:**

    * `Application.Read.All` - Read all applications
    * `Device.Read.All` - Read all devices

    <Info>
      These Graph API permissions provide access to device and application information across Azure AD.
    </Info>
  </Accordion>
</AccordionGroup>

### Grant Admin Consent

<Steps>
  <Step title="Review Permissions">
    After adding all permissions, review the list to ensure all required permissions are present
  </Step>

  <Step title="Grant Consent">
    Click **Grant admin consent for \[Your Organization]**

    <Warning>
      **Admin consent is required!** The permissions will not be active until an administrator grants consent.
    </Warning>
  </Step>

  <Step title="Verify Status">
    Verify all permissions show a green checkmark in the **Status** column
  </Step>
</Steps>
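Granting consent in the portal does not by itself prove that the service-to-service token will carry the permissions you added. The following is an added example, not part of the RAD Security documentation or product: it builds the client-credentials token request that Microsoft's app-creation guide describes (v2.0 token endpoint, scope `https://api.securitycenter.microsoft.com/.default`, which asks for every admin-consented Application permission) and then inspects the `roles` claim of the returned access token against the WindowsDefenderATP permissions listed above. The names `REQUIRED_MDE_ROLES`, `build_token_request`, `token_roles`, `missing_roles` and `_constructed_token` are the example's own; the sample token is constructed and unsigned so the script runs offline, and it assumes the resource identifier used for the token scope is the default API host rather than a regional one.

```python
"""Check which Defender for Endpoint Application permissions a token carries.

Added example (not RAD Security or Microsoft code). After granting admin
consent, request a token with the client-credentials grant and compare its
`roles` claim with the permissions the setup guide requires.
"""
import base64
import json
import urllib.parse

# Application permissions listed on this page for the WindowsDefenderATP API.
REQUIRED_MDE_ROLES = {
    "AdvancedQuery.Read.All",
    "Alert.Read.All",
    "Machine.Isolate",
    "Machine.Read.All",
    "Score.Read.All",
    "Software.Read.All",
}

# Resource identifier used in the token scope (assumption: the default host,
# as in Microsoft's app-creation guide; data calls go to the regional base URL).
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str = MDE_RESOURCE) -> tuple[str, str]:
    """Return (token endpoint URL, form body) for the client-credentials grant.

    '<resource>/.default' requests every Application permission that an admin
    has consented to for this app registration.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{resource.rstrip('/')}/.default",
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set[str]:
    """Extract the `roles` claim from a JWT access token WITHOUT validating it.

    Only for inspecting a token you just obtained yourself; never use an
    unverified decode to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    # A token with no `roles` claim at all usually means consent was never
    # granted, or the permissions were added as Delegated instead of Application.
    return set(claims.get("roles", []))


def missing_roles(access_token: str,
                  required: set[str] = REQUIRED_MDE_ROLES) -> set[str]:
    """Return the required permissions the token does NOT carry (empty = OK)."""
    return required - token_roles(access_token)


def _constructed_token(roles: list[str]) -> str:
    """Build an UNSIGNED sample JWT for offline demonstration (constructed data)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({
        "aud": MDE_RESOURCE,
        "appid": "11111111-1111-1111-1111-111111111111",  # placeholder client ID
        "roles": roles,
    })
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    url, body = build_token_request("00000000-0000-0000-0000-000000000000",
                                    "11111111-1111-1111-1111-111111111111",
                                    "your-secret-value-here")
    print("POST", url)
    print(body.replace("your-secret-value-here", "***"))
    # Constructed token from an app where Machine.Isolate was never added.
    sample = _constructed_token(sorted(REQUIRED_MDE_ROLES - {"Machine.Isolate"}))
    print("missing:", sorted(missing_roles(sample)))
```

With a real tenant, POST the form body to the printed URL and pass the `access_token` from the JSON response to `missing_roles`; a non-empty result names exactly the permissions to add or re-consent in Step 3. The request is built but not sent so that the example stays offline and never embeds a live secret.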

***

## Step 4: Determine API Endpoint URL

Microsoft Defender for Endpoint uses different API endpoints based on your data center location.

<AccordionGroup>
  <Accordion title="Finding Your API Endpoint" icon="globe">
    Refer to [Microsoft's API endpoint documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) to find the correct endpoint for your region.

    **Common Endpoints:**

    | Region          | API Endpoint                                   |
    | --------------- | ---------------------------------------------- |
    | United States   | `https://api.securitycenter.microsoft.com`     |
    | United States 2 | `https://api-us2.securitycenter.microsoft.com` |
    | United States 3 | `https://api-us3.securitycenter.microsoft.com` |
    | Europe          | `https://api-eu.securitycenter.microsoft.com`  |
    | United Kingdom  | `https://api-uk.securitycenter.microsoft.com`  |
    | Australia       | `https://api-au.securitycenter.microsoft.com`  |
    | US GCC          | `https://api-gcc.securitycenter.microsoft.us`  |
    | US GCC High     | `https://api-gov.securitycenter.microsoft.us`  |

    <Note>
      Use the base endpoint URL **without** the `/api/` path. For example: `https://api-us3.securitycenter.microsoft.com`
    </Note>
  </Accordion>
</AccordionGroup>

***

## Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Defender integration with the following parameters:

### Required Parameters

| Parameter         | Description                                         | Example                                        |
| ----------------- | --------------------------------------------------- | ---------------------------------------------- |
| **Base URL**      | Base endpoint URL for your region (without `/api/`) | `https://api-us3.securitycenter.microsoft.com` |
| **Client Id**     | Application (client) ID from Step 1                 | `11111111-1111-1111-1111-111111111111`         |
| **Client Secret** | Client secret value from Step 2                     | `your-secret-value-here`                       |
| **Tenant ID**     | Directory (tenant) ID from Step 1                   | `00000000-0000-0000-0000-000000000000`         |

<Warning>
  **Important:** The URL must be the base endpoint without the `/api/` path.

  * Incorrect: `https://api.securitycenter.microsoft.com/api/`
  * Correct: `https://api.securitycenter.microsoft.com`
</Warning>
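The two rules for the Base URL (a regional Defender API host from Step 4, with no `/api/` path) are easy to check before entering the value, and the same check covers the "Wrong API Endpoint" entry under Troubleshooting. The script below is an added example, not part of the RAD Security documentation or product: `normalize_base_url` strips the common `/api/` mistake and rejects typos by comparing the host against the endpoint table printed on this page, and `region_for` maps the result back to the region name. The function names and `KNOWN_ENDPOINTS` are the example's own, and the allow list is this page's table only; a region that Microsoft documents but that is absent from the table would have to be added from Microsoft's endpoint list.

```python
"""Normalize and sanity-check the RAD Security Base URL for Defender for Endpoint.

Added example (not RAD Security code). Encodes the rules from Step 4/5 and the
"Wrong API Endpoint" troubleshooting entry on this page.
"""
from urllib.parse import urlsplit

# Regional API endpoints exactly as listed in Step 4 (region -> base URL).
KNOWN_ENDPOINTS = {
    "United States": "https://api.securitycenter.microsoft.com",
    "United States 2": "https://api-us2.securitycenter.microsoft.com",
    "United States 3": "https://api-us3.securitycenter.microsoft.com",
    "Europe": "https://api-eu.securitycenter.microsoft.com",
    "United Kingdom": "https://api-uk.securitycenter.microsoft.com",
    "Australia": "https://api-au.securitycenter.microsoft.com",
    "US GCC": "https://api-gcc.securitycenter.microsoft.us",
    "US GCC High": "https://api-gov.securitycenter.microsoft.us",
}


def normalize_base_url(raw: str) -> str:
    """Return the bare base endpoint, tolerating a trailing '/api' or '/api/'.

    Raises ValueError for a non-https scheme, a query string or fragment, a host
    that is not one of the regional endpoints (typo or wrong region), or any
    path other than the '/api/' mistake the guide warns about.
    """
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query string or fragment")
    host = parts.netloc.lower()
    base = f"https://{host}"
    if base not in KNOWN_ENDPOINTS.values():
        raise ValueError(
            f"unknown Defender API host {host!r}; check the regional endpoint table")
    # Accept exactly the documented mistake (a trailing /api/) and nothing else.
    if parts.path.strip("/") not in ("", "api"):
        raise ValueError(f"unexpected path {parts.path!r}; use the bare host only")
    return base


def region_for(base_url: str) -> str:
    """Map a normalized base URL back to its region name from the table."""
    for region, url in KNOWN_ENDPOINTS.items():
        if url == base_url:
            return region
    raise ValueError(f"{base_url!r} is not a listed regional endpoint")


if __name__ == "__main__":
    # Constructed inputs: the documented mistake, a correct value, and a typo.
    for candidate in ("https://api.securitycenter.microsoft.com/api/",
                      "https://api-us3.securitycenter.microsoft.com",
                      "https://api-eu.securitycentre.microsoft.com"):
        try:
            base = normalize_base_url(candidate)
            print(f"{candidate} -> {base} ({region_for(base)})")
        except ValueError as err:
            print(f"{candidate} -> rejected: {err}")
```

Run it against the value you are about to paste into the **Base URL** field; a rejected host means the region or spelling is wrong, while a value that is accepted but differs from what you typed had the `/api/` suffix removed.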

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > EDR** in RAD Security
2. Locate your Microsoft Defender integration
3. Check the connection status shows as **Connected**
4. Verify security events are being synced

<Check>
  Your Microsoft Defender for Endpoint integration is now configured! RAD Security can now correlate endpoint security data with container and cloud runtime events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from Microsoft Defender:

<AccordionGroup>
  <Accordion title="Alerts & Incidents" icon="bell">
    * Security alerts and detections
    * Incident data and timeline
    * Alert severity and status
    * Investigation states
    * Automated investigation results
  </Accordion>

  <Accordion title="Endpoint Information" icon="computer">
    * Machine inventory
    * Device health status
    * Operating system details
    * Network information
    * Onboarding status
    * Risk scores
  </Accordion>

  <Accordion title="Threat Intelligence" icon="shield-virus">
    * Threat and vulnerability scores
    * Exposure scores
    * Software vulnerabilities
    * Security recommendations
    * Attack surface reduction data
  </Accordion>

  <Accordion title="Software Inventory" icon="boxes-stacked">
    * Installed software
    * Software versions
    * Vulnerability associations
    * End-of-life software detection
  </Accordion>

  <Accordion title="Advanced Hunting" icon="magnifying-glass-chart">
    * Custom query results
    * Historical security data
    * Behavioral analytics
    * Threat hunting insights
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Unified Threat Detection" icon="crosshairs">
    Correlate endpoint threats with container and cloud runtime activity for comprehensive threat detection.
  </Card>

  <Card title="Cross-Platform Response" icon="bolt">
    Trigger coordinated response actions across endpoints and cloud workloads when threats are detected.
  </Card>

  <Card title="Container Escape Detection" icon="server">
    Identify when compromised containers attempt to affect or escape to the host system.
  </Card>

  <Card title="Lateral Movement Tracking" icon="arrows-left-right">
    Track attacker movement across endpoints and containerized infrastructure.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID, Tenant ID, or Client Secret is incorrect
    * Client secret has expired
    * Application registration was deleted

    **Solution:**

    * Verify all credentials are copied correctly
    * Check client secret expiration date
    * Ensure the Azure AD application still exists
    * Verify Tenant ID matches your Azure directory
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * Required API permissions not granted
    * Admin consent not provided
    * Missing permissions from one or more APIs

    **Solution:**

    * Review all 5 API sections and verify all permissions are present
    * Ensure permissions are **Application** type, not Delegated
    * Click "Grant admin consent" if any permissions show "Not granted"
    * Wait a few minutes for permissions to propagate after granting consent
  </Accordion>

  <Accordion title="Wrong API Endpoint" icon="globe">
    **Possible causes:**

    * Using incorrect regional endpoint
    * Including `/api/` in the URL
    * Typo in the endpoint URL

    **Solution:**

    * Verify your Defender data center location
    * Check [Microsoft's endpoint documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)
    * Ensure URL does NOT end with `/api/`
    * Common mistake: `https://api.securitycenter.microsoft.com/api/` (wrong) vs `https://api.securitycenter.microsoft.com` (correct)
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * No devices onboarded to Defender
    * Defender subscription not active
    * Initial sync still in progress
    * Regional endpoint mismatch

    **Solution:**

    * Verify devices are onboarded to Microsoft Defender for Endpoint
    * Check Defender subscription status
    * Allow up to 15 minutes for initial data sync
    * Confirm you're using the correct regional API endpoint
    * Review integration logs in RAD Security for specific errors
  </Accordion>

  <Accordion title="Permission Scope Issues" icon="shield-question">
    **Possible causes:**

    * Permissions added with the wrong type (Delegated instead of Application, or vice versa)
    * Permissions granted but consent not admin-approved
    * Cached permission state

    **Solution:**

    * Verify permissions are **Application** type for service-to-service
    * Ensure admin consent is granted (not just added)
    * Try revoking and re-granting admin consent
    * Clear browser cache or try in incognito mode
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Rotate Secrets Regularly" icon="rotate">
    Set short expiration periods for client secrets and rotate before expiry to maintain security.
  </Card>

  <Card title="Least Privilege Access" icon="shield-halved">
    Only grant the minimum required permissions. Remove unused permissions to reduce attack surface.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Regularly review API calls and application sign-ins to detect anomalous activity.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store client secrets in a secure vault. Never commit credentials to version control.
  </Card>

  <Card title="Track Expiration Dates" icon="calendar">
    Set reminders for client secret expiration to prevent service disruptions.
  </Card>

  <Card title="Separate Applications" icon="split">
    Create dedicated applications for different integrations rather than reusing the same app.
  </Card>
</CardGroup>

## Additional Resources

<CardGroup cols={2}>
  <Card title="Create Defender API App" icon="book" href="https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp">
    Microsoft's guide to creating an app for Defender API access
  </Card>

  <Card title="Defender API Endpoints" icon="globe" href="https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list">
    Complete list of regional API endpoints
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="EDR Integrations Overview" icon="shield-check" href="/rad-security/integrations/edr/overview">
    Explore other EDR integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn about RAD's container runtime security
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure correlated alerts and incident management
  </Card>

  <Card title="Microsoft Entra ID" icon="microsoft" href="/rad-security/integrations/microsoft-entra-id-setup">
    Add Microsoft Entra ID for identity integration
  </Card>
</CardGroup>
