How to Integrate Microsoft Defender for Endpoint


ismailctest C

Jun 7, 2023, 2:37:22 AM
to Wazuh mailing list
Hi Team,
Please let us know how to integrate Microsoft Defender for Endpoint. (365)

We are getting the below links to integrate with API when searching on google.
Kindly help us integrate with Wazuh: which option can we use? Please suggest. Is there any other option available?
If anybody could share step-by-step documents, that would be very helpful.




Miguel Casares

Jun 7, 2023, 6:02:29 AM
to Wazuh mailing list
Hello Ismail,

You can use the following integration to accomplish this: https://github.com/socfortress/Wazuh-Rules/tree/main/Office%20Defender

Navigate into the /var/ossec/integrations directory on your Wazuh Manager and place the defender_for_endpoint_alerts.py script there.

Then, add the integration block to Wazuh's ossec.conf:

<integration>
  <name>defender_for_endpoint_alerts.py</name>
  <alert_format>json</alert_format>
</integration>


More info: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html

Restart the Wazuh Manager.

Then, you need to add the custom rules into the custom rules folder: https://github.com/socfortress/Wazuh-Rules/blob/main/Office%20Defender/109000-office_defender.xml
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Restart the Wazuh manager and you should start to receive the alerts.

I hope this helps. Don't hesitate to contact us should you need further help!

Regards,

Miguel

ismailctest C

Jun 7, 2023, 11:26:33 AM
to Wazuh mailing list
Hi,
Is there any other option available with API or syslog?
Is the given script suitable for Microsoft 365 Defender for Endpoint (license: Defender for Endpoint P2)?

Miguel Casares

Jun 9, 2023, 5:30:07 AM
to Wazuh mailing list

Hello Ismail,

If you check the script (https://github.com/socfortress/Wazuh-Rules/blob/main/Office%20Defender/defender_for_endpoint_alerts.py), it connects to the Microsoft API to obtain the data. Regarding your last question, it should work with that license model.

Additionally, remember that you can modify the script to make it suitable for your needs.

I hope this helps. Let me know if you have further questions,
Miguel

ismailctest C

Jun 19, 2023, 12:46:36 PM
to Wazuh mailing list
Hi Miguel Casares,
Please let us know which configuration values need to be modified in the script.
Where will the logs be saved? Is there any directory name that needs to be mentioned in the script?

Could you please give an explanation of the below line?
# Wazuh manager analysisd socket address
socketAddr = '/var/ossec/queue/sockets/queue'

Giving the tenant ID, app id and appsecret.
tenantId = '' # Paste your own tenant ID here
appId = '' # Paste your own app ID here
appSecret = '' # Paste your own app secret here

Thanks in advance.

Miguel Casares

Jun 23, 2023, 8:13:24 AM
to Wazuh mailing list
Hello,

You need to modify the following variables according to your environment:
Giving the tenant ID, app id and appsecret.
tenantId = '' # Paste your own tenant ID here
appId = '' # Paste your own app ID here
appSecret = '' # Paste your own app secret here

Also, you need to locate the script in `/var/ossec/integrations`

Additionally, the following line connects to the analysisd daemon directly to connect the alerts with the Wazuh engine:
# Wazuh manager analysisd socket address
socketAddr = '/var/ossec/queue/sockets/queue'

I hope this helps. Let us know if you need anything else,

Miguel

ismailctest C

Jun 24, 2023, 1:49:50 PM
to Wazuh mailing list
Hi Miguel,
Thanks for your support.

I am getting the below error while running the Python script; kindly support. (I named it msdefender.py.)

Traceback (most recent call last):
  File "/var/ossec/integrations/msdefender.py", line 47, in <module>
    response = urllib.request.urlopen(req)
  File "/usr/lib/python3.10/urllib/request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.10/urllib/request.py", line 525, in open
    response = meth(req, response)
  File "/usr/lib/python3.10/urllib/request.py", line 634, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.10/urllib/request.py", line 563, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.10/urllib/request.py", line 496, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.10/urllib/request.py", line 643, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 401: Unauthorized

ismailctest C

Jun 27, 2023, 2:36:49 AM
to Wazuh mailing list
Hi,
Kindly look into this and support when you are free.

ismailctest C

Jun 28, 2023, 2:19:39 AM
to Wazuh mailing list
Hi Miguel,
Kindly support on this.

ismailctest C

Jul 7, 2023, 4:12:08 AM
to Wazuh mailing list
Hi,
Can anyone support on this?

Miguel Casares

Jul 21, 2023, 4:58:50 AM
to Wazuh mailing list
Hello,

The error states HTTP Error 401: Unauthorized; probably you are not using the correct credentials.

Please, refer to the Windows documentation and apply the correct credentials to the script.

Regards,

Miguel
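An added, stand-alone example (not the socfortress script and not from anyone in this thread) covering the two points Miguel's replies make: the tenantId/appId/appSecret variables feed a client-credentials token request, and leaving any of them at the '' placeholder is the usual reason the API answers 401 Unauthorized; and alerts reach Wazuh by being written to the analysisd socket at /var/ossec/queue/sockets/queue in the "1:<location>:<json>" framing the built-in integrations use. The Entra ID token endpoint, the API scope, the 'defender_for_endpoint' location label and the sample alert are my assumptions, not values taken from the script.

```python
import json
import os
import socket
import tempfile
import urllib.parse

# Assumed defaults: SOCKET_ADDR is the analysisd queue quoted in the thread; the token
# endpoint and scope are the Entra ID v2 values for the Defender for Endpoint API.
SOCKET_ADDR = '/var/ossec/queue/sockets/queue'
TOKEN_URL = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token'
SCOPE = 'https://api.securitycenter.microsoft.com/.default'

def token_request(tenant_id, app_id, app_secret):
    """Build (url, form_body) for the client-credentials grant. A variable left at the
    '' placeholder is the usual cause of the 401 Unauthorized seen in the thread, so
    refuse to build a request that cannot succeed."""
    missing = [name for name, value in (('tenantId', tenant_id), ('appId', app_id),
                                        ('appSecret', app_secret)) if not value]
    if missing:
        raise ValueError('unset credential variable(s): ' + ', '.join(missing))
    body = urllib.parse.urlencode({'grant_type': 'client_credentials', 'client_id': app_id,
                                   'client_secret': app_secret, 'scope': SCOPE})
    return TOKEN_URL.format(tenant=tenant_id), body.encode()

def build_event(alert, location='defender_for_endpoint'):
    """Frame one alert as "1:<location>:<json>", the message format analysisd reads from
    its queue (queue id 1, as the built-in integrations use), so the event is JSON-decoded
    and matched against the custom rules."""
    payload = json.dumps({'integration': location, 'defender': alert}, separators=(',', ':'))
    return f'1:{location}:{payload}'

def send_event(event, socket_addr=SOCKET_ADDR):
    """Deliver a framed event over the manager's Unix datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(socket_addr)
        sock.send(event.encode())

def local_roundtrip(alert):
    """Offline check: bind a throwaway datagram socket in place of analysisd, send the
    framed alert to it and return what the manager side would have received."""
    path = os.path.join(tempfile.mkdtemp(), 'queue')
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as server:
        server.bind(path)
        send_event(build_event(alert), path)
        return server.recv(65536).decode()

# Constructed sample alert shaped like a Defender for Endpoint alert, not real data.
SAMPLE_ALERT = {'id': 'constructed-001', 'title': 'Suspicious PowerShell', 'severity': 'High'}
```

On a real manager, call send_event(build_event(alert)) with the default socket path; the script must run as a user that can write to that socket (the wazuh user on a standard install), or the event is silently lost.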
