Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is an enterprise-grade endpoint security platform designed to help you prevent, detect, investigate, and respond to advanced cyber threats on devices (endpoints) like laptops, desktops, mobile phones, and servers.
This document outlines the steps required to collect and analyse the Microsoft Defender for Endpoint alerts in the Sumo Logic platform.
Set up collection
Skip this step if you have already configured the Microsoft Graph Security API Source.
Use the Cloud-to-Cloud Integration for Microsoft Graph Security API to ingest security alerts data from the Microsoft Defender for Endpoint to the Sumo Logic platform.
Search alerts
Use the following query to retrieve alerts generated by the Microsoft Defender for Endpoint.
_sourcecategory=Labs/MicrosoftGraphSecurity
| json field=_raw "serviceSource" as service_source
| where service_source = "microsoftDefenderForEndpoint"
Analyse alerts
Use the following query to extract detailed insights from the alert data:
_sourceCategory=Labs/MicrosoftGraphSecurity
|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
| where service_source = "microsoftDefenderForEndpoint"
| where severity matches "*" and status matches "*" and classification matches "*"
| if(isNull(category),"-",category) as category
| if(isNull(classification),"-",classification) as classification
| if(isNull(determination),"-",determination) as determination
| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
| tourl (alert_url,alert_id) as alert_id
| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
| fields -_messageTime
| sort by time