Microsoft Defender
Synopsis
Creates custom alerts in Microsoft Defender using the CreateAlert API, enabling external threat detection systems to integrate with Microsoft's endpoint security platform for centralized incident management and automated response capabilities.
Schema
- defender:
tenant_id: <string>
client_id: <string>
client_secret: <string>
machine_id: <string>
severity: <string>
title: <string>
alert_description: <string>
recommended_action: <string>
category: <string>
event_time: <string>
report_id: <string>
description: <text>
if: <script>
disabled: <boolean>
ignore_failure: <boolean>
on_failure: <processor[]>
on_success: <processor[]>
tag: <string>
Configuration
| Field | Required | Default | Description |
|---|---|---|---|
tenant_id | N | ${DEFENDER_TENANT_ID} | Azure AD tenant ID |
client_id | N | ${DEFENDER_CLIENT_ID} | Application (client) ID from Azure AD app registration |
client_secret | N | ${DEFENDER_CLIENT_SECRET} | Client secret for authentication |
machine_id | Y | - | Target device/machine identifier in Defender for Endpoint |
severity | Y | - | Alert severity: Informational, Low, Medium, or High |
title | Y | - | Brief alert title describing the security event |
alert_description | Y | - | Detailed alert description with context and findings |
recommended_action | N | - | Suggested remediation steps for security teams |
category | Y | - | Alert category (e.g., Malware, SuspiciousActivity, CredentialAccess, Ransomware) |
event_time | N | Current time | Event timestamp in ISO 8601 format (e.g., 2024-01-15T10:30:00Z) |
report_id | N | - | Unique identifier for tracking and correlating related alerts |
description | N | - | Explanatory note |
if | N | - | Condition to run |
disabled | N | false | Disable this processor |
ignore_failure | N | false | See Handling Failures |
on_failure | N | - | See Handling Failures |
on_success | N | - | See Handling Success |
tag | N | - | Identifier |
Details
The defender processor creates custom alerts in Microsoft Defender for Endpoint using the CreateAlert API, enabling external security detection systems to integrate with Microsoft's unified endpoint security platform.
Authentication: Uses OAuth 2.0 client credentials flow with Azure AD. The processor automatically obtains and manages access tokens. Ensure your Azure AD application has the necessary API permissions (Alert.ReadWrite.All or similar) for Defender for Endpoint.
Machine ID: The target device identifier must exist in your Defender for Endpoint environment. You can obtain machine IDs through the Defender portal or via the Machines API.
Severity Levels: Determines alert priority and visual indicators in Defender portal:
Informational: Low-priority informational eventsLow: Minor issues requiring attention when convenientMedium: Moderate threats requiring timely investigationHigh: Critical threats requiring immediate response
Alert Categories: Common categories include:
Malware: Malicious software detectionSuspiciousActivity: Unusual behavior patternsCredentialAccess: Credential theft attempts (MITRE ATT&CK T1003, T1110, etc.)Ransomware: Ransomware-related activitiesNetworkAttack: Network-based attacksPhishing: Phishing attempts and credential harvestingDataExfiltration: Unauthorized data transfers
Report ID: Use this field to correlate related alerts across different events. Multiple alerts with the same report_id help security analysts understand the full attack chain.
Automated Investigation: Alerts created through this processor trigger Defender's Automated Investigation and Response (AIR) capabilities, enabling automatic containment and remediation based on configured policies.
Template Support: All string fields support Go template syntax with event field interpolation using {{ .field_name }}.
For integration patterns with schema validation, see Schema Drift Detection.
Examples
Basic Alert
Creating a high-severity security alert... | |
Alert created in Defender portal with AIR triggered... |
Malware Detection
Reporting malware detection from external scanner... | |
Malware alert with automatic quarantine investigation... |
Credential Access Detection
Alerting on credential dumping attempts... | |
MITRE ATT&CK mapped alert for credential theft... |
Ransomware Alert
Critical ransomware detection requiring immediate action... | |
High-priority alert triggering automatic device isolation... |
Network Attack Detection
Reporting network-based attacks... | |
Network threat alert with source IP blocking recommendation... |
Data Exfiltration
Detecting unauthorized data transfers... | |
Data loss prevention alert with recovery guidance... |
With Custom Event Time
Reporting historical events with specific timestamps... | |
Alert with historical timestamp for forensic analysis... |
Schema Drift Alert
Creating security alerts when data quality issues occur... | |
Alert created when security log schema drift is detected... |
Azure AD App Registration
To use the defender processor, you must register an application in Azure AD with appropriate permissions:
-
Register Application:
- Navigate to Azure Portal > Microsoft Entra ID > App registrations > New registration
- Choose a name and select supported account types
- Register the application
-
Create Client Secret:
- Go to Certificates & secrets > New client secret
- Add description and expiration
- Copy the secret value (shown only once)
-
Assign API Permissions:
- Go to API Permissions > Add permission
- Select "APIs my organization uses" > Search for "WindowsDefenderATP"
- Choose Application permissions > Alert.ReadWrite.All
- Grant admin consent
-
Configure Environment Variables:
export DEFENDER_TENANT_ID="your-tenant-id"
export DEFENDER_CLIENT_ID="your-client-id"
export DEFENDER_CLIENT_SECRET="your-client-secret" -
Obtain Machine IDs:
- Machine IDs can be found in the Defender portal under Devices
- Or retrieved via the Machines API endpoint
For detailed setup instructions, see Microsoft Defender for Endpoint API Documentation.