Microsoft Defender for Endpoint app doc (#5587)

* Microsoft Defender for Endpoint app doc

* note added

* minor fix

* Update blog-service/2025-07-16-apps.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

---------

Co-authored-by: Kim (Sumo Logic) <[email protected]>

Author: JV0812

blog-service/2025-07-16-apps.md

@@ -0,0 +1,13 @@
+---
+title: Microsoft Defender for Endpoint (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - palo-alto-networks-11
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+
+We're excited to introduce the new Microsoft Defender for Endpoint app for Sumo Logic. This app enables you to gain real-time visibility into security alert data across your software projects and dependencies. This app also helps security and DevOps teams track risk exposure, prioritize remediation, and maintain a strong security posture. [Learn more](/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint).

cid-redirects.json

@@ -2900,6 +2900,7 @@
   "/cid/21035": "/docs/integrations/google/cloud-traffic-director",
   "/cid/21036": "/docs/integrations/google/cloud-vertex-ai",
   "/cid/21037": "/docs/integrations/google/cloud-vpn",
+  "/cid/21333": "/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint",
   "/cid/21039": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source",
   "/cid/21041": "/docs/integrations/google/cloud-security-command-center",
   "/cid/21097": "/docs/integrations/saas-cloud/confluent-cloud",

docs/integrations/microsoft-azure/index.md

@@ -337,6 +337,13 @@ This guide has documentation for all of the apps that Sumo Logic provides for Mi
       <p>A guide to the Sumo Logic app for Azure Kubernetes Service Control Plane.</p>
       </div>
     </div>
+    <div className="box smallbox card">
+      <div className="container">
+      <img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-identity.png')} alt="Thumbnail icon" width="40"/>
+      <h4><a href="/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint">Microsoft Defender for Endpoint</a></h4>
+      <p>A guide to the Sumo Logic app for Microsoft Defender for Endpoint.</p>
+      </div>
+    </div>
     <div className="box smallbox card">
       <div className="container">
       <img src={useBaseUrl('img/integrations/microsoft-azure/network-watcher.png')} alt="Thumbnail icon" width="50"/>

docs/integrations/microsoft-azure/microsoft-defender-for-endpoint.md

@@ -9,44 +9,208 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-identity.png')} alt="Thumbnail icon" width="60"/>
 
-Microsoft Defender for Endpoint is an enterprise-grade endpoint security platform designed to help you prevent, detect, investigate, and respond to advanced cyber threats on devices (endpoints) like laptops, desktops, mobile phones, and servers.
+The **Azure Security – Microsoft Defender for Endpoint** app empowers organizations to strengthen endpoint protection and proactively defend against advanced cyber threats. By centralizing alert data from devices like desktops, laptops, mobile devices, and servers, the app offers actionable insights that help security teams detect, investigate, and respond to suspicious activity faster and more effectively.
 
-This document outlines the steps required to collect and analyse the [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint) alerts in the Sumo Logic platform.
+Leveraging advanced analytics and contextual threat intelligence, the app highlights patterns of malicious behavior, suspicious processes, and high-severity alerts. This visibility equips security teams to pinpoint vulnerabilities, monitor risk exposure, and understand the evolving threat landscape impacting endpoints. With its comprehensive pre-configured dashboards and visualizations, the app helps identify users, devices, or locations associated with recurring security incidents. This capability supports faster investigation and more targeted mitigation, reducing dwell time and potential damage.
 
-## Set up collection
+By providing a holistic view of your organization’s endpoint security posture, the **Azure Security – Microsoft Defender for Endpoint** app ensures security teams remain agile, informed, and ready to respond to emerging threats — strengthening defenses and safeguarding critical assets.
 
-:::note
-Skip this step if you have already configured the Microsoft Graph Security API Source.
-:::
+## Log types
+
+This app uses SumoLogic’s Microsoft Graph Security source to collect [Alerts](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) from the Microsoft Defender for Endpoint to the Sumo Logic platform.
 
-Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Endpoint to the Sumo Logic platform.
+### Sample log message
 
-## Search alerts
+<details>
 
-Use the following query to retrieve alerts generated by the Microsoft Defender for Endpoint.
+<summary>Alerts log message</summary>
 
-```sql
-_sourcecategory=Labs/MicrosoftGraphSecurity
-| json field=_raw "serviceSource" as service_source
-| where service_source = "microsoftDefenderForEndpoint"
+```json
+{
+  "id": "adf3a5c9bc83f5cfd175152516139fd01df4845a64d36f0d4481",
+  "providerAlertId": "5bd1db63c29f8f4f17e6be7f8b4b1751525161523a3adee797b414fbaf6b1af1",
+  "incidentId": "16",
+  "status": "new",
+  "severity": "high",
+  "classification": "truePositive",
+  "determination": "compromisedUser",
+  "serviceSource": "microsoftDefenderForEndpoint",
+  "detectionSource": "microsoftDataLossPrevention",
+  "detectorId": "ImpossibleTravel",
+  "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39",
+  "title": "Atypical travel",
+  "description": "Sign-in from an atypical location based on the user\u2019s recent sign-ins",
+  "recommendedActions": "",
+  "category": "InitialAccess",
+  "assignedTo": null,
+  "alertWebUrl": "https://stravinmonsal.cajueiro.buzz/alerts/adf3a5c9bc83f5cfd39fd08df4845a64d36f0d4481?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39",
+  "incidentWebUrl": "https://stravinmonsal.cajueiro.buzz/incidents/16?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39",
+  "actorDisplayName": null,
+  "threatDisplayName": null,
+  "threatFamilyName": null,
+  "mitreTechniques": ["T1078", "T1078.004"],
+  "createdDateTime": "2025-07-03T12:16:01+053088Z",
+  "lastUpdateDateTime": "2025-07-03T12:16:01+0530333Z",
+  "resolvedDateTime": null,
+  "firstActivityDateTime": "2025-07-03T12:16:01+0530577Z",
+  "lastActivityDateTime": "2025-07-03T12:16:01+0530577Z",
+  "comments": [
+    {
+      "@odata.type": "#microsoft.graph.security.alertComment",
+      "comment": "Not valid",
+      "createdByDisplayName": "John",
+      "createdDateTime": "2025-07-03T12:16:01+053088Z"
+    }
+  ],
+  "evidence": [
+    {
+      "@odata.type": "#microsoft.graph.security.userEvidence",
+      "createdDateTime": "2025-07-03T12:16:01.523Z",
+      "verdict": "unknown",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "roles": ["compromised"],
+      "detailedRoles": [],
+      "tags": [],
+      "userAccount": {
+        "accountName": "tseapps",
+        "domainName": null,
+        "userSid": "S-1-12-1-1751525161-1751525161-589068932-1751525161",
+        "azureAdUserId": "f5e829f5-4b1f-4fcf-847a-1c234c1b3b82",
+        "userPrincipalName": "[email protected]",
+        "displayName": null
+      }
+    },
+    {
+      "@odata.type": "#microsoft.graph.security.ipEvidence",
+      "createdDateTime": "2025-07-03T12:16:01.523Z",
+      "verdict": "suspicious",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "roles": [],
+      "detailedRoles": [],
+      "tags": [],
+      "ipAddress": "38.180.52.2",
+      "countryLetterCode": "IN"
+    },
+    {
+      "@odata.type": "#microsoft.graph.security.ipEvidence",
+      "createdDateTime": "2025-07-03T12:16:01.523Z",
+      "verdict": "malicious",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "roles": [],
+      "detailedRoles": [],
+      "tags": [],
+      "ipAddress": "38.180.52.2",
+      "countryLetterCode": "US"
+    },
+    {
+      "@odata.type": "#microsoft.graph.security.deviceEvidence",
+      "createdDateTime": "2025-07-03T12:16:01.523Z",
+      "verdict": "String",
+      "remediationStatus": "String",
+      "remediationStatusDetails": "String",
+      "roles": ["String"],
+      "tags": ["String"],
+      "firstSeenDateTime": "2025-07-03T12:16:01+053088Z",
+      "mdeDeviceId": "String",
+      "azureAdDeviceId": "String",
+      "deviceDnsName": "String",
+      "osPlatform": "String",
+      "osBuild": "Integer",
+      "version": "String",
+      "rbacGroupId": "Integer",
+      "rbacGroupName": "String",
+      "healthStatus": "String",
+      "riskScore": "String",
+      "onboardingStatus": "String",
+      "defenderAvStatus": "String",
+      "vmMetadata": {
+        "@euvzrzebjk.type": "microsoft.graph.security.vmMetadata"
+      },
+      "loggedOnUsers": [
+        { "@euvzrzebjk.type": "microsoft.graph.security.loggedOnUser" }
+      ]
+    }
+  ]
+}
 ```
 
-## Analyse alerts
+</details>
 
-Use the following query to extract detailed insights from the alert data:
+### Sample query
 
-```sql
-_sourceCategory=Labs/MicrosoftGraphSecurity  
+```sql title="Total Alerts"
+_sourceCategory="Labs/MicrosoftGraphSecurity"
 |json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
-| where service_source = "microsoftDefenderForEndpoint"
-| where severity matches "*" and status matches "*" and classification matches "*" 
-| if(isNull(category),"-",category) as category
-| if(isNull(classification),"-",classification) as classification
-| if(isNull(determination),"-",determination) as determination
-| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
-| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
-| tourl (alert_url,alert_id) as alert_id
-| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
-| fields -_messageTime    
-| sort by time
-```
+
+| where toLowerCase(service_source) = "microsoftdefenderforendpoint"
+
+// global filters
+| where if ("{{severity}}" = "*", true, severity matches "{{severity}}")
+| where if ("{{status}}" = "*", true, status matches "{{status}}")
+| where if ("{{classification}}" = "*", true, classification matches "{{classification}}")
+
+// panel specific
+| count by alert_id 
+| count
+```
+
+## Collection configuration and app installation
+
+:::note
+Skip this step if you have already configured the [Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) Source. **[Use an existing source and install the app](#use-an-existing-source-and-install-the-app)** option to install the app using the `_sourceCategory` of Microsoft Graph Security API Source.
+:::
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Microsoft Graph Security API app is properly integrated and configured to collect and analyze your security alerts data.
+:::
+
+## Viewing Microsoft Defender for Endpoint dashboards​
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Overview
+
+The **Azure Security - Microsoft Defender for Endpoint - Overview** dashboard offers a detailed view into security threats detected across endpoints, enabling analysts to assess and act swiftly on potential incidents. With a broad set of visualizations, it displays total alerts, high-severity alerts, and their distribution by status, classification, determination, service source, and detection source.
+
+Security teams can quickly identify which alert categories are most prevalent, view recent alerts for immediate awareness, and also track which analysts are actively assigned to incidents. By highlighting the top users linked to alerts, the dashboard helps uncover potential insider threats or compromised accounts that require further investigation.
+
+Geo-location mapping visualizes the alert origin, supporting risk assessment tied to specific regions. Together, these insights provide a balanced blend of historical context and real-time visibility, empowering teams to prioritize high-impact threats and respond effectively.
+
+Overall, this dashboard serves as an essential tool for maintaining situational awareness, tracking alert trends, and strengthening your organization’s response strategy against evolving endpoint threats.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Defender-for-Endpoint/Azure-Security-Microsoft-Defender-for-Endpoint-Overview.png' alt="Azure-Security-Microsoft-Defender-for-Endpoint-Overview" />
+
+### Security
+
+The **Azure Security - Microsoft Defender for Endpoint - Security** dashboard delivers a high-level view of your organization’s endpoint threat landscape, helping teams identify where risks concentrate and how they evolve over time. Visual trend panels illustrate changes in alert severity, revealing whether high-risk incidents are increasing and guiding prioritization of response efforts.
+
+Geo-location data highlights alerts emerging from risky countries, allowing teams to assess exposure to region-specific threats. The dashboard also surfaces critical context, such as the top user accounts with compromised roles, which can signal targeted attacks on privileged accounts.
+
+In addition, the dashboard ranks the most frequently attacked devices and countries linked to suspicious or malicious IP activity, offering clarity on which assets and locations are most at risk. This intelligence supports more targeted defenses and timely intervention.
+
+By combining trend analysis, threat origins, and user risk insights, the Security dashboard equips analysts to recognize patterns, respond to emerging threats proactively, and bolster the organization’s overall security posture against complex endpoint attacks.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Defender-for-Endpoint/Azure-Security-Microsoft-Defender-fo-Endpoint-Security.png' alt="Azure-Security-Microsoft-Defender-fo-Endpoint-Security" />