Integrations
Microsoft Defender ATP
Prerequisites:
- You must have admin rights to your Microsoft 365/Azure installation
Getting started
- Click here to go to Microsoft Defender ATP settings in the Perch app
- Authorize Perch to access your Microsoft Defender ATP logs
- Test that Perch can ingest logs from Microsoft Defender ATP
- Enable log ingestion
Test ingestion
In order to start collecting logs from Microsoft Defender ATP, Perch needs to verify that the Microsoft Defender ATP instance has logs and that we are able to ingest them properly. Click the “Test” button to complete this.
As per Microsoft, there is no guaranteed maximum latency for notification delivery (in other words, no SLA). Microsoft Support’s experience has been that most notifications are sent within one hour of the event. Often the latency is much shorter, but often it’s longer as well. This varies somewhat from workload to workload, but a general rule is that most notifications will be delivered within 24 hours of the originating event.
If at any time after setup you feel the need to test that your Microsoft Defender ATP integration is still working as expected, simply click the “Test” button again.
Enable log ingestion
Like all Perch integrations, you can enable or disable Microsoft Defender log ingestion at any time by toggling the switch from “OFF” ( gray ) to “ON” ( purple ), or the other way around.
When disabling Microsoft Defender log ingestion, your configuration is preserved so you will not have to reauthorize Perch when you would like to re-enable it.
What Logs are Collected?
The Perch integration for Microsoft Defender ATP polls from these API endpoints:
- /alerts
- /investigations
- /recommendations
Still having trouble? Reach out to one or our specialists at help@perchsecurity.com