Microsoft Defender for Endpoint Integration

Forward AI interaction events to Microsoft Defender for Endpoint to gain endpoint-level visibility of AI platform usage and policy violations.

Overview

This integration enables:

  • Endpoint visibility of AI platform activity
  • Correlation of AI events with endpoint events
  • Automated response through Defender playbooks
  • Risk scoring based on AI interaction patterns
  • Compliance reporting combining endpoint and AI data

Data Flow:

AI Interaction → Noxys API → Defender API → Incident correlation → Response

Prerequisites

  • Microsoft Defender for Endpoint (E5 or standalone license)
  • Azure AD / Entra ID tenant
  • Admin role in Noxys
  • Security Admin role in Microsoft Defender
  • HTTPS endpoint connectivity

Step 1: Create API Client in Azure

Register Noxys in Entra ID to access Defender APIs.

  1. Azure Portal → App registrations → New registration
  2. Configure:
    • Name: Noxys Defender Integration
    • Supported account types: Single tenant
  3. Register
  4. Note Client ID

Step 2: Generate Client Secret

  1. Certificates & secrets → New client secret
  2. Configure:
    • Description: Defender API
    • Expires: 24 months
  3. Copy secret value

Step 3: Configure API Permissions

Grant Defender API permissions.

  1. API permissions → Add a permission
  2. Select APIs my organization uses
  3. Search for WindowsDefenderATP (Microsoft Defender for Endpoint)
  4. Choose Application permissions:
    • Alert.ReadWrite.All
    • Incident.ReadWrite.All
    • Machine.Read.All
  5. Grant admin consent

Step 4: Get Defender Tenant Info

Find your Defender for Endpoint tenant ID.

  1. Microsoft Defender Portal → Settings → API
  2. Note:
    • Tenant ID (displayed at top)
    • API URL (e.g., https://api.securitycenter.windows.com)

Step 5: Enable in Noxys

Configure Defender integration in Noxys.

  1. Noxys Admin Panel → Integrations → Microsoft Defender
  2. Click Enable Integration
  3. Configure:
     Field              Value
     Tenant ID          Your Azure tenant ID
     Client ID          App registration Client ID
     Client Secret      Client secret from step 2
     Defender API URL   From step 4
  4. Click Test Connection
    • Should show: "✓ Successfully connected to Defender for Endpoint"
  5. Click Save

Step 6: Configure Event Forwarding

Select which events to send to Defender.

  1. Settings → Event Forwarding
  2. Enable:
    • interaction.policy_violated — Policy violations
    • interaction.high_risk — High-risk interactions
    • alert.severity_critical — Critical alerts
    • alert.severity_high — High severity alerts
  3. Click Save

Step 7: Create Defender Alerts

Noxys interactions automatically create incidents in Defender.

  1. Microsoft Defender Portal → Incidents
  2. Filter by Noxys
  3. Should see incidents like:
    • "High-risk AI interaction detected"
    • "Policy violation on user machine"

Example incident details:

Title: Policy violation - Block PII on ChatGPT
Severity: High
Category: AI Firewall
Details:
Platform: ChatGPT
Risk Score: 0.95
PII Detected: Email address
User: alice@acme.fr
Device: ALICE-LAPTOP
Timestamp: 2026-03-20 14:32:00

Step 8: Create Response Rules

Automatically respond to AI-related incidents.

  1. Settings → Automated investigation and response
  2. Click Create rule
  3. Configure:
     Setting     Value
     Name        "Block user on critical AI violation"
     Condition   Threat type = "AI Firewall" AND Severity = "High"
     Action      Isolate device / Alert user / Create ticket
  4. Save

Advanced: Machine Learning Integration

Use Defender's machine learning to score AI interaction risk.

  1. Enable: Settings → Advanced features → Automated investigation
  2. Noxys interaction data feeds ML models
  3. Defender correlates with endpoint events
  4. Combined risk score affects incident severity

Incident Correlation

Defender automatically correlates AI events with endpoint events:

Timeline:
14:30 - ChatGPT access from ALICE-LAPTOP
14:31 - PII classified as Restricted
14:32 - Policy violation: Block triggered
14:35 - Suspicious network activity from ALICE-LAPTOP
→ Correlated incident created
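The forwarding filter from Step 6, the incident mapping from Step 7 and the device/time correlation shown in the timeline above, as an added Python example that is not part of Noxys or Defender. The sample events, the 0.8 risk-score threshold for "High" severity and the 5-minute correlation window are constructed assumptions; the real products apply their own rules.

```python
from datetime import datetime, timedelta

# Constructed sample Noxys AI interaction events (not real data).
NOXYS_EVENTS = [
    {"type": "interaction.policy_violated", "platform": "ChatGPT", "risk_score": 0.95,
     "pii": "Email address", "user": "alice@acme.fr", "device": "ALICE-LAPTOP",
     "policy": "Block PII on ChatGPT", "ts": "2026-03-20 14:32:00"},
    {"type": "interaction.allowed", "platform": "Copilot", "risk_score": 0.10,
     "pii": None, "user": "bob@acme.fr", "device": "BOB-LAPTOP",
     "policy": None, "ts": "2026-03-20 14:33:00"},
    {"type": "interaction.high_risk", "platform": "Claude", "risk_score": 0.85,
     "pii": None, "user": "carol@acme.fr", "device": "carol-laptop",
     "policy": None, "ts": "2026-03-20 14:40:00"},
]

# Constructed sample Defender endpoint events on the same devices.
ENDPOINT_EVENTS = [
    {"device": "ALICE-LAPTOP", "ts": "2026-03-20 14:35:00", "what": "Suspicious network activity"},
    {"device": "CAROL-LAPTOP", "ts": "2026-03-20 15:30:00", "what": "Unsigned binary executed"},
]

# Event types enabled under Settings -> Event Forwarding (Step 6).
FORWARDED_TYPES = {"interaction.policy_violated", "interaction.high_risk",
                   "alert.severity_critical", "alert.severity_high"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def select_forwarded(events, enabled=FORWARDED_TYPES):
    """Keep only events whose type is enabled for forwarding; everything else stays local."""
    return [e for e in events if e["type"] in enabled]

def build_incident(event):
    """Map a forwarded event to the incident fields shown in the Defender portal."""
    if event["type"] == "interaction.policy_violated":
        title = f"Policy violation - {event['policy']}"
    else:
        title = "High-risk AI interaction detected"
    severity = "High" if event["risk_score"] >= 0.8 else "Medium"  # assumed threshold
    return {"title": title, "severity": severity, "category": "AI Firewall",
            "details": {"Platform": event["platform"], "Risk Score": event["risk_score"],
                        "PII Detected": event["pii"] or "None", "User": event["user"],
                        "Device": event["device"], "Timestamp": event["ts"]}}

def correlate(ai_events, endpoint_events, window_minutes=5):
    """Pair AI events with endpoint events on the same device within the window.
    Device names are compared case-insensitively, since a name mismatch between
    the two systems is the usual reason correlation fails."""
    pairs = []
    for ai in ai_events:
        t_ai = datetime.strptime(ai["ts"], TS_FORMAT)
        for ep in endpoint_events:
            t_ep = datetime.strptime(ep["ts"], TS_FORMAT)
            same_device = ai["device"].upper() == ep["device"].upper()
            if same_device and abs(t_ep - t_ai) <= timedelta(minutes=window_minutes):
                pairs.append((ai["device"].upper(), ai["type"], ep["what"]))
    return pairs
```

Carol's high-risk interaction and the later endpoint event on her device are 50 minutes apart, so they fall outside the window and produce no correlated pair.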

Defender Advanced Hunting

Query Noxys data using Defender's advanced hunting.

  1. Hunting → Advanced hunting → Create query
  2. Query the Noxys custom table:
     NoxysInteractions
     | where RiskScore > 0.8
     | join (DeviceNetworkInfo) on DeviceId
     | summarize HighRiskCount=count() by DeviceId, DeviceName
     | where HighRiskCount > 5
  3. Create detection rule from query

Integration with Threat Analytics

Monitor AI-related threats in Threat Analytics.

  1. Threat analytics → Create dashboard
  2. Add cards for:
    • "AI platform usage trends"
    • "High-risk interaction rate"
    • "Policy violations by platform"

Troubleshooting

Events Not Appearing in Defender

  1. Verify integration is Enabled
    • Settings → Integrations → Microsoft Defender
  2. Check event forwarding is configured
    • Settings → Event Forwarding
  3. Test connection again
  4. Check Defender API URL is correct
  5. Verify permissions granted:
    • Alert.ReadWrite.All
    • Incident.ReadWrite.All

Incidents Not Created

  1. Verify events match forwarding criteria
  2. Check Defender is receiving API calls
    • Defender Portal → Settings → API → Audit log
  3. Verify client secret hasn't expired
  4. Check network connectivity between Noxys and Defender

Correlation Not Working

  1. Ensure both Noxys and Defender have endpoint data
  2. Verify device names match between systems
  3. Check incident timeline overlap
  4. Wait 5-10 minutes for ML model update

Cost Considerations

  • Defender for Endpoint: E5 license required (~$15/user/month)
  • Noxys Defender integration: Included, no additional cost
  • API calls: Included in Defender subscription

Best Practices

  1. Forward only critical events

    • Reduces noise in Defender incidents
    • Focus on policy_violated and severity_high+
  2. Use descriptive incident details

    • Include platform, risk score, PII type
    • Helps SOC team investigation
  3. Set up automated playbooks

    • Auto-isolate devices with repeated violations
    • Create tickets for incident response team
  4. Monitor correlation quality

    • Review incidents weekly
    • Adjust rules if too many false positives
  5. Leverage ML scoring

    • Let Defender ML correlate patterns
    • Don't override automatically-determined severity

Compliance & Audit

Defender audit log tracks all API calls:

  1. Defender Portal → Settings → API → Audit log
  2. Export for compliance:
    • GDPR requests
    • SOC 2 audits
    • Security reviews

Disabling Integration

If you need to disable Defender integration:

  1. Integrations → Microsoft Defender → Disable
  2. No more incidents are created
  3. Existing incidents remain in Defender
  4. Data is not deleted

To re-enable:

  1. Follow configuration steps again
  2. Events resume flowing to Defender

Integration with Other Microsoft Services

Defender integrations also enable:

  • Microsoft Sentinel: Export incidents to Sentinel
  • Microsoft 365 Defender: Unified threat dashboard
  • Intune: Device compliance enforcement

Support