mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-11-02 04:43:15 +00:00
Office Defender For Endpoint Integration

Microsoft Defender for Endpoint exposes an API that can be queried to pull alerts and events into Wazuh. The Python scripts pull events from the supported Defender for Endpoint API queries listed below. They can be run from a cron job to pull at set intervals.
- Alerts: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-alerts?view=o365-worldwide
- Indicators: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-ti-indicators-collection?view=o365-worldwide
- Machines: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide
- Domain: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-domain-related-alerts?view=o365-worldwide
- Recommendations: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-all-recommendations?view=o365-worldwide
- Exposure Score by Group: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machine-group-exposure-score?view=o365-worldwide
- Software: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-software?view=o365-worldwide
- Machine Vulnerabilities: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines?view=o365-worldwide
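The cron-driven pull described above, as an added example rather than the scripts from the Wazuh-Rules repository: it uses the client-credentials token endpoint and the list-alerts endpoint from the linked documentation, follows `@odata.nextLink` where a page carries one, and writes one JSON object per line. The output file being read by a Wazuh `<localfile>` with `log_format json`, the top-level keys `integration`/`defender`, and the 15-minute lookback are assumptions of this example; `run()` needs real tenant credentials, the other functions work offline.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.securitycenter.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

def get_token(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials grant; the app registration needs Alert.Read.All."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "resource": API_BASE,
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), body) as resp:
        return json.load(resp)["access_token"]

def alerts_url(since_iso):
    """List-alerts endpoint with an OData filter so each run pulls only new alerts."""
    query = urllib.parse.urlencode({"$filter": f"alertCreationTime gt {since_iso}"},
                                   quote_via=urllib.parse.quote)
    return f"{API_BASE}/api/alerts?{query}"

def fetch_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def collect(url, get_page):
    """Gather every 'value' item; follow @odata.nextLink if a page carries one."""
    items = []
    while url:
        page = get_page(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def to_wazuh_lines(alerts):
    """One JSON object per line under an assumed top-level key, for a Wazuh
    <localfile> with log_format json and a decoder keyed on 'integration'."""
    return [json.dumps({"integration": "defender_for_endpoint", "defender": a},
                       separators=(",", ":")) for a in alerts]

def run(tenant_id, client_id, client_secret, out_path, lookback_minutes=15):
    """Cron entry point; keep the lookback longer than the cron interval (overlap beats gaps)."""
    token = get_token(tenant_id, client_id, client_secret)
    since = datetime.now(timezone.utc) - timedelta(minutes=lookback_minutes)
    alerts = collect(alerts_url(since.strftime("%Y-%m-%dT%H:%M:%SZ")),
                     lambda u: fetch_json(u, token))
    with open(out_path, "a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in to_wazuh_lines(alerts))
    return len(alerts)
```

Because the lookback overlaps the previous run, the same alert can be emitted twice; suppress that on the alert `id` in the Wazuh rule rather than shrinking the window.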