Endpoint Detection and Response (EDR) Integration
Microsoft Defender for Endpoint, mobile-first.
PocketSOC connects to Microsoft Defender for Endpoint (MDE) through a tenant-scoped Azure app registration. SOC responders can view MDE alerts, inspect machine details, and isolate or unisolate compromised machines directly from iOS or Android. Authentication uses Application or Delegated permissions on the MDE API — your administrators control scope.
Supported actions for Defender for Endpoint
- View Microsoft Defender for Endpoint alerts with full context
- Inspect affected machine details and risk score
- Isolate a machine to contain an active threat
- Lift (unisolate) a machine once the investigation closes
- Receive push notifications for new alerts above a severity threshold
- Filter alerts by status, severity, and machine group
Authentication and credentials
Microsoft Defender for Endpoint uses an Azure app registration. PocketSOC supports both Application permissions (daemon-style, suitable for shared service identities) and Delegated permissions (per-user, with the signed-in user's permissions enforced). Required scopes are Alert.ReadWrite.All and Machine.ReadWrite.All from the MDE API. Admin consent is required. Credentials live in platform-native secure storage on each device.
Quick setup for Defender for Endpoint
- In Azure Portal, go to App registrations → New registration
- Choose Application or Delegated permissions
- Assign Alert.ReadWrite.All and Machine.ReadWrite.All on the MDE API
- Grant admin consent
- Create a client secret; copy Tenant ID, Client ID, and Client Secret
- In PocketSOC, paste Tenant ID, Client ID, and Client Secret to connect
See the full Quick Start guide for Organization-mode setup with the PocketSOC Portal.
Defender for Endpoint integration FAQ
Application or Delegated permissions — which should we use?
Application permissions work like a daemon: any user with valid PocketSOC credentials can perform any allowed action. Use Application for team-wide shared visibility.
Delegated permissions enforce the signed-in user's permissions on every request. Use Delegated when you want individual analysts to take actions only as themselves, with full attribution in Azure audit logs.
Is Defender for Endpoint fully supported?
Yes. PocketSOC authenticates to MDE, fetches alerts, shows full details, and performs isolation and unisolation where the configured role allows it. See the platforms FAQ entry.
Where are Defender credentials stored?
Tenant ID, Client ID, and Client Secret are encrypted in transit and stored in iOS Keychain or Android Keystore on each device. PocketSOC servers do not retain raw secrets in logs. See the credentials storage FAQ.
Can we limit which actions analysts can perform?
Yes — scope is enforced at the Azure app registration. If the app has read-only Alert permissions, PocketSOC will display alerts but disable any write actions. With Delegated permissions, each user's individual role inside MDE further constrains what they can do.
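The quick-setup steps above and this FAQ answer describe the same two facts: an Application-permission connection obtains its token with the OAuth2 client-credentials grant against the MDE API, and whatever permissions the app registration was granted arrive inside that token, so a client can enable or disable isolate and unisolate accordingly. The following Python is an added example, not PocketSOC's own code: it builds the token request from the Tenant ID, Client ID and Client Secret, reads the permission claims out of an access token (Application tokens list them in the `roles` claim, Delegated tokens in the space-separated `scp` claim), and gates actions on them. The token endpoint, the `.default` scope form, the `/api/machines/{id}/isolate` and `/unisolate` action endpoints and the `Alert.Read.All`, `Machine.Read.All` and `Machine.Isolate` permission names are real MDE API values; the action-to-permission table, the `make_demo_token` helper and the sample claim sets are constructed for offline demonstration and are not PocketSOC's.

```python
"""Added example (not PocketSOC code): token request construction and
permission-based action gating for a Microsoft Defender for Endpoint client."""
import base64
import json

# Real MDE API resource and Azure AD v2.0 token endpoint.
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed mapping (assumption): which MDE permission satisfies each action.
# Machine.Isolate is the narrower MDE permission for the isolate action;
# Machine.ReadWrite.All is the scope the setup steps above ask for.
REQUIRED_PERMISSION = {
    "view_alerts": {"Alert.Read.All", "Alert.ReadWrite.All"},
    "view_machines": {"Machine.Read.All", "Machine.ReadWrite.All"},
    "isolate": {"Machine.ReadWrite.All", "Machine.Isolate"},
    "unisolate": {"Machine.ReadWrite.All", "Machine.Isolate"},
}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_fields) for the client-credentials grant used with
    Application permissions. The caller URL-encodes the form and POSTs it."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests every permission the admin consented to on the MDE API.
        "scope": f"{MDE_RESOURCE}/.default",
    }
    return url, form


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token: str) -> set[str]:
    """Read the permissions carried by an MDE access token.

    The signature is deliberately not verified here: the MDE API verifies it on
    every request. The client only reads the claims to decide which actions to
    offer, so a read-only registration never shows a usable isolate button."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    perms = set(payload.get("roles", []))          # Application permissions
    perms.update(payload.get("scp", "").split())   # Delegated permissions
    return perms


def allowed_actions(permissions: set[str]) -> set[str]:
    """Actions whose required permission is present in the token."""
    return {action for action, needed in REQUIRED_PERMISSION.items() if permissions & needed}


def build_isolate_request(machine_id: str, comment: str, isolation_type: str = "Full", lift: bool = False):
    """Return (method, url, json_body) for the MDE isolate / unisolate endpoints.
    Unisolate takes only a comment; isolate also takes IsolationType (Full or Selective)."""
    action = "unisolate" if lift else "isolate"
    body = {"Comment": comment}
    if not lift:
        body["IsolationType"] = isolation_type
    return "POST", f"{MDE_RESOURCE}/api/machines/{machine_id}/{action}", body


def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for offline demonstration only; a real token
    is issued and signed by Azure AD in response to build_token_request()."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, form = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url, "scope =", form["scope"])
    samples = [  # constructed claim sets, not real tokens
        ("read-only app registration", {"roles": ["Alert.Read.All", "Machine.Read.All"]}),
        ("read-write app registration", {"roles": ["Alert.ReadWrite.All", "Machine.ReadWrite.All"]}),
        ("delegated analyst, machines read-only", {"scp": "Alert.ReadWrite.All Machine.Read.All"}),
    ]
    for label, claims in samples:
        actions = allowed_actions(token_permissions(make_demo_token(claims)))
        print(f"{label}: {sorted(actions)}")
    print(build_isolate_request("<machine-id>", "Contain during investigation"))
```

The gating runs on the token the app actually received rather than on what the administrator intended to grant, which is the behaviour the FAQ answer describes: removing write permissions at the app registration is enough to turn PocketSOC-style clients display-only, without any client-side configuration.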
See the full PocketSOC FAQ covering all vendors and security topics.