This guide walks you through connecting Microsoft Defender for Endpoint to TruU TOTAL for persona generation and threat detection.

Overview

TOTAL ingests endpoint security events from Microsoft Defender for Endpoint via the Microsoft Defender XDR Advanced Hunting API. We poll the advanced hunting tables on a configurable interval to collect, normalize, and correlate device events, process executions, network connections, logon events, file operations, and security alerts across your managed endpoints. Connector Type: Polling

Prerequisites

Microsoft Entra ID (Azure AD) access with Application Administrator or Global Administrator role
Microsoft Defender for Endpoint Plan 2 or Microsoft 365 E5 Security license
Devices onboarded to Defender for Endpoint with active telemetry
Approximately 20 minutes to complete setup

Step 1: Register an Application in Entra ID

Sign in to the Azure Portal
Navigate to Microsoft Entra ID → App registrations
Click New registration
Enter:
- Name: TruU TOTAL - Defender for Endpoint
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Leave blank
Click Register
On the app’s Overview page, copy:
- Application (client) ID
- Directory (tenant) ID
Paste the Client ID and Tenant ID into the TruU Portal

Step 2: Create a Client Secret

In your App Registration, go to Certificates & secrets
Click New client secret
Enter:
- Description: TOTAL Defender integration
- Expires: Choose your organization’s preferred expiry
Click Add
Immediately copy the secret Value — it will only be shown once
Paste the Client Secret value into the TruU Portal

Step 3: Grant API Permissions

In the App Registration, click API permissions
Click Add a permission → APIs my organization uses → search for Microsoft Threat Protection
Select Application permissions and add:
- AdvancedHunting.Read.All — Run advanced hunting queries
Additionally, add WindowsDefenderATP → Application permissions:
- Alert.Read.All — Read alerts
- Machine.Read.All — Read device information
Add Microsoft Graph → Application permissions:
- User.Read.All — Read user profiles for identity resolution
Click Add permissions
Click Grant admin consent for [Your Organization]
Click Yes to confirm

All permissions are read-only. TOTAL cannot isolate machines, run scans, or modify any Defender configuration.

Step 4: Verify Connectivity

Once credentials are entered in the TruU Portal:

Click Test Connection — TOTAL will run a test advanced hunting query to confirm access
If successful, you’ll see a confirmation with the number of devices and recent events detected
If configured, TOTAL will run a historical data pull (up to 30 days) to seed user personas

Security & Privacy

What We Access

Read-only access to Defender for Endpoint advanced hunting tables via the Microsoft 365 Defender API
Device events, process events, network events, logon events, and file events
Security alerts and alert evidence
All queries use Timestamp filtering — we only fetch new events since the last poll

What We Don’t Have Access To

Ability to isolate, scan, or remediate devices
Access to response actions or live response sessions
Write access to Defender configuration, policies, or rules
Access to file contents or memory dumps

Updating or Rotating Credentials

Rotate Client Secret (Recommended: Before expiry)

In Azure Portal, go to Entra ID → App registrations → TruU TOTAL - Defender for Endpoint
Go to Certificates & secrets
Click New client secret (create the new one before deleting the old one)
Copy the new secret value and paste it in the TruU Portal
After TOTAL confirms the new secret is active, delete the old secret

Revoke Access

To immediately remove TOTAL’s access:

Option A — Disable in the TruU Portal
Option B — Remove the App Registration’s API permissions in Entra ID
Option C — Delete the App Registration entirely

Rate Limiting & Scalability

Defender XDR Advanced Hunting API Rate Limits

Parameter	Limit
Advanced Hunting API calls	45 req/min, 1,500/hour
CPU execution time	10 min/hour, 4 hours/day
Max rows per query	100,000
Query data range	Last 30 days
Throttle response	HTTP 429 with retry timeframe

Ingestion Capacity

The Advanced Hunting API is the most rate-constrained of the Microsoft APIs. The CPU execution budget (10 min/hour) is the binding constraint, not request count. TOTAL optimizes for this with efficient KQL queries using tight timestamp filters, minimal column projection, and distributed queries across tables. A large enterprise with 100K+ endpoints generates 20M–80M raw endpoint events/day, but after filtering to human-attributable events only, the TOTAL-relevant subset is 2M–10M events/day. TOTAL prioritizes high-value tables (DeviceLogonEvents, AlertInfo) and adjusts polling frequency per table based on volume. The CPU budget share is configurable — by default TOTAL consumes up to 50% of the hourly budget, leaving the rest available for SOC analysts.

Event Freshness

Events appear in Advanced Hunting tables 5–30 minutes after occurrence (Microsoft’s ingestion pipeline). TOTAL polls on a configurable interval per table (default: 5 minutes). End-to-end latency is typically 10–35 minutes.

Resilience

TOTAL uses cursor-based ingestion with at-least-once delivery, maintaining a separate cursor per table. The cursor only advances after events are successfully collected, normalized, and published. If any step fails, the cursor stays put and the next poll replays from the last known-good position. No events are lost. Transient failures (429s, 5xx, timeouts) are retried automatically with exponential backoff. If the CPU budget is exhausted, remaining queries are deferred to the next hour. After 5 consecutive failures, the connector self-pauses and can be re-enabled from the TruU Portal. Advanced Hunting retains 30 days of data, so any outage shorter than that results in zero data loss.

Connector Design

Each connector polls on an independent, configurable interval per table. High-value tables are polled first via a configurable priority order. Events are batched and published in per-user order to preserve sequence integrity for persona building. Connector workers are stateless and scale horizontally. All polling intervals, table priorities, CPU budget share, and batching parameters are tunable from the TruU Portal.

Part 2: Event Types & Data Schema

Signal Classification

Signal Class	TOTAL Category
Endpoint Security	Endpoint, Authentication, Network, Data Access, Alert

Event Types We Ingest

TOTAL queries the following Defender XDR Advanced Hunting tables. Every event ingested is filtered to those attributable to a human user identity via AccountName, InitiatingProcessAccountName, or LoggedOnUsers. System-only and service-account events are excluded.

Device Logon Events (`DeviceLogonEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`DeviceName`	string	FQDN of the device
`ActionType`	string	Logon action (LogonSuccess, LogonFailed, LogonAttempted)
`LogonType`	string	Interactive, RemoteInteractive, Network (filtered to human users only)
`AccountDomain`	string	Domain of the account
`AccountName`	string	Username
`AccountSid`	string	Security identifier
`IsLocalAdmin`	boolean	Whether the user is a local admin
`RemoteDeviceName`	string	Source device for remote logons
`RemoteIP`	string	Source IP address
`RemoteIPType`	string	Public, Private, etc.
`Protocol`	string	Authentication protocol used
`FailureReason`	string	Reason for logon failure

TOTAL Classification: Authentication

Device Process Events (`DeviceProcessEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`DeviceName`	string	FQDN of the device
`ActionType`	string	ProcessCreated, ProcessTerminated
`FileName`	string	Process executable name
`FolderPath`	string	Full path to the executable
`SHA256`	string	File hash
`ProcessCommandLine`	string	Command line used to launch the process
`AccountDomain`	string	Domain of the account
`AccountName`	string	Username that launched the process
`ProcessTokenElevation`	string	Token elevation type
`InitiatingProcessFileName`	string	Parent process name
`InitiatingProcessCommandLine`	string	Parent process command line

TOTAL Classification: Endpoint

Device Network Events (`DeviceNetworkEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`DeviceName`	string	FQDN of the device
`ActionType`	string	ConnectionSuccess, ConnectionFailed, InboundConnectionAccepted
`RemoteIP`	string	Destination IP address
`RemotePort`	int	Destination port
`RemoteUrl`	string	Destination URL or hostname
`LocalIP`	string	Source IP address
`LocalPort`	int	Source port
`Protocol`	string	TCP, UDP, etc.
`InitiatingProcessFileName`	string	Process that initiated the connection
`InitiatingProcessCommandLine`	string	Command line of initiating process
`InitiatingProcessAccountName`	string	User account of initiating process

TOTAL Classification: Network

Device File Events (`DeviceFileEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`DeviceName`	string	FQDN of the device
`ActionType`	string	FileCreated, FileModified, FileDeleted, FileRenamed
`FileName`	string	Name of the file
`FolderPath`	string	Full path to the file
`SHA256`	string	File hash
`FileSize`	long	File size in bytes
`InitiatingProcessFileName`	string	Process that performed the file operation
`InitiatingProcessAccountName`	string	User account
`SensitivityLabel`	string	Sensitivity label applied to the file
`IsAzureInfoProtectionApplied`	boolean	Whether AIP protection is applied

TOTAL Classification: Data Access

Device Events (`DeviceEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`DeviceName`	string	FQDN of the device
`ActionType`	string	Event action type
`AccountDomain`	string	Domain of the account
`AccountName`	string	Username
`RemoteUrl`	string	URL or IP connected to
`AdditionalFields`	string	Additional event context (JSON)

Common user-attributable ActionType values: UsbDriveMounted, UsbDriveUnmounted, SmartScreenUrlWarning, SmartScreenAppWarning, BrowserLaunchedToOpenUrl, PowerShellCommand, ScheduledTaskCreated TOTAL Classification: Endpoint

Device Registry Events (`DeviceRegistryEvents`)

Field	Type	Description
`Timestamp`	datetime	Event timestamp
`DeviceId`	string	Unique device identifier
`ActionType`	string	RegistryKeyCreated, RegistryValueSet, RegistryKeyDeleted
`RegistryKey`	string	Registry key path
`RegistryValueName`	string	Value name
`RegistryValueData`	string	Value data
`InitiatingProcessFileName`	string	Process that modified the registry
`InitiatingProcessAccountName`	string	User account

TOTAL Classification: Endpoint

Alert Events (`AlertInfo` + `AlertEvidence`)

Field	Type	Description
`AlertId`	string	Unique alert identifier
`Title`	string	Alert title
`Severity`	string	Informational, Low, Medium, High
`Category`	string	MITRE ATT&CK category
`DetectionSource`	string	Detection technology
`AttackTechniques`	string	MITRE techniques
`ServiceSource`	string	Source service
`EntityType`	string	Evidence entity type (User, Device, IP, File, Process)
`EvidenceRole`	string	Role of the evidence in the alert
`AccountName`	string	Associated user account
`DeviceId`	string	Associated device
`RemoteIP`	string	Associated remote IP
`FileName`	string	Associated file
`SHA256`	string	Associated file hash

TOTAL Classification: Alert

Sample Source Event (Advanced Hunting — DeviceLogonEvents)

{
  "Timestamp": "2026-03-15T08:45:12.000Z",
  "DeviceId": "device-id-001",
  "DeviceName": "ACME-WS-001.acme.local",
  "ActionType": "LogonSuccess",
  "LogonType": "RemoteInteractive",
  "AccountDomain": "ACME",
  "AccountName": "jane.doe",
  "AccountSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
  "IsLocalAdmin": false,
  "RemoteDeviceName": "ACME-JUMP-001",
  "RemoteIP": "10.0.5.22",
  "RemoteIPType": "Private",
  "RemotePort": 3389,
  "Protocol": "RDP",
  "FailureReason": "",
  "InitiatingProcessAccountDomain": "ACME",
  "InitiatingProcessAccountName": "jane.doe",
  "InitiatingProcessAccountSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
  "InitiatingProcessAccountUpn": "jane.doe@acme.com",
  "InitiatingProcessAccountObjectId": "user-aad-id-001",
  "LogonId": 12345678,
  "ReportId": 98765432
}

TOTAL Normalized Event

{
  "event_id": "f6a7b8c9-d0e1-2345-fghi-678901234567",
  "event_type": "AUTH",
  "source": "DEFENDER_ENDPOINT",
  "signal_type": "ENDPOINT",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-jane-doe-001",
  "timestamp": "2026-03-15T08:45:12.000Z",
  "payload": {
    "user": "jane.doe@acme.com",
    "action": "LogonSuccess",
    "logon_type": "RemoteInteractive",
    "device": "ACME-WS-001.acme.local",
    "remote_device": "ACME-JUMP-001",
    "remote_ip": "10.0.5.22",
    "protocol": "RDP",
    "is_local_admin": false
  },
  "raw_metadata": {
    "platform_event_id": "98765432",
    "action_type": "LogonSuccess",
    "logon_type": "RemoteInteractive",
    "device_id": "device-id-001",
    "device_name": "ACME-WS-001.acme.local",
    "account_domain": "ACME",
    "account_name": "jane.doe",
    "account_sid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
    "is_local_admin": false,
    "remote_device_name": "ACME-JUMP-001",
    "remote_ip": "10.0.5.22",
    "remote_ip_type": "Private",
    "remote_port": 3389,
    "protocol": "RDP",
    "logon_id": 12345678,
    "created_at": "2026-03-15T08:45:12.000Z",
    "source_platform": "defender_endpoint"
  },
  "platform_event_id": "98765432",
  "platform_event_source": "DEFENDER_XDR_ADVANCED_HUNTING_API"
}

How This Feeds TOTAL

Persona Building

Defender for Endpoint events define a user’s endpoint behavior profile — which devices they log into, what processes they run, what network connections originate from their workstation, and what files they interact with locally. This forms the endpoint layer of each persona, establishing what “normal” looks like at the device level.

Anomaly Detection

TOTAL’s behavioral engine uses Defender for Endpoint events to detect:

Lateral movement — RDP or network logons to devices outside a user’s normal scope, especially from jump servers or administrative workstations
Credential misuse — logon failures followed by success on different devices, indicating credential stuffing or pass-the-hash attacks
Suspicious process execution — processes launched from unusual paths, with elevated tokens, or matching known attack tooling patterns
USB exfiltration — USB drive mount events correlated with file copy activity on devices handling sensitive data
Network anomalies — outbound connections to unusual IPs or ports from a user’s device, especially when correlated with process events
Registry persistence — registry modifications associated with persistence mechanisms (run keys, scheduled tasks, services)

Breach Lifecycle Coverage

Defender for Endpoint events provide primary coverage across Privilege Escalation, Siphon Data, and Siege stages. This is high-fidelity signal that emerges later in the attack chain and validates earlier persona-based risk signals from identity and communication layers. When correlated with upstream signals, endpoint events provide the confirmation needed to escalate from behavioral anomaly to confirmed threat.

INTEGRATIONS

​Overview

​Prerequisites

​Step 1: Register an Application in Entra ID

​Step 2: Create a Client Secret

​Step 3: Grant API Permissions

​Step 4: Verify Connectivity

​Security & Privacy

​What We Access

​What We Don’t Have Access To

​Updating or Rotating Credentials

​Rotate Client Secret (Recommended: Before expiry)

​Revoke Access

​Rate Limiting & Scalability

​Defender XDR Advanced Hunting API Rate Limits

​Ingestion Capacity

​Event Freshness

​Resilience

​Connector Design

​Part 2: Event Types & Data Schema

​Signal Classification

​Event Types We Ingest

​Device Logon Events (DeviceLogonEvents)

​Device Process Events (DeviceProcessEvents)

​Device Network Events (DeviceNetworkEvents)

​Device File Events (DeviceFileEvents)

​Device Events (DeviceEvents)

​Device Registry Events (DeviceRegistryEvents)

​Alert Events (AlertInfo + AlertEvidence)

​Sample Source Event (Advanced Hunting — DeviceLogonEvents)

​TOTAL Normalized Event

​How This Feeds TOTAL

​Persona Building

​Anomaly Detection

​Breach Lifecycle Coverage