Microsoft Defender

When enabled, Microsoft Defender integration enables the following functions in Endpoint Analytics:

  • Pull OS risk data from the MS Defender risk analysis platform and use it to assign a risk level to endpoints discovered on the local network

  • Import MS Defender machine inventory as endpoints

  • Automatically create and assign dynamic profiles (named OS or OS_VERSION) to imported endpoints whose OS details are provided by MS Defender

After enabling the integration, MS Defender vulnerabilities will be factored into an endpoint’s overall risk level. Endpoints with risk factors reported by MS Defender will include a hyperlink to the MS Defender overview page in their Endpoint Summary. MS Defender actions (Run Scan, Isolate Machine, and Unisolate Machine) will also be available for supported devices that have been onboarded in MS Defender.

Additionally, a Microsoft Defender subtab containing the following information will be added under the Risk tab of Endpoint Summary pages:

  • Description of the most severe vulnerability found via Microsoft Defender Exposure assessment and a corresponding Exposure Risk Level badge

  • Number of vulnerabilities, which also links directly to the endpoint’s Microsoft Defender vulnerabilities page

  • Risk Level badge based on the most severe alert found via Microsoft Defender Risk assessment

  • Hyperlink to Microsoft Defender risk alerts page for the endpoint

  • Hyperlink to Microsoft Defender overview page for the endpoint

Note

  • Machine inventory information is collected hourly, starting from when MS Defender integration is enabled.

  • Imported endpoints will always have a Very High profile match score against the automatically created OS-based profiles. Imported endpoints for which MS Defender does not provide OS details will be assigned profiles as normal.

  • If MS Defender integration is disabled, all associated profiles are deleted. Imported endpoints are retained and will be assigned standard profiles instead (requires a full re-model).

Configuring MS Defender integration

Follow the process outlined below to set up and enable MS Defender integration in Endpoint Analytics.

Creating an application

To set up an application to allow Endpoint Analytics to access MS Defender, follow these steps:

  1. Log in to the Azure portal with a user that has the Global Administrator role.

  2. From the Azure Active Directory (Microsoft Entra ID) page, navigate to App registrations > New registration.

  3. Enter a name for the application, and then click Register.

  4. Note the application (client) ID and directory (tenant) ID.

  5. Under Certificates and Secrets, select New Client Secret.

  6. Enter a description and expiration date, and then click Add.

  7. Note the client secret value immediately; it is shown only once and cannot be retrieved later. Store it in a secrets manager rather than in a ticket or chat, and record the expiration date: once the secret expires the integration can no longer authenticate, so a replacement secret must be created and entered in Endpoint Analytics before that date.

API permissions

Once added, the application will need to be granted the necessary API permissions (see below) to allow Endpoint Analytics to access the APIs.

Note

Application permissions take effect only after admin consent. Every time a permission is added, go to the API Permissions page for the application and click Grant admin consent for the organization (requires the Global Administrator role). Until consent is granted, the token issued to the application carries no roles and every call Endpoint Analytics makes to the MS Defender API is rejected.

Following are the permissions required for the APIs used by Endpoint Analytics. They are application permissions of the WindowsDefenderATP API (App registrations > API permissions > Add a permission > APIs my organization uses > WindowsDefenderATP). Where an API lists two permissions, either one is sufficient; grant the Read variant unless something else in your tenant needs the ReadWrite variant. The minimal set is therefore Machine.Read.All, Alert.Read.All, Machine.Isolate, Machine.Scan, Vulnerability.Read.All, AdvancedQuery.Read.All, and Software.Read.All.

Get MachineAction

Retrieves a single machine action entity

  Permission               Description
  Machine.Read.All         Read all machine profiles
  Machine.ReadWrite.All    Read and write all machine information

List MachineActions

Retrieves a list of machine actions

  Permission               Description
  Machine.Read.All         Read all machine profiles
  Machine.ReadWrite.All    Read and write all machine information

List alerts

Retrieves a collection of alerts

  Permission               Description
  Alert.Read.All           Read all alerts
  Alert.ReadWrite.All      Read and write all alerts

Isolate machine

Isolates a compromised machine from accessing external networks

Important

When a machine is isolated it loses all network connectivity, except to the Defender for Endpoint service, until it is released from isolation. That remaining Defender connection is what allows the release action to reach the device.

  Permission               Description
  Machine.Isolate          Isolate machine

Release machine from isolation

Undo isolation of a machine to re-enable network connectivity

  Permission               Description
  Machine.Isolate          Isolate machine

Run antivirus scan

Initiate a Microsoft Defender Antivirus scan on the device

  Permission               Description
  Machine.Scan             Scan machine

List vulnerabilities

Retrieves a list of all the vulnerabilities affecting the organization

  Permission               Description
  Vulnerability.Read.All   Read Threat and Vulnerability Management vulnerability information

Advanced hunting

Run queries from the API to locate threat indicators and entities

  Permission               Description
  AdvancedQuery.Read.All   Run advanced queries

Get software by ID

Retrieves a specific software by its software ID

  Permission               Description
  Software.Read.All        Read Threat and Vulnerability Management software information

List devices by software

Retrieves a list of devices that are associated with the software ID

  Permission               Description
  Software.Read.All        Read Threat and Vulnerability Management software information

Enabling MS Defender integration in Endpoint Analytics

To configure and enable MS Defender integration, follow these steps:

  1. In the Endpoint Analytics web interface, navigate to Configuration > Integrations, and then select Microsoft Defender to open the configuration page.

  2. Fill in the provided fields with the tenant ID, client ID, and client secret value noted when the application was created.

  3. Tick the Enabled checkbox, and then click Test Connection to verify the credentials entered.

  4. Click Save.

Once the information has been saved, Endpoint Analytics will attempt to collect the necessary information from MS Defender, and all additional functions (see above) will be enabled.
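Before entering the credentials into Endpoint Analytics, it is worth confirming from the command line that the application can obtain a token for the MS Defender API and that admin consent has actually been granted for every permission in the table above: the roles claim of the issued token lists exactly the consented application permissions, so a missing entry there is the cause of a failed Test Connection. The following script is an added example and not part of Endpoint Analytics or this page. It assumes the credentials are supplied in the hypothetical environment variables MDE_TENANT_ID, MDE_CLIENT_ID and MDE_CLIENT_SECRET, uses the v2.0 token endpoint with the .default scope, and decodes the token payload without verifying its signature, which is acceptable only because the token was just received from the token endpoint over TLS rather than presented by a third party. The sample_token helper builds an unsigned, constructed token so the checking logic can be exercised offline.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

MDE_RESOURCE = "https://api.securitycenter.microsoft.com"

# Least-privilege set derived from the permissions table: one permission per
# API, taking the Read variant where the table offers Read or ReadWrite.
REQUIRED_ROLES = frozenset({
    "Machine.Read.All",        # Get MachineAction, List MachineActions
    "Alert.Read.All",          # List alerts
    "Machine.Isolate",         # Isolate machine, release machine from isolation
    "Machine.Scan",            # Run antivirus scan
    "Vulnerability.Read.All",  # List vulnerabilities
    "AdvancedQuery.Read.All",  # Advanced hunting
    "Software.Read.All",       # Get software by ID, List devices by software
})

# A granted ReadWrite permission satisfies the corresponding Read requirement.
SUPERSETS = {
    "Machine.Read.All": {"Machine.ReadWrite.All"},
    "Alert.Read.All": {"Alert.ReadWrite.All"},
}


def acquire_token(tenant_id, client_id, client_secret):
    """Client-credentials flow against the v2.0 token endpoint; returns the raw JWT."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MDE_RESOURCE}/.default",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT without signature verification.

    Only safe for a token this process just obtained from the token endpoint;
    never use this to trust a token presented by someone else.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWT
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(payload, required=REQUIRED_ROLES):
    """Return the required application permissions absent from the roles claim."""
    granted = set(payload.get("roles", []))
    missing = set()
    for role in required:
        if role in granted or granted & SUPERSETS.get(role, set()):
            continue
        missing.add(role)
    return missing


def check_token(token):
    """Return (missing_permissions, audience) for a Defender API access token."""
    payload = decode_jwt_payload(token)
    return missing_roles(payload), payload.get("aud")


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(roles):
    """Constructed, unsigned JWT for offline demonstration; not issued by Azure AD."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    payload = _b64url({"aud": MDE_RESOURCE, "roles": sorted(roles)})
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Hypothetical variable names chosen for this example.
    tenant, client, secret = (os.environ.get(k) for k in
                              ("MDE_TENANT_ID", "MDE_CLIENT_ID", "MDE_CLIENT_SECRET"))
    if not all((tenant, client, secret)):
        sys.exit("set MDE_TENANT_ID, MDE_CLIENT_ID and MDE_CLIENT_SECRET")
    missing, aud = check_token(acquire_token(tenant, client, secret))
    print(f"token audience: {aud}")
    if missing:
        print("missing (add the permission, then grant admin consent): "
              + ", ".join(sorted(missing)))
        sys.exit(1)
    print("all required application permissions are consented")
```

If the token request itself fails with an invalid_client error, the client ID or secret is wrong or the secret has expired; if the token is issued but the roles claim is short, the permission was added without admin consent, which is the case the Note above warns about.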

Important

Azure SSO authentication within the web interface is not required to view external MS Defender pages for endpoints discovered by Endpoint Analytics. However, the user opening those pages must hold at least the Security Reader role in Azure AD (Microsoft Entra ID).