Integrations
Endpoint Analytics supports multiple third-party integrations that further enhance the system’s capabilities.
Tenable.io
When enabled, Tenable.io integration allows Endpoint Analytics to pull vulnerability data from the scanning service and use it to assign a risk level to endpoints discovered on the local network.
After configuring the integration, Tenable.io risk metadata will be taken into account when assigning an overall risk level to an endpoint. A Tenable.io subtab containing the following will also become available under the Risk tab of Endpoint Summary pages:
Risk level badge based on the highest risk vulnerability discovered by the service
Hyperlink to Tenable.io asset activity page for the endpoint
Hyperlink to Tenable.io asset vulnerability page for the endpoint
In addition, all assets that are known to both Endpoint Analytics and Tenable.io will be listed under the Endpoints by Risk view, including those with no risk/vulnerabilities reported by Tenable.io.
To configure Tenable.io integration, follow these steps:
Navigate to Configuration > Integrations, and then select Tenable.io to open the configuration page.
Fill in the fields with the Tenable.io access key and secret key.
Tick the Enabled checkbox, and then click Test Connection to verify the credentials entered.
When done, click the Save button to save the configuration.
Microsoft Defender
When enabled, Microsoft Defender integration enables the following functions in Endpoint Analytics:
Pull external OS risk data from the risk analysis platform and use it to assign a risk level to endpoints discovered on the local network
Import MS Defender machine inventory as endpoints
Automatically create and assign dynamic profiles (named ⇋ OS or ⇋ OS_VERSION) to imported endpoints whose OS details are provided by MS Defender
After enabling the integration, MS Defender vulnerabilities will be factored into an endpoint’s overall risk level. Endpoints with risk factors reported by MS Defender will include a hyperlink to the MS Defender overview page in their Endpoint Summary. MS Defender actions (Run Scan, Isolate Machine, and Unisolate Machine) will also be available for supported devices that have been onboarded in MS Defender.
Additionally, a Microsoft Defender subtab containing the following information will be added under the Risk tab of Endpoint Summary pages:
Description of the most severe vulnerability found via Microsoft Defender Exposure assessment and a corresponding Exposure Risk Level badge
Number of vulnerabilities, which also links directly to the endpoint’s Microsoft Defender vulnerabilities page
Risk Level badge based on the most severe alert found via Microsoft Defender Risk assessment
Hyperlink to Microsoft Defender risk alerts page for the endpoint
Hyperlink to Microsoft Defender overview page for the endpoint
Note
Machine inventory information is collected hourly, starting from when MS Defender integration is enabled.
Imported endpoints will always have a Very High profile match score against the automatically created OS-based profiles. Imported endpoints for which MS Defender does not provide OS details will be assigned profiles as normal.
If MS Defender integration is disabled, all associated profiles are deleted. Imported endpoints are retained and will be assigned standard profiles instead (requires a full re-model).
Configuring MS Defender integration
Follow the process outlined below to set up and enable MS Defender integration in Endpoint Analytics.
Creating an application
To set up an application to allow Endpoint Analytics to access MS Defender, follow these steps:
Log in to the Azure portal with a user that has the Global Administrator role.
From the Azure Active Directory page, navigate to App registrations > New registration.
Enter a name for the application, and then click Register.
Note the application (client) ID and directory (tenant) ID.
Under Certificates and Secrets, select New Client Secret.
Enter a description and an expiration date, and then click Add. Choose the shortest expiration your rotation process can meet, and record the expiry date: the integration stops working once the secret lapses.
Copy the generated client secret value immediately; it cannot be retrieved later. This secret grants isolation and scan rights over every onboarded device, so handle it as a privileged credential and store it only in Endpoint Analytics.
API permissions
Once added, the application will need to be granted the necessary API permissions (see below) to allow Endpoint Analytics to access the APIs.
Note
Every time a permission is added, go to the API Permissions page for the application and grant it admin consent (requires Global Administrator role) for the organization. Application permissions that have been added but not consented are not included in the tokens issued to the application, so Test Connection fails until consent is granted.
Following are the permissions required for the APIs used by Endpoint Analytics. Where a table lists two permissions, either one satisfies that API (as in Microsoft's API reference). The read-only variant is sufficient here, because the write actions Endpoint Analytics performs (isolate, release, scan) have their own dedicated permissions, so grant only the read-only one.
Get MachineAction
Retrieves a single machine action entity
| Permission | Description |
|---|---|
| Machine.Read.All | Read all machine profiles |
| Machine.ReadWrite.All | Read and write all machine information |
List MachineActions
Retrieves a list of machine actions
| Permission | Description |
|---|---|
| Machine.Read.All | Read all machine profiles |
| Machine.ReadWrite.All | Read and write all machine information |
List alerts
Retrieves a collection of alerts
| Permission | Description |
|---|---|
| Alert.Read.All | Read all alerts |
| Alert.ReadWrite.All | Read and write all alerts |
Isolate machine
Isolates a compromised machine from accessing external networks
Important
When isolating a machine, it loses network connectivity (other than to the Defender for Endpoint service itself) until it is released from isolation. Confirm the endpoint identity before triggering this action; isolating the wrong device is an outage.
| Permission | Description |
|---|---|
| Machine.Isolate | Isolate machine |
Release machine from isolation
Undo isolation of a machine to re-enable network connectivity
| Permission | Description |
|---|---|
| Machine.Isolate | Isolate machine |
Run antivirus scan
Initiate a Microsoft Defender Antivirus scan on the device
| Permission | Description |
|---|---|
| Machine.Scan | Scan machine |
List vulnerabilities
Retrieves a list of all the vulnerabilities affecting the organization
| Permission | Description |
|---|---|
| Vulnerability.Read.All | Read Threat and Vulnerability Management vulnerability information |
Advanced hunting
Run queries from API to locate threat indicators and entities
| Permission | Description |
|---|---|
| AdvancedQuery.Read.All | Run advanced queries |
Get software by ID
Retrieves a specific software by its software ID
| Permission | Description |
|---|---|
| Software.Read.All | Read Threat and Vulnerability Management Software information |
List devices by software
Retrieves a list of devices that are associated with the software ID
| Permission | Description |
|---|---|
| Software.Read.All | Read Threat and Vulnerability Management Software information |
Enabling MS Defender integration in Endpoint Analytics
To configure and enable MS Defender integration, follow these steps:
In the Endpoint Analytics web interface, navigate to Configuration > Integrations, and then select Microsoft Defender to open the configuration page.
Fill in the provided fields with the MS Defender tenant ID, client ID, and client secret key.
Tick the Enabled checkbox, and then click Test Connection to verify the credentials entered.
Click Save.
Once the information has been saved, Endpoint Analytics will attempt to collect the necessary information from MS Defender, and all additional functions (see above) will be enabled.
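Before pasting the credentials into the appliance, it is worth checking what the app registration can actually do, since a permission that was added but never admin-consented is the usual reason Test Connection fails. The script below is an added example and not part of Endpoint Analytics: it obtains a client-credentials token for the Defender for Endpoint API and compares the token's `roles` claim (which lists only consented application permissions) against the permission tables above. The token endpoint and scope are Microsoft's; the environment variable names and the grouping of alternative permissions are this example's own.

```python
"""Pre-flight check for the Endpoint Analytics <-> Microsoft Defender app registration.

Added example, not Endpoint Analytics code. Requests a client-credentials token
for the Defender for Endpoint API and inspects its `roles` claim: an application
permission that was added but never granted admin consent does not appear there.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# One tuple per API in the permission tables; any single role in a tuple satisfies it.
# Read-only variants are listed first: Endpoint Analytics' write actions have their
# own dedicated permissions (Machine.Isolate, Machine.Scan).
REQUIRED_ROLES = (
    ("Machine.Read.All", "Machine.ReadWrite.All"),   # Get MachineAction / List MachineActions
    ("Alert.Read.All", "Alert.ReadWrite.All"),       # List alerts
    ("Machine.Isolate",),                            # Isolate / release machine
    ("Machine.Scan",),                               # Run antivirus scan
    ("Vulnerability.Read.All",),                     # List vulnerabilities
    ("AdvancedQuery.Read.All",),                     # Advanced hunting
    ("Software.Read.All",),                          # Get software by ID / List devices by software
)

# Microsoft's token endpoint (v2.0) and the Defender for Endpoint API scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant; returns the raw access token (a JWT)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.

    Acceptable here only because we inspect a token we just obtained from the
    issuer ourselves; never use an unverified decode for an authorization decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(payload: dict, required=REQUIRED_ROLES) -> list:
    """Return the alternative groups in `required` that no granted role satisfies."""
    granted = set(payload.get("roles", []))
    return [alts for alts in required if not granted.intersection(alts)]


def main() -> int:
    # Environment variable names are this example's own (assumption, not a product setting).
    names = ("DEFENDER_TENANT_ID", "DEFENDER_CLIENT_ID", "DEFENDER_CLIENT_SECRET")
    env = {k: os.environ.get(k) for k in names}
    if not all(env.values()):
        print("set " + ", ".join(names), file=sys.stderr)
        return 2
    token = request_token(env[names[0]], env[names[1]], env[names[2]])
    missing = missing_roles(decode_jwt_payload(token))
    for alts in missing:
        print("missing (grant and admin-consent one of): " + " / ".join(alts))
    print("all required permissions present" if not missing else f"{len(missing)} permission(s) missing")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main())
```

If the token request itself fails (HTTP 400/401), the tenant ID, client ID or secret is wrong or expired; if it succeeds but roles are reported missing, the permission exists on the registration but has not been consented, which is exactly the situation the Note above describes.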
Important
Azure SSO authentication within the web interface is not required to open the external MS Defender pages linked from an endpoint's Endpoint Summary. However, the user opening those pages must hold at least the Azure AD Security Reader role in the Defender tenant.
Third-party SSO
SSO authentication for the Endpoint Analytics web interface has been tested with the following third-party identity providers:
Microsoft Azure Active Directory
Google
Okta
Important
Before configuring SSO in the web interface, the identity provider must be set to accept authentication requests from Endpoint Analytics.
To configure the Endpoint Analytics web interface to route authentication through a third-party identity provider, follow these steps:
Navigate to Configuration > Identity Providers, and then select Add Identity Provider.
On the Add Identity Provider page, enter the following details:
Name: Unique, internal name for the provider/service
Client ID: ID assigned to the app registration in the identity provider console (also called the application ID)
Discovery Document Endpoint: OpenID Connect metadata document URL (should end in /.well-known/openid-configuration)
(Optional) Authorized Groups: Comma-separated list of identity-provider groups whose members are allowed to log in via SSO (no group restriction if left blank)
Select the radio button for the default access level to assign to users when they log in for the first time (does not affect existing users).
Tick the Verify Token Signature checkbox to require that the signature on tokens returned by the identity provider is verified before they are accepted (not supported by all identity providers). Enable it wherever the provider supports it: without signature verification, the appliance has no cryptographic assurance that the identity and group claims in a token were issued by the provider.
Tick the Enable checkbox to activate SSO via the identity provider, and then click Save.
After SSO has been configured and enabled, attempts to log in via https://<appliance_ip> will be redirected to the identity provider currently enabled.
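What the settings above amount to at login time is ordinary OpenID Connect relying-party validation: the identity provider returns an ID token, and the appliance must check its issuer, audience (the Client ID), expiry and signature before trusting the user and group claims inside it. The following is an added example and not Endpoint Analytics code; it models that validation and shows why Verify Token Signature matters. Real providers sign ID tokens with RS256 using keys published at the discovery document's `jwks_uri`; HMAC-SHA256 stands in for the signature here so the example runs on the standard library alone. The `verify_signature` flag mirrors the checkbox, the `authorized_groups` argument mirrors the Authorized Groups field, and the issuer, client ID, key and claims are constructed.

```python
"""OIDC ID-token validation as a relying party performs it (added example, not product code).

HMAC-SHA256 stands in for the provider's RS256 signature so this runs offline; the
claim checks (iss, aud, exp) follow OpenID Connect Core section 3.1.3.7.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def check_discovery_url(url: str) -> bool:
    """The Discovery Document Endpoint must be HTTPS and end in the well-known path."""
    return url.startswith("https://") and url.endswith("/.well-known/openid-configuration")


def issue_token(key: bytes, claims: dict) -> str:
    """Mint a token the way the identity provider would (HS256 stand-in for RS256)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token, key, issuer, client_id, authorized_groups=(), verify_signature=True, now=None):
    """Return (ok, reason_or_identity). Signature first, then claims, then group authorization."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    if verify_signature:
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False, "bad signature"
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    # Authorized Groups: empty means no group restriction, as the field description says.
    if authorized_groups and not set(claims.get("groups", [])) & set(authorized_groups):
        return False, "user not in an authorized group"
    return True, claims.get("email") or claims.get("sub")


def tamper(token: str, **changes) -> str:
    """Rewrite payload claims without re-signing, as an attacker without the key would."""
    header, body, sig = token.split(".")
    claims = json.loads(_unb64url(body))
    claims.update(changes)
    new_body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_body}.{sig}"
```

The `tamper` function is the point of the example: a token whose `groups` or `email` claim has been rewritten fails with "bad signature" when verification is on, but is accepted as a valid login for the forged identity when `verify_signature=False`, which models leaving the checkbox unticked.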
Managing identity providers
Selecting List Identity Providers from the Identity Providers configuration submenu will open a summary page listing all identity providers currently configured within the system.
From this page, the following actions can be performed:
Adding a new identity provider
Editing the settings of a configured identity provider
Enabling/disabling identity providers
Deleting identity provider configurations
Exporting identity provider data in CSV format
Hint
To revert to local user authentication for the web interface, either delete or disable all identity providers. Doing so deletes all accounts that were created through SSO authentication; only locally created accounts (and the administrator account) retain access to the web interface.