Microsoft Defender

When enabled, Microsoft Defender integration allows Plixer Endpoint Analytics to pull external OS risk data from the risk analysis platform and use it to assign a risk level to endpoints discovered on the local network.

Creating an application

Before anything else, create an application to access Microsoft Defender.

  1. Log in to the Azure portal with a user that has the Global Administrator role.

  2. Go to the Azure Active Directory page.

  3. Then, navigate to App registrations > New registration.

  4. In the registration form, choose a name for your application, and then click Register.

API permissions

Then, configure the API permissions the application needs so that Plixer Endpoint Analytics can call all of the APIs listed below. Follow the instructions in this link for adding the API permissions.

Important

Every time a permission is added, a user with the Global Administrator role must open the app's API Permissions page and grant admin consent for that permission on behalf of the organization.

The permissions required to call each of the following APIs are listed below:

Get MachineAction

Retrieves a single machine action entity.

Permission                Description
------------------------  --------------------------------------
Machine.Read.All          Read all machine profiles
Machine.ReadWrite.All     Read and write all machine information

List MachineActions

Retrieves a list of machine actions.

Permission                Description
------------------------  --------------------------------------
Machine.Read.All          Read all machine profiles
Machine.ReadWrite.All     Read and write all machine information

List alerts

Retrieves a collection of alerts.

Permission                Description
------------------------  -------------------------
Alert.Read.All            Read all alerts
Alert.ReadWrite.All       Read and write all alerts

Isolate machine

Isolates a compromised machine so that it cannot reach the external network.

Important

When isolating a machine, it will lose all network connectivity until it is released from isolation.

Permission                Description
------------------------  ---------------
Machine.Isolate           Isolate machine

Release machine from isolation

Undoes the isolation of a machine, reconnecting it to the network; this can be done at any time.

Permission                Description
------------------------  ---------------
Machine.Isolate           Isolate machine

Run antivirus scan

Initiate a Microsoft Defender Antivirus scan on the device.

Permission                Description
------------------------  ------------
Machine.Scan              Scan machine

List vulnerabilities

Retrieves a list of all the vulnerabilities affecting the organization.

Permission                Description
------------------------  ------------------------------------------------------------------
Vulnerability.Read.All    Read Threat and Vulnerability Management vulnerability information

Note

If the application does not have the machine API permission, it will fail to retrieve the machine info and will not make the vulnerabilities API call. Therefore, you need an app with the machine API permission but without the vulnerabilities permission. The machine must also have a risk score or exposure level that is not “none” or “informational,” as device vulnerabilities are only retrieved when the risk score or exposure level is meaningful.

Advanced hunting

Run queries through the API to locate threat indicators and entities.

Permission                Description
------------------------  --------------------
AdvancedQuery.Read.All    Run advanced queries

Get software by ID

Retrieves a specific software entry by its software ID.

Permission                Description
------------------------  -------------------------------------------------------------
Software.Read.All         Read Threat and Vulnerability Management Software information

List devices by software

Retrieves a list of devices that are associated with the software ID.

Permission                Description
------------------------  -------------------------------------------------------------
Software.Read.All         Read Threat and Vulnerability Management Software information
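As a pre-flight check on the permission tables above and the failure mode described in the Note, this added Python example (not Plixer's or Microsoft's code) builds the client-credentials token request from the tenant ID, client ID and secret the integration asks for, then reads the `roles` claim of the returned access token and lists which of the API calls on this page have no consented permission. The Defender for Endpoint token scope and login endpoint are Microsoft's documented values rather than anything stated on this page; `fake_token` is a constructed, unsigned token used only so the check runs offline.

```python
import base64
import json
import urllib.parse

# Defender for Endpoint API calls listed on this page, each mapped to the set of
# application permissions of which at least one must appear in the token's "roles".
REQUIRED_ROLES = {
    "Get MachineAction": {"Machine.Read.All", "Machine.ReadWrite.All"},
    "List MachineActions": {"Machine.Read.All", "Machine.ReadWrite.All"},
    "List alerts": {"Alert.Read.All", "Alert.ReadWrite.All"},
    "Isolate machine": {"Machine.Isolate"},
    "Release machine from isolation": {"Machine.Isolate"},
    "Run antivirus scan": {"Machine.Scan"},
    "List vulnerabilities": {"Vulnerability.Read.All"},
    "Advanced hunting": {"AdvancedQuery.Read.All"},
    "Get software by ID": {"Software.Read.All"},
    "List devices by software": {"Software.Read.All"},
}

TOKEN_SCOPE = "https://api.securitycenter.microsoft.com/.default"  # not stated on the page

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (URL and form body) for the tenant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    })
    return url, body

def granted_roles(access_token):
    """Application permissions in the token's 'roles' claim. The claims are only
    inspected here, not validated: the API validates the signature on each call."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload_b64)).get("roles", []))

def missing_consent(roles):
    """API calls that will fail because none of their permissions was consented."""
    return sorted(op for op, needed in REQUIRED_ROLES.items() if not roles & needed)

def fake_token(roles):
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.signature"
```

Run `missing_consent(granted_roles(token))` against a real token from `token_request` before enabling the integration: any operation it returns still needs admin consent on the app's API Permissions page.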

Integrating Microsoft Defender with Plixer Endpoint Analytics

To configure Microsoft Defender integration, follow these steps:

  1. Navigate to Configuration > Integrations, and then select Microsoft Defender to open the configuration page.

  2. Fill in the provided fields with the Microsoft Defender tenant ID, client ID, and secret key.

  3. Tick the Enabled checkbox, and then click Test Connection to verify the credentials entered.

  4. Click Save.

Important

Azure SSO authentication within the web interface is not required to view external Microsoft Defender pages for endpoints discovered by Plixer Endpoint Analytics, but a user must have Azure AD Security Reader role permissions (minimum) as described here.

After configuring the integration, Microsoft Defender vulnerabilities are factored into an endpoint's overall risk level. A hyperlink to an endpoint's Microsoft Defender overview page is also added to the Endpoint Summary pages, along with additional buttons for Microsoft Defender actions (Run Scan, Isolate Machine, and Unisolate Machine).

A Microsoft Defender subtab containing the following will also become available under the Risk tab of Endpoint Summary pages:

  • Description of the most severe vulnerability found via Microsoft Defender Exposure assessment and a corresponding Exposure Risk Level badge

  • Number of vulnerabilities, which also links directly to the endpoint’s Microsoft Defender vulnerabilities page

  • Risk Level badge based on the most severe alert found via Microsoft Defender Risk assessment

  • Hyperlink to Microsoft Defender risk alerts page for the endpoint

  • Hyperlink to Microsoft Defender overview page for the endpoint