Microsoft Defender

When enabled, the Microsoft Defender integration lets Plixer Endpoint Analytics pull OS risk data (Defender alerts and vulnerability findings) from Microsoft Defender and use it when assigning a risk level to endpoints discovered on the local network.

Creating an application

Before anything else, register an application in Azure Active Directory that Plixer Endpoint Analytics will use to authenticate to Microsoft Defender.

  1. Log in to the Azure portal with a user that has the Global Administrator role.

  2. Go to the Azure Active Directory page.

  3. Then, navigate to App registrations > New registration.

  4. In the registration form, choose a name for your application, and then click Register.

  5. Take note of the application (client) ID and directory (tenant) ID for future use.

Adding an application secret

  1. Navigate to Certificates and Secrets within your newly created application.

  2. Select New Client Secret.

  3. Enter a description, select an expiration date, and then click Add.

Important

Copy and save the generated client secret value for future use. You will not be able to retrieve this value after you leave this view.

API permissions

Next, add the API permissions the application needs so that Plixer Endpoint Analytics can call every API listed below. On the application's API permissions page, select Add a permission, choose the Microsoft Defender for Endpoint API (listed as WindowsDefenderATP under APIs my organization uses), select Application permissions, and add the permissions listed below. Follow the instructions in this link for adding the API permissions.

Important

Each time a permission is added, a user with the Global Administrator role must open the app's API permissions page and grant admin consent for the organization. Application permissions have no effect until consent has been granted.

The integration calls the following Microsoft Defender APIs. Each API requires one of the listed application permissions; where both a Read.All and a ReadWrite.All permission are listed, either one satisfies the call, and Read.All is the least-privilege choice.

Get MachineAction

Retrieves a single machine action entity.

  Permission               Description
  Machine.Read.All         Read all machine profiles
  Machine.ReadWrite.All    Read and write all machine information

List MachineActions

Retrieves a list of machine actions.

  Permission               Description
  Machine.Read.All         Read all machine profiles
  Machine.ReadWrite.All    Read and write all machine information

List alerts

Retrieves a collection of alerts.

  Permission               Description
  Alert.Read.All           Read all alerts
  Alert.ReadWrite.All      Read and write all alerts

Isolate machine

Isolates a compromised machine from accessing the external network.

Important

When a machine is isolated, it loses all network connectivity until it is released from isolation.

  Permission               Description
  Machine.Isolate          Isolate machine

Release machine from isolation

Undoes the isolation of a machine and reconnects it to the network; this can be done at any time.

  Permission               Description
  Machine.Isolate          Isolate machine

Run antivirus scan

Initiates a Microsoft Defender Antivirus scan on the device.

  Permission               Description
  Machine.Scan             Scan machine

List vulnerabilities

Retrieves a list of all the vulnerabilities affecting the organization.

  Permission               Description
  Vulnerability.Read.All   Read Threat and Vulnerability Management vulnerability information

Advanced hunting

Runs queries through the API to locate threat indicators and entities.

  Permission               Description
  AdvancedQuery.Read.All   Run advanced queries

Get software by ID

Retrieves a specific software entry by its software ID.

  Permission               Description
  Software.Read.All        Read Threat and Vulnerability Management software information

List devices by software

Retrieves a list of devices that are associated with a software ID.

  Permission               Description
  Software.Read.All        Read Threat and Vulnerability Management software information
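The registration, client secret, API permission and admin consent steps above can be scripted instead of clicked through, and scripting them makes it easy to confirm that consent actually took effect before configuring the integration. The following is an added example, not Plixer's or Microsoft's own code: it uses the Microsoft Graph PowerShell SDK to register the app, add a secret, declare and grant the permissions from the tables above (taking Read.All where a ReadWrite.All alternative exists), then requests a client-credentials token for the Defender API and reads back its roles claim. It assumes the Microsoft.Graph module is installed, the signed-in user is allowed to grant consent (the page calls for Global Administrator), the Defender for Endpoint API appears in the tenant under the display name WindowsDefenderATP, and the application display name and secret lifetime are arbitrary choices.

```powershell
# Added example; not Plixer's or Microsoft's code. Assumptions: Microsoft.Graph
# module installed, signed-in user can grant admin consent, Defender for
# Endpoint API is registered in the tenant as WindowsDefenderATP, and the
# display name / secret lifetime below are arbitrary.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# 1. Register the application and create its service principal.
$app = New-MgApplication -DisplayName "Plixer-Endpoint-Analytics-Defender"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Add a client secret. SecretText is returned once; store it securely now.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "plixer-integration"
    EndDateTime = (Get-Date).AddMonths(12)
}

# 3. Resolve the Defender for Endpoint API and the app roles (application
#    permissions) we need. Read.All is enough where a ReadWrite.All twin exists.
$mde = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'"
if (-not $mde) { throw "Defender for Endpoint API service principal not found in this tenant" }

$wanted = @("Machine.Read.All", "Alert.Read.All", "Machine.Isolate", "Machine.Scan",
            "Vulnerability.Read.All", "AdvancedQuery.Read.All", "Software.Read.All")
$roleIds = @{}
foreach ($name in $wanted) {
    $role = $mde.AppRoles | Where-Object { $_.Value -eq $name }
    if (-not $role) { throw "App role $name is not exposed by $($mde.DisplayName)" }
    $roleIds[$name] = $role.Id
}

# 4. Declare the permissions on the app (what the portal lists under API permissions)...
$access = @($wanted | ForEach-Object { @{ Id = $roleIds[$_]; Type = "Role" } })
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId = $mde.AppId; ResourceAccess = $access }
)

# ...and grant admin consent. For application permissions, "Grant admin consent"
# is an app role assignment on the application's service principal.
foreach ($name in $wanted) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $mde.Id -AppRoleId $roleIds[$name] | Out-Null
}

# 5. Verify: request a client-credentials token for the Defender API and inspect
#    its roles claim. New registrations can take a short while to replicate.
Start-Sleep -Seconds 60
$tenantId = (Get-MgContext).TenantId
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $app.AppId
        client_secret = $secret.SecretText
        scope         = "https://api.securitycenter.microsoft.com/.default"
    }).access_token

# Decode the payload without verifying the signature: we only read back the
# roles Azure AD placed in a token it just issued to us, we do not trust it.
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
$missing = $wanted | Where-Object { $claims.roles -notcontains $_ }
if ($missing) { Write-Warning "Consent not reflected in the token for: $($missing -join ', ')" }

# Values to enter under Configuration > Integrations > Microsoft Defender.
[pscustomobject]@{
    TenantId     = $tenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
}
```

If the final warning lists every permission, consent was not granted (or has not replicated yet); if the Plixer Test Connection step later fails, re-running only the token request and roles check above is the quickest way to tell a consent problem from a wrong tenant ID, client ID or secret.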

Integrating Microsoft Defender with Plixer Endpoint Analytics

To configure Microsoft Defender integration, follow these steps:

  1. Navigate to Configuration > Integrations, and then select Microsoft Defender to open the configuration page.

  2. Fill in the provided fields with the directory (tenant) ID, the application (client) ID, and the client secret value saved earlier.

  3. Tick the Enabled checkbox, and then click Test Connection to verify the credentials entered.

  4. Click Save.

Important

Azure SSO authentication in the Plixer Endpoint Analytics web interface is not required to open the external Microsoft Defender pages linked for discovered endpoints, but the user who opens those pages must hold at least the Azure AD Security Reader role, as described here.

After the integration is configured, Microsoft Defender vulnerabilities are factored into an endpoint's overall risk level. For endpoints for which Microsoft Defender has reported a risk, a hyperlink to the endpoint's Microsoft Defender overview page is added to the Endpoint Summary page. Action buttons for the Microsoft Defender actions (Run Scan, Isolate Machine, and Unisolate Machine) also appear for supported devices that have been onboarded to Microsoft Defender.

A Microsoft Defender subtab containing the following will also become available under the Risk tab of Endpoint Summary pages:

  • Description of the most severe vulnerability found via Microsoft Defender Exposure assessment and a corresponding Exposure Risk Level badge

  • Number of vulnerabilities, which also links directly to the endpoint’s Microsoft Defender vulnerabilities page

  • Risk Level badge based on the most severe alert found via Microsoft Defender Risk assessment

  • Hyperlink to Microsoft Defender risk alerts page for the endpoint

  • Hyperlink to Microsoft Defender overview page for the endpoint