Microsoft Defender

When enabled, the Microsoft Defender integration allows Plixer Endpoint Analytics to pull external OS risk data from Microsoft Defender and use it to assign a Risk Level to endpoints discovered on the local network.

After the integration is configured, Microsoft Defender vulnerabilities are factored into an endpoint’s overall Risk Level. A hyperlink to the endpoint’s Microsoft Defender overview page is also added to Endpoint Summary pages, along with buttons for Microsoft Defender actions (Run Scan, Isolate Machine, and Unisolate Machine).

A Microsoft Defender subtab containing the following will also become available under the Risk tab of Endpoint Summary pages:

  • Description of the most severe vulnerability found via Microsoft Defender Exposure assessment and a corresponding Exposure Risk Level badge

  • Number of vulnerabilities, which also links directly to the endpoint’s Microsoft Defender vulnerabilities page

  • Risk Level badge based on the most severe alert found via Microsoft Defender Risk assessment

  • Hyperlink to Microsoft Defender risk alerts page for the endpoint

  • Hyperlink to Microsoft Defender overview page for the endpoint

To configure Microsoft Defender integration, follow these steps:

  1. Navigate to Configuration > Integrations and select Microsoft Defender to open the configuration page.

  2. Fill in the provided fields with the Microsoft Defender tenant ID, client ID, and secret key.

  3. Tick the Enabled checkbox and click Test Connection to verify the credentials entered.

  4. When done, click the Save button to save the configuration.

Important

Azure SSO authentication within the web interface is not required to view external Microsoft Defender pages for endpoints discovered by Plixer Endpoint Analytics, but the user must have at least Azure AD Security Reader role permissions, as described here.