Microsoft Defender for Endpoint (TVM)
Microsoft Windows Defender for Endpoint is an advanced security solution that helps to protect devices and
networks from cyber threats. In this article, we will focus on the steps required to integrate Microsoft Defender for Endpoint with the platform, a cloud security posture management platform.
Microsoft Defender for Endpoint Setup
Before setting up the integration, you need to prepare your instance of Defender to be connected to the platform. Here are the steps to do so:
Log in to Azure.
Select "App registrations" from the main menu.
Click "New registration."
Name the application and select the "Accounts in this organizational directory only" radio button.
Click on the newly created application and select "Certificates & Secrets" from the menu. Select "New Client Secret." Enter a description for the secret and set the expiration date in the "Expires" field. Click the "Add" button.
Depending on the expiration date set, the credentials may need to be regenerated and updated within the platform. Otherwise, the connected accounts and imports would fail.
Make sure to copy the secret value as it will be obfuscated once you move away from that page.
Select "API Permissions" from the menu and click on "Add a permission."
In the "Request API permissions" widget on the right side, find "WindowsDefenderATP" permissions under "APIs my organization uses."
Select the checkboxes for API permission as shown below and click on "Add Permissions."
The following application permissions checkboxes should be selected:
AdvancedQuery.Read.All
Alert.Read.All
For the permission to take effect, please grant admin consent confirmation to the API permissions. Click the "Yes" button.
Once the permission is granted, the API permissions page should show successful granted statuses under the "WindowsDefenderATP" permission names.
Make note of the "Application (client) ID" and "Directory (tenant) ID" from the overview tab. These IDs will be used within the Connected Accounts setup within the platform.
The required permissions have been detailed below to troubleshoot any missing permissions or authorization errors.
Permission Name | Permission Display Name | Permission Type | Requirement |
Vulnerability.Read.All | Read Threat and Vulnerability Management vulnerability information | Application | Required |
Machine.Read.All | Read all machine profiles | Application | Required |
SecurityRecommendation.Read.All | Read Threat and Vulnerability Management security recommendation information | Application | Highly recommended |
RemediationTasks.Read.All | Read Threat and Vulnerability Management vulnerability information | Application | Highly recommended |
Connecting Microsoft Defender for Endpoint to the Platform
After completing the steps to prepare Defender to accept connections from the platform, follow the steps below to set up the Connected Accounts details:
Select "Connected Accounts" from the main menu sidebar.
Within the Cloud Security section, select the "Configuration" button for Microsoft Defender.
Click the "+" box to add your details.
The platform will ask you for the following details:
Name: Provide a recognizable name to use within the platform for your Defender instance.
Client ID: This is taken from your Azure setup and is the "Application (client) ID" you made note of earlier.
Client Secret: This is taken from your Azure setup earlier when creating your "New Client Secret."
Tenant ID: This is taken from your Azure setup and is the "Directory (tenant) ID" you made note of earlier.
By following these steps, you can easily integrate Microsoft Defender for Endpoint with the platform, enabling you to enhance your security posture and protect your devices and networks from cyber threats.