Microsoft Defender for Endpoint

About this document


This document provides step-by-step instructions to configure "Microsoft Defender for Endpoint" in SAFE.

Introduction


This integration allows you to onboard endpoints from MS Defender for Endpoint and fetch vulnerability and/or EDR (Endpoint detection and response) findings in SAFE. SAFE Admins can configure this integration from the "Microsoft Defender for Endpoint" card available on the Integrations page.

Prerequisites


  • Microsoft Defender for Endpoint Plan 2 is enabled for your Organization.

  • The following privileges are needed for a user in Azure to generate the connection details:

    • For manually creating Entra ID applications and assigning permissions:

      • Sufficient privileges/permissions to create an Entra ID application.

      • Sufficient privileges/permissions to add API permissions to the created application.

  • SAFE Admin access.

Generate connection details


To integrate SAFE with Microsoft Defender for Endpoint, we need 3 details to be generated from Azure:

  • Tenant Id

  • Client Id

  • Client Secret

To generate these details, an application will be created in the Azure portal and given the required API read-only permissions.

Register App on Azure

  1. Log in to the Azure Portal. 

  2. Navigate to Microsoft Entra ID.

  3. Go to App registrations and click the New Registration button.

  4. On the app registration page, enter the Name for the application, select the Account Type, and Redirect URI. 

    1. Name: Enter a name of your choice. For example, SAFE-Defender-For-Endpoint

    2. Account Type: Select the option "Accounts in the organizational directory only (Default Directory only - Single Tenant)"

    3. Redirect URI: This can be left blank.

  5. Click the Register button. The system registers the application.

Get the Client ID and Tenant ID

  1. Go to the overview page of the application you created above.

  2. You can find the Client ID and Tenant ID on the application's overview page.

  3. Save the Client ID and Tenant ID on your system for later use when configuring this integration in SAFE.

Create the Client Secret

  1. When we register a new application in Azure, it does not have any client secrets. To create a Client Secret:

  2. Navigate to Certificates & Secrets from the left navigation.

  3. Click the New Client Secret button.

  4. Enter the Description and Expiry for the Client Secret.

  5. Click the Add button.

  6. The system adds the Client Secret and displays the details on the same page.

  7. The Value field is the secret created. Copy and save the Client Secret on your system for later use when configuring this integration in SAFE.

Configure API permissions on the Application

  1. Open the app and navigate to API permissions.

  2. Select + Add a permission.

  3. Click the APIs my organization uses tab.

  4. Search for WindowsDefenderATP.

  5. Choose Application Permissions, expand the Alert section, and check Alert.Read.All.

  6. Under Machine, check Machine.Read.All.

  7. Under SecurityRecommendation, check SecurityRecommendation.Read.All.

  8. Under Vulnerability, check Vulnerability.Read.All.

  9. Click Add Permissions.

  10. Grant admin consent for the added permissions by clicking the grant admin consent button on the API permissions page.

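  11. After this, the permissions added above (Alert.Read.All, Machine.Read.All, SecurityRecommendation.Read.All, and Vulnerability.Read.All) should be visible for the application.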
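
The permission steps above can be checked from the credential side: an app-only token issued to the application lists its consented application permissions in the `roles` claim. The following is an added example, not part of the original article or of SAFE; the function names, the token endpoint and scope URL (Microsoft's standard client-credentials values, not stated on this page), and the sample token with its extra `Machine.Isolate` role are assumptions or constructed values.

```python
import base64
import json
import urllib.parse
import urllib.request

# The four read-only application permissions this guide assigns.
REQUIRED_ROLES = {"Alert.Read.All", "Machine.Read.All",
                  "SecurityRecommendation.Read.All", "Vulnerability.Read.All"}
# Assumption: scope of the Defender for Endpoint API (not stated on this page).
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"


def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials token request to Entra ID (network needed; not run below)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "scope": DEFENDER_SCOPE,
        "client_id": client_id, "client_secret": client_secret}).encode()
    with urllib.request.urlopen(url, data=form) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(jwt, expected_tenant):
    """Return (missing roles, roles beyond the guide's set, tenant matches)."""
    claims = decode_claims(jwt)
    granted = set(claims.get("roles", []))
    return (sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES),
            claims.get("tid") == expected_tenant)


def make_sample_token(claims):
    """Build an unsigned, constructed token so the audit can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
    sample = make_sample_token({"tid": tenant, "roles": [
        "Alert.Read.All", "Machine.Read.All", "Machine.Isolate"]})
    print(audit_token(sample, tenant))
```

A non-empty first list means a sync will lack data; a non-empty second list means the application holds more than the read-only permissions this guide calls for and should be trimmed before the secret is handed to SAFE.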

Configure Microsoft Defender for Endpoint in SAFE


  1. Go to Integrations and click the "Microsoft Defender for Endpoint" card.

  2. On the Configure page, enter the TenantID, ClientID, and Client Secret generated above.

  3. [Optional] Excluded Finding Types: Use this option to exclude either Vulnerability (Security Recommendations) or EDR (Malware Alerts) assessment data from the sync between SAFE and Microsoft Defender for Endpoint. If both types of data are needed, leave this option blank and nothing will be excluded from the sync.
    Note: At least one of the products should be enabled for a successful sync.

  4. Enter a value for the Auto-Sync Frequency. This controls how often SAFE synchronizes with the integration to fetch the most recent data.

  5. If needed, uncheck the "Update Existing Assets Metadata" checkbox.
    Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will get updated based on the data pulled from CrowdStrike. 

  6. If needed, mark the Auto Onboard New Assets checkbox.
    Onboard Assets - By default, any assets in CrowdStrike that are not found in SAFE will be onboarded. This option can be unchecked to limit the integration to pull in findings of only the assets present in SAFE.

  7. Click the Test Connection button.

  8. Once the connection is validated, click the Save button.

  9. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside the scheduled auto sync.

Import Tags via Custom Fields


The Microsoft Defender for Endpoint integration supports importing tags by creating a custom field in SAFE.

Go to Settings > Custom Fields in SAFE and add a new custom field with the name ms-defender-endpoint-tags

The next scheduled sync will import the Tag values for assets and populate them into the above custom field.

View Result


Click on the AWS integration for the Finding View and Asset View.

Findings View: This tab displays all the findings details pulled from Microsoft Defender for Endpoint.

Assets View: This tab displays all the assets pulled from Microsoft Defender for Endpoint.

FAQs


1. What assessment data does SAFE pull from Microsoft Defender for Endpoint, and which type of assets?

SAFE does not perform any native assessment of the Microsoft Defender for Endpoint assets. SAFE pulls the security recommendations and/or Alerts from the tool and adds/updates them as VA and/or EDR findings in SAFE.

