Microsoft Defender for Endpoint
  • 05 Sep 2024


Microsoft Defender for Endpoint protects Windows and Linux machines whether they are hosted in Azure, on-premises (hybrid cloud), or in other clouds. DataBee integrates with it through the Defender for Endpoint API, primarily to import device, alert and vulnerability data.

Integration Method: API

Tables: Device Config State, Device Inventory Info, Scan Activity, Security Finding, Detection Finding, Incident Finding, Vulnerabilities Finding

Integration Capabilities  

DataBee uses the Microsoft Defender for Endpoint API to collect security alert, vulnerability, and device information. The application registration that DataBee authenticates with must be granted the permissions listed below, with admin consent, before any of these APIs return data.

Microsoft Defender for Endpoint Setup

MDE requires OAuth 2.0 (the client credentials flow, in which DataBee authenticates as an application rather than as a user). To set up that integration, start by registering an application in Microsoft Entra ID:

  • Sign in to the Azure portal with a user account that has the Global Administrator role (or another role permitted to register applications and grant tenant-wide admin consent).

  • Navigate to Microsoft Entra ID > App registrations > New registration. The “Register an application” page window appears.

  • Enter the application's registration information:

    • In the ‘Name’ section, enter a meaningful application name that will be displayed to users.

    • For ‘Supported account types’, click the Accounts in any organizational directory option. Because DataBee uses the client credentials flow against your own tenant, Accounts in this organizational directory only also works and is the more restrictive choice.

    • Set the ‘Redirect URI’ to http://localhost.

  • Click on Register to create the application.

  • On the app “Overview” page, copy the Application (client) ID and Directory (tenant) ID for later use. Both are needed when configuring DataBee: the Directory (tenant) ID goes into the Token URL, and the Application (client) ID is the Client Key.

    Add Endpoint Access

    Once the application is created, it must be granted the API permissions that the endpoints below require; without them the application can obtain a token but every API call is rejected. The following section details how to add those permissions.

    You will need to provision read API permissions for WindowsDefenderATP (the name under which the Defender for Endpoint API is published in Microsoft Entra ID):

    Add Permissions

    To add the permissions for the endpoints outlined above, from the Microsoft Entra admin center (formerly the Azure Active Directory portal):

  • Select the application whose logs are to be accessed. This is the application registered in the previous section.

  • Click API Permissions, and then click Add a Permission. The “Request API permissions” window appears.

  • Click on APIs my organization uses and then search for WindowsDefenderATP.

  • Click on WindowsDefenderATP, then choose the Permission type shown in the table below. All of the permissions DataBee needs are Application permissions (not Delegated), because DataBee runs without a signed-in user.

  • The following permissions need to be granted.

Permission type   Permission                Permission display name
Application       Machine.Read.All          Read all machine profiles
Application       Alert.Read.All            Read all alerts
Application       Vulnerability.Read.All    Read Threat and Vulnerability Management vulnerability information
Application       Software.Read.All         Read Threat and Vulnerability Management software information

  • In the ‘Select permissions’ search bar, enter each permission shown above and check its box to include it.

  • Click the Add permissions button after selecting all required permissions.

  • On the “API permissions” page, click Grant Admin Consent for <tenant>. Application permissions take effect only after this step; a token issued before consent carries no roles and the API returns 401/403.

  • Click the Yes button on the consent confirmation. The Status column should now show a green check for each permission, and the required permissions are added for the endpoints.

    Create the Client Secret:

    Authentication is done with OAuth 2.0. To configure it, DataBee requires the Application (client) ID copied above and a client secret:

  • Select Application.

  • Click Certificates & Secrets, and then Client Secrets.

  • Click New client secret. The “Add a client secret” window appears.

  • Enter a Description for this client secret.

  • Select the desired expiry period from the ‘Expires’ drop-list. Record the expiry date: the integration stops authenticating when the secret expires, so a new secret must be created and entered in DataBee before then.

  • Click Add.

  • Copy the ‘Value’ field (not the Secret ID); it is displayed only once, immediately after creation, and is entered into DataBee as the Client Secret.

    Databee Setup

  • In Databee UI, click on the Data tab and click on Add New Data Source.

  • Search for Microsoft Defender for Endpoint and select it

  • Click on API Ingest.

  • Enter the required details in the form.

  • Select the OAuth2 option from the ‘Authorization Method’ dropdown.

  • Provide the Application (client) ID as the Client Key and the secret Value generated above as the Client Secret in the respective text boxes.

  • In the ‘Token URL’, replace <tenant id> with the Directory (tenant) ID you obtained during Microsoft Defender for Endpoint Setup.

  • The following API endpoints should be added:

    • https://api.securitycenter.microsoft.com/api/machines

    • https://api.securitycenter.microsoft.com/api/alerts?$expand=evidence

    • https://api.securitycenter.microsoft.com/api/deviceavinfo

    • https://api.securitycenter.microsoft.com/api/Vulnerabilities

    • https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine

    • https://api.securitycenter.microsoft.com/api/machines/BrowserExtensionsInventoryByMachine

    • https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine

    • https://api.securitycenter.microsoft.com/api/investigations

    • https://api.securitycenter.microsoft.com/api/machineactions
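Before saving the data source, it is worth confirming that the app registration, admin consent and secret from the Setup section actually yield a token the API will accept. The following Python is an added example, not DataBee or Microsoft code. It builds the client-credentials token request the integration performs (assuming the Token URL is the Microsoft identity platform v2.0 endpoint for the tenant, with the API's /.default scope), decodes the returned token's roles claim without verifying the signature (inspection only, never a trust decision) to check that the four Application permissions from the table were consented, and follows the @odata.nextLink paging that the endpoint list above relies on. The token and API pages are constructed inline so it runs offline; replace fake_get with a real authenticated GET to use it against a tenant.

```python
"""Pre-flight check for the Defender for Endpoint OAuth 2.0 app-only setup.

Added example (not DataBee's or Microsoft's code). The sample JWT and API
pages below are constructed for the demo; nothing here calls the network.
"""
import base64
import json
from typing import Callable

RESOURCE = "https://api.securitycenter.microsoft.com"
# The four Application permissions the page's table requires.
REQUIRED_ROLES = {"Machine.Read.All", "Alert.Read.All",
                  "Vulnerability.Read.All", "Software.Read.All"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, dict]:
    """Return (token_url, form_body) for the client-credentials grant.
    Assumption: the DataBee Token URL is the identity platform v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application (client) ID
        "client_secret": client_secret,  # the secret's Value, not its Secret ID
        "scope": f"{RESOURCE}/.default",  # app-only tokens use the API's /.default scope
    }
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for reading the roles claim during setup; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required: set[str] = REQUIRED_ROLES) -> set[str]:
    """Application permissions granted by admin consent appear in the 'roles' claim.
    A token with no 'roles' usually means 'Grant admin consent' was skipped."""
    return required - set(claims.get("roles", []))


def audience_ok(claims: dict) -> bool:
    """The API rejects tokens whose audience is not the Defender for Endpoint resource."""
    return claims.get("aud") == RESOURCE


def fetch_all(get: Callable[[str], dict], url: str) -> list[dict]:
    """Follow @odata.nextLink until the API stops returning one, collecting 'value' items."""
    items: list[dict] = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


# --- constructed offline fixtures -------------------------------------------
def _constructed_jwt(payload: dict) -> str:
    """Unsigned JWT for the demo only (constructed, not issued by Entra ID)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


SAMPLE_TOKEN_OK = _constructed_jwt({"aud": RESOURCE, "roles": sorted(REQUIRED_ROLES)})
SAMPLE_TOKEN_NO_CONSENT = _constructed_jwt({"aud": RESOURCE})  # roles claim absent

# Two constructed pages of /api/machines, the first carrying a nextLink.
FAKE_PAGES = {
    f"{RESOURCE}/api/machines": {
        "value": [{"id": "m1"}, {"id": "m2"}],
        "@odata.nextLink": f"{RESOURCE}/api/machines?$skiptoken=abc",
    },
    f"{RESOURCE}/api/machines?$skiptoken=abc": {"value": [{"id": "m3"}]},
}


def fake_get(url: str) -> dict:
    """Stand-in for an authenticated GET; swap in requests.get(...).json() for real use."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    url, body = build_token_request("<tenant id>", "<client id>", "<client secret>")
    print("POST", url, "scope =", body["scope"])
    print("missing roles (no consent):", missing_roles(jwt_claims(SAMPLE_TOKEN_NO_CONSENT)))
    print("missing roles (consented): ", missing_roles(jwt_claims(SAMPLE_TOKEN_OK)))
    print("machines collected:", len(fetch_all(fake_get, f"{RESOURCE}/api/machines")))
```

If missing_roles returns anything for a real token, go back to the API permissions page and grant admin consent, then request a new token; consent is not applied to tokens already issued.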

