Microsoft Defender for Endpoint (aka ATP)

About

Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response.

Why You Should Integrate

Integrating with Microsoft Defender for Endpoint provides visibility into the collection of machines that have communicated with the Microsoft Defender for Endpoint cloud, so you can identify your endpoint coverage.

How Does the Integration Work

This integration pulls machine objects from the Microsoft Defender for Endpoint security console that meet the following criteria:

  • Devices last seen within your configured retention period
  • Devices that the user (ApplicationID) has access to, based on device group settings

This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.

Configuration

  1. Configure plugin: Configure the plugin with the required fields (fields marked * are required).

     Field            Description                                                             Example
     App ID*          The unique ID (aka client ID) of the app created for access.           00000000-0000-0000-0000-000000000000
     client_secret*   The value of the app secret (aka client secret) used to                ***********************
                      authenticate with the source.
     Tenant ID*       The unique tenant ID.                                                  00000000-0000-0000-0000-000000000000

  2. Configure Name: OPTIONAL: You can give the configuration a name to provide an identifiable attribute that distinguishes it from other similar configurations.

  3. Activate Config: To enable this configuration and begin pulling data, select "Activate". If you wish to save the configuration and come back later to finish, select "Save Draft". This saves the configuration but keeps it disabled until it is activated.

Source Documentation

Creating credentials

You'll be asked to provide an app secret (aka client secret) that Sevco will use to connect to Microsoft Defender. This requires creating an app in Azure to provide API-based access. The following link steps you through creating the app: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
NOTE: Be sure to enter the App Secret Value, not the Secret ID, when configuring the plugin.

Required Permissions

The following permission(s) are required:

  • Machine.Read.All

The following link steps you through editing application permissions: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

API Documentation

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide
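The following is an added example, not Sevco's plugin code and not code from Microsoft's documentation. It reproduces the pull described under "How Does the Integration Work" and "Creating credentials" so that you can check an app registration end to end before activating the configuration: it obtains a token with the App ID, client secret value and tenant ID (client-credentials grant), calls the Get machines API with a lastSeen filter derived from a retention period, follows paging, and re-checks the cutoff client-side while counting covered devices per device group. The token and machines URLs, the `.default` scope, the `$filter` on `lastSeen`, `@odata.nextLink` paging and the `rbacGroupName` field are taken from Microsoft's public API documentation; `SAMPLE_MACHINES`, `DEMO_NOW`, the placeholder credentials and the fake transports in `demo()` are constructed for an offline run. Only `Machine.Read.All` is needed for this call, matching the permission listed above.

```python
"""Added example (not Sevco's or Microsoft's code): verify a Defender for Endpoint app
registration by reproducing the plugin's machine pull. Sample data is constructed."""
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MACHINES_URL = "https://api.securitycenter.microsoft.com/api/machines"
SCOPE = "https://api.securitycenter.microsoft.com/.default"

# Constructed "now" so the offline demo is reproducible (assumption: not real data).
DEMO_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

# Constructed subset of the fields the Get machines API returns; not real telemetry.
SAMPLE_MACHINES = [
    {"id": "m1", "computerDnsName": "ws01.example.invalid", "osPlatform": "Windows11",
     "lastSeen": "2024-01-30T12:00:00.1234567Z", "rbacGroupName": "Workstations"},
    {"id": "m2", "computerDnsName": "srv01.example.invalid", "osPlatform": "WindowsServer2022",
     "lastSeen": "2024-01-29T08:30:00Z", "rbacGroupName": "Servers"},
    {"id": "m3", "computerDnsName": "old01.example.invalid", "osPlatform": "Windows10",
     "lastSeen": "2023-11-02T09:15:00Z", "rbacGroupName": "Workstations"},
]


def http_post_form(url, form):
    """Real transport: POST a form-encoded body and decode the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def http_get_json(url, headers):
    """Real transport: GET with headers and decode the JSON reply."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


def get_token(tenant_id, app_id, client_secret, post=http_post_form):
    """OAuth2 client-credentials grant. client_secret is the secret VALUE, not its ID."""
    body = post(TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return body["access_token"]


def cutoff_time(retention_days, now=None):
    """Devices whose lastSeen is after this instant count as covered."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=retention_days)


def odata_timestamp(dt):
    """Format a UTC datetime the way the API's $filter expects it."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_last_seen(ts):
    """lastSeen may carry 7 fractional digits; compare at second precision."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fetch_machines(token, retention_days, get=http_get_json, now=None):
    """Page through /api/machines, asking the service only for recently seen devices."""
    odata_filter = f"lastSeen gt {odata_timestamp(cutoff_time(retention_days, now))}"
    url = MACHINES_URL + "?$filter=" + urllib.parse.quote(odata_filter)
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    machines = []
    while url:  # follow @odata.nextLink until the last page
        page = get(url, headers)
        machines.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return machines


def coverage(machines, retention_days, now=None):
    """Re-apply the cutoff client-side rather than trusting the filter blindly, and count
    covered devices per device group (the scope that limits what the app can see)."""
    cutoff = cutoff_time(retention_days, now)
    recent = [m for m in machines if parse_last_seen(m["lastSeen"]) > cutoff]
    return {"covered": len(recent),
            "stale": len(machines) - len(recent),
            "by_group": dict(Counter(m.get("rbacGroupName", "<none>") for m in recent))}


def demo():
    """Offline run over the constructed sample using fake transports (no network)."""
    def fake_post(url, form):
        assert form["grant_type"] == "client_credentials"
        return {"access_token": "constructed-token"}

    def fake_get(url, headers):
        assert headers["Authorization"] == "Bearer constructed-token"
        if url.endswith("page=2"):  # second (last) page of the constructed result
            return {"value": SAMPLE_MACHINES[2:]}
        return {"value": SAMPLE_MACHINES[:2], "@odata.nextLink": MACHINES_URL + "?page=2"}

    token = get_token("00000000-0000-0000-0000-000000000000", "app-id-placeholder",
                      "secret-value-placeholder", post=fake_post)
    return coverage(fetch_machines(token, 30, get=fake_get, now=DEMO_NOW), 30, now=DEMO_NOW)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it for real, drop the `post=`/`get=` arguments so the `urllib` transports are used, pass your tenant ID, App ID and the secret value, and compare the `by_group` counts against the device groups you expect the app to be scoped to: a group missing from the output usually means the app lacks access to it rather than that the devices are absent.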

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].

Tags: cloud, epp-edr