Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
About
Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response.
Why You Should Integrate
Integrating with Microsoft Defender for Endpoint gives you visibility into the set of machines that have reported to the Microsoft Defender for Endpoint cloud service, so you can measure your endpoint (EDR) coverage.
How Does the Integration Work
This integration pulls machine objects from Microsoft Defender for Endpoint (the same device inventory shown in the security console) that meet both of the following criteria.
- Devices whose last-seen timestamp falls within your configured retention period
- Devices that the app registration (Application ID) is permitted to see, as determined by the device group settings in Defender for Endpoint
This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.
Configuration
- Configure plugin: Configure the plugin with the required fields.
Field | Description | Example |
---|---|---|
App ID * | The unique ID (aka client ID or application ID) of the app registration created for API access. | 00000000-0000-0000-0000-000000000000 |
client_secret * | The value of the app secret (aka client secret) used to authenticate with the source. Enter the secret's Value, not its Secret ID. | *********************** |
Tenant ID * | The unique ID (directory ID) of the Azure AD tenant the app is registered in. | 00000000-0000-0000-0000-000000000000 |

\* Required field.
- Configure Name: OPTIONAL. You can give the configuration a name that identifies it and distinguishes it from other similar configurations.
- Activate Config: To enable this configuration and begin pulling data, select "Activate". If you wish to save the configuration and come back later to finish, select "Save Draft". This saves the configuration but keeps it disabled until it is activated.
Source Documentation
Creating credentials
You'll be asked to provide an app secret (aka client secret) that Sevco will use to connect to Microsoft Defender for Endpoint. This requires registering an app in Azure AD so that Sevco can reach the Defender for Endpoint API with application permissions (no signed-in user). The following link steps you through creating the app registration. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
NOTE: Copy the app secret's Value as soon as you create it; it is shown only once. The secret also expires on the date chosen at creation, after which the pull fails until a new secret is generated and entered here. Enter the Value, not the Secret ID, when configuring the plugin.
Required Permissions
The following application permission on the WindowsDefenderATP API is required:
- Machine.Read.All
After adding the permission, an administrator must grant admin consent for the tenant; until consent is granted the app's token carries no roles and requests for machines are rejected. The following link will step you through editing application permissions. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
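As an added example, not part of this page or of Sevco's connector, here is a stand-alone Python script that validates the app registration before its values are pasted into the plugin. It obtains a token with the client-credentials grant, confirms the token carries the Machine.Read.All application role (which only appears once admin consent has been granted), and pulls machines using the same two criteria the integration applies: a last-seen cutoff and device-group scoping, which the API enforces server-side. The environment variable names, the constructed SAMPLE_MACHINES list and the unsigned sample token are assumptions for illustration; running it without credentials exercises the offline path on the sample data.

```python
# Added example for this page (not Sevco's connector); standard library only.
# Assumptions not from the page: the env var names, SAMPLE_MACHINES, sample_token.
import base64
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_API = "https://api.securitycenter.microsoft.com"
REQUIRED_ROLES = {"Machine.Read.All"}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for the MDE API; returns the bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # the secret VALUE, not its secret ID
        "scope": MDE_API + "/.default",   # application permissions on the MDE API
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Application roles in the JWT 'roles' claim. Decoded WITHOUT signature
    verification: an inspection aid to confirm admin consent, not validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_roles(access_token, required=REQUIRED_ROLES):
    """Roles the plugin needs that the token lacks (empty set means OK)."""
    return set(required) - token_roles(access_token)

def last_seen_filter(retention_days, now=None):
    """OData $filter mirroring the 'last seen within retention' pull criterion."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=retention_days)
    return "lastSeen ge " + cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")

def list_machines(access_token, retention_days, page_size=10000):
    """Page through /api/machines with $top/$skip. Device-group scoping is
    enforced server-side, so only groups the app may see are returned."""
    machines, skip = [], 0
    while True:
        query = urllib.parse.urlencode({"$filter": last_seen_filter(retention_days),
                                        "$top": page_size, "$skip": skip})
        req = urllib.request.Request(f"{MDE_API}/api/machines?{query}",
                                     headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            page = json.load(resp).get("value", [])
        machines.extend(page)
        if len(page) < page_size:
            return machines
        skip += page_size

def coverage_summary(machines):
    """Machine count per (device group, onboardingStatus); ungrouped -> '<no group>'."""
    summary = {}
    for m in machines:
        key = (m.get("rbacGroupName") or "<no group>", m.get("onboardingStatus", "Unknown"))
        summary[key] = summary.get(key, 0) + 1
    return summary

def sample_token(roles):
    """Constructed, unsigned JWT for offline checks of token_roles (not a real token)."""
    def b64(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = json.dumps({"aud": MDE_API, "roles": roles}).encode()
    return b64(b'{"alg":"none","typ":"JWT"}') + "." + b64(claims) + ".sig"

# Constructed sample in the shape of MDE machine objects (not real devices).
SAMPLE_MACHINES = [
    {"id": "m1", "computerDnsName": "ws01.corp.example", "rbacGroupName": "Workstations",
     "onboardingStatus": "Onboarded", "lastSeen": "2024-02-28T09:12:00Z"},
    {"id": "m2", "computerDnsName": "srv01.corp.example", "rbacGroupName": "Servers",
     "onboardingStatus": "CanBeOnboarded", "lastSeen": "2024-02-27T01:05:00Z"},
    {"id": "m3", "computerDnsName": "lab07.corp.example", "rbacGroupName": None,
     "onboardingStatus": "Onboarded", "lastSeen": "2024-02-26T22:00:00Z"},
]

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("MDE_TENANT_ID", "MDE_CLIENT_ID", "MDE_CLIENT_SECRET")]
    if all(creds):
        token = get_token(*creds)
        missing = missing_roles(token)
        if missing:
            sys.exit(f"token lacks {sorted(missing)}: add the permission and grant admin consent")
        machines = list_machines(token, retention_days=30)
    else:  # no credentials in the environment: summarise the constructed sample
        machines = SAMPLE_MACHINES
    for (group, status), n in sorted(coverage_summary(machines).items()):
        print(f"{group:<20} {status:<16} {n}")
```

Run it with MDE_TENANT_ID, MDE_CLIENT_ID and MDE_CLIENT_SECRET set to test the live app registration. A token whose roles claim is empty, or a 403 on /api/machines with an otherwise valid token, means the permission was added but admin consent was not granted; a machine count that is smaller than expected usually points at the device group settings limiting what the app can see, or at a retention period shorter than the interval at which some devices check in.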
API Documentation
Contact Us
If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].
Tags: cloud, epp-edr
Updated about 1 month ago