Microsoft Defender for Endpoints
Written by Ali Murtaza

About Microsoft Defender for Endpoints (formerly Microsoft Defender ATP)

Windows Defender ATP, now Microsoft Defender for Endpoint, is an Advanced Threat Protection (ATP) and enterprise endpoint security platform that helps organizations detect, investigate, prevent, and respond to advanced threats. External alerts pushed into Windows Defender ATP carry the full context of the generated alert and the complete picture of the attack.

SIRP’s SOAR platform uses Windows Defender ATP to build playbooks and integrate its rich data models for orchestrating responses such as getting and updating alerts, obtaining machine information, and pushing IPs, domains, URLs, and hashes.

The integration between SIRP and Windows Defender ATP enhances the organization’s detection, investigation, enrichment, and threat intelligence capabilities. It enables teams to effectively orchestrate, automate, and respond to emerging threats.

Supported Actions

SIRP’s Windows Defender ATP integration app allows you to execute the following actions:

S.no  Action                             Description
1     Get Alerts                         Get new alerts from Windows Defender ATP
2     Get Machine Information            Get machine information from Windows Defender ATP
3     Update Alerts                      Change alert status to Closed in Windows Defender ATP
4     Push IP                            Push IP to Indicators in Defender from SIRP
5     Push Domain                        Push Domain to Indicators in Defender from SIRP
6     Push URL                           Push URL to Indicators in Defender from SIRP
7     Push Hash                          Push Hash to Indicators in Defender from SIRP
8     Isolate Machine                    Isolate machines from the network
9     Unisolate Machine                  Unisolate machines from the network
10    Remove IP                          Remove IP from Indicators in Defender via SIRP
11    Remove Domain                      Remove Domain from Indicators in Defender via SIRP
12    Remove URL                         Remove URL from Indicators in Defender via SIRP
13    Remove Hash                        Remove Hash from Indicators in Defender via SIRP
14    Cancel Machine Action              Cancel a pending machine action
15    Collect Investigation Package      Collect investigation package from a machine
16    Get Machine Action Status          Retrieve status of an executed action
17    Get Investigation Package SAS URI  Get URI for downloading the investigation package
18    List Pending Machine Actions       List machine actions previously executed
19    Live Response Put File             Put a file from the library onto the device
20    Live Response Get File             Collect a file from a device
21    Live Response Run Script           Run a script from the library on a device
22    Offboard Machine                   Offboard machine from Microsoft Defender for Endpoint
23    Remove App Restriction             Remove application execution restriction
24    Restrict App Execution             Restrict application execution
25    Run Full Scan                      Perform AV full scan on the device
26    Run Quick Scan                     Perform AV quick scan on the device
27    Quarantine and Stop File           Stop the execution of a file on a machine and delete it

Enable and Configure Windows Defender ATP API

To integrate Windows Defender ATP with SIRP:

  • Log in to your Windows Defender ATP instance at Azure Active Directory admin center.

  • Go to the Azure Active Directory tab.

  • Go to the App registrations option.

  • Click on Add.

Application Registration

Follow the below-mentioned steps to register the application.

  • Set the Name of the application <Configured by the user>.

  • Set the Supported Account type as “Accounts in this organizational directory only.”

  • Set the Redirect URI type to Web and the value to https://security.microsoft.com/.

  • Click on Register.

API Generation

From the application created using the steps mentioned above, copy and save the following IDs from the application Overview:

  • Application (client) ID

  • Directory (tenant) ID

Next, go to the Certificates & Secrets tab and:

  • Add a new client secret.

  • Enter the description.

A new client secret value is created; it proves the identity of the application when it requests a token. Copy the secret value (App Secret) from the Azure portal while it is displayed, as the portal shows it only once, and use it in the SIRP app configuration.

Access the API permission tab to request the API permission. Take the following steps:

  • Click on the Add permission option.

  • Select an API from the APIs your organization uses.

  • Add the Windows Defender ATP application created using the above steps.

  • Enable the following permissions:

    • AdvancedQuery.Read.All

    • Alert.Read.All

    • Alert.ReadWrite.All

    • File.Read.All

    • IntegrationConfiguration.ReadWrite

    • Ip.Read.All

    • Machine.CollectForensics

    • Machine.Isolate

    • Machine.LiveResponse

    • Machine.Offboard

    • Machine.Read.All

    • Machine.ReadWrite.All

    • Machine.RestrictExecution

    • Machine.Scan

    • Machine.StopAndQuarantine

    • RemediationTasks.Read.All

    • Score.Read.All

    • SecurityConfiguration.Read.All

    • SecurityConfiguration.ReadWrite.All

    • SecurityRecommendation.Read.All

    • Software.Read.All

    • Ti.Read.All

    • Ti.ReadWrite

    • Ti.ReadWrite.All

    • Url.Read.All

    • User.Read.All

    • Vulnerability.Read.All

  • Add the selected permissions by clicking Add permissions.

Finally, click “Grant admin consent for <your organization>” and confirm with Yes.

Configure The SIRP App

  • Next, log in to SIRP, then go to Apps from the left navigation bar.

  • Locate the Windows Defender ATP App.

  • Click on the Toggle button to enable the app.

When you enable the App, you will get an option to add the configuration details. Add the following details and click Save:

  • Host: api.securitycenter.windows.com

  • Tenant ID: <Generated earlier at Windows Defender ATP instance>

  • App ID: <Generated earlier at Windows Defender ATP instance>

  • App-Secret: <Generated earlier at Windows Defender ATP instance>

The token will look something like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.<payload and signature segments redacted>

After the last step, you should be able to execute the Windows Defender ATP actions on-demand or through Playbooks.
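The Tenant ID, App ID and App Secret entered above are the inputs to an OAuth2 client-credentials exchange with Azure AD, and the token that comes back is the JWT shown above. The following added example (not SIRP's or Microsoft's code) builds that token request and then inspects the returned token's claims to confirm that the application permissions granted during registration actually appear in its "roles" claim, which is the quickest way to tell whether admin consent took effect. It assumes the v2.0 token endpoint of login.microsoftonline.com and https://api.securitycenter.microsoft.com as the token audience for the host api.securitycenter.windows.com; the sample token it decodes is constructed locally with a placeholder signature so the check can run offline.

```python
# Added example, not SIRP's or Microsoft's code. Builds the client-credentials
# token request fed by Tenant ID / App ID / App Secret and checks the returned
# access token's "roles" claim against the permissions granted at registration.
# Assumptions: v2.0 token endpoint on login.microsoftonline.com, and
# https://api.securitycenter.microsoft.com as the audience for the configured
# host api.securitycenter.windows.com.
import base64
import json
import urllib.parse
import urllib.request

DEFENDER_RESOURCE = "https://api.securitycenter.microsoft.com"

# Subset of the application permissions the guide grants; they surface as the
# "roles" claim in the token once admin consent has been given.
REQUIRED_ROLES = {
    "Alert.Read.All",
    "Alert.ReadWrite.All",
    "Machine.Read.All",
    "Machine.Isolate",
    "Ti.ReadWrite.All",
}


def build_token_request(tenant_id: str, app_id: str, app_secret: str):
    """Return (url, form_body) for the client-credentials grant. Nothing is sent."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": f"{DEFENDER_RESOURCE}/.default",
        "grant_type": "client_credentials",
    }
    return url, body


def request_token(tenant_id: str, app_id: str, app_secret: str) -> str:
    """POST the request and return the access_token string (needs network)."""
    url, body = build_token_request(tenant_id, app_id, app_secret)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode header and payload without verifying the signature. The Defender
    API verifies the signature; this client only reads the claims to check that
    the token is for the right audience and carries the expected roles."""
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def audience_ok(token: str) -> bool:
    """True when the token was issued for the Defender API resource."""
    return decode_jwt_claims(token)["payload"].get("aud") == DEFENDER_RESOURCE


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Permissions still absent from the token, e.g. consent not yet granted."""
    granted = set(decode_jwt_claims(token)["payload"].get("roles", []))
    return set(required) - granted


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(roles) -> str:
    """Constructed, offline sample token with a placeholder signature; a real
    Azure AD token is RS256-signed and its header carries the signing key id."""
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {
        "aud": DEFENDER_RESOURCE,
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
        "appid": "11111111-1111-1111-1111-111111111111",  # placeholder app id
        "roles": sorted(roles),
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    token = make_sample_token(["Alert.Read.All", "Machine.Read.All"])
    print("audience ok:", audience_ok(token))
    print("missing roles:", sorted(missing_roles(token)))
```

To check a real token, call request_token with the three values from the SIRP configuration and pass the result to missing_roles; an empty set means every permission listed in REQUIRED_ROLES has been consented to, while a non-empty set usually means the "Grant admin consent" step was skipped or the secret belongs to a different app registration.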

Windows Defender ATP In Action

Once the integration between SIRP and Windows Defender ATP is complete, you can execute all the supported actions. For example, click on a hash, then select Windows Defender ATP > Get Machine Information or Push IP.

Additional Inputs

While executing blocking actions (push_ip, push_domain, push_hash, and so on), you will be asked to provide some additional inputs.

Click on the + icon to provide a new value.

Every time you add a value for Additional Inputs, it is stored in the database and available for selection during the next execution. If you execute the same action again in the future, you can pick the value from the dropdown rather than adding it again.

Action Type: one of the following values, which defines what ATP should do when it sees this particular IOC:

  • Alert

  • Warn

  • Block

  • Audit

  • BlockAndRemediate

  • AlertAndBlock

  • Allowed

Title: Any string or keyword
Description: Any string or keyword
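The Push IP, Push Domain, Push URL and Push Hash actions all end up as one indicator submission to Defender, differing only in the indicator type and the Action Type, Title and Description collected above. The following added example (not SIRP's or Microsoft's code) builds that submission body: it validates the Action Type against the seven values listed, rejects empty Title or Description, infers the indicator type from the raw value, and attaches an expiry so that blocks pushed from a playbook do not accumulate forever. It assumes the request is sent as POST /api/indicators on the configured API host with the bearer token obtained during setup, and that the field names (indicatorValue, indicatorType, action, title, description, expirationTime) follow Microsoft's documented indicator schema; verify them against the current API reference before relying on them. The sample values at the bottom are constructed (reserved documentation addresses and an all-zero hash).

```python
# Added example, not SIRP's or Microsoft's code. Builds the JSON body that the
# Push IP / Push Domain / Push URL / Push Hash actions hand to the Defender
# indicators API, validating the Action Type and inferring the indicator type.
# Assumptions: POST /api/indicators on the configured host, and the field
# names below as in Microsoft's documented indicator schema.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# The Action Type values offered as Additional Inputs.
ACTION_TYPES = {
    "Alert", "Warn", "Block", "Audit", "BlockAndRemediate", "AlertAndBlock", "Allowed",
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")
# Labels of 1-63 chars, a letters-only top-level label, 253 chars overall.
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")
_HASH_TYPES = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}


def classify_indicator(value: str) -> str:
    """Map a raw IOC string to a Defender indicatorType name, or raise ValueError."""
    v = value.strip()
    if _HEX.match(v):
        if len(v) in _HASH_TYPES:
            return _HASH_TYPES[len(v)]
        raise ValueError(f"hex string of length {len(v)} is not an MD5/SHA-1/SHA-256 hash")
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "IpAddress"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "Url"
    if _DOMAIN.match(v):
        return "DomainName"
    raise ValueError(f"cannot classify indicator value {value!r}")


def build_indicator(value: str, action: str, title: str, description: str,
                    ttl_days: int = 30) -> dict:
    """Build the indicator body; the expiry keeps stale blocks from piling up."""
    if action not in ACTION_TYPES:
        raise ValueError(f"action {action!r} is not one of {sorted(ACTION_TYPES)}")
    if not title.strip() or not description.strip():
        raise ValueError("title and description must be non-empty")
    if ttl_days <= 0:
        raise ValueError("ttl_days must be positive")
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return {
        "indicatorValue": value.strip(),
        "indicatorType": classify_indicator(value),
        "action": action,
        "title": title.strip(),
        "description": description.strip(),
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def indicators_url(host: str = "api.securitycenter.windows.com") -> str:
    """Submission endpoint on the host configured in the SIRP app (assumed path)."""
    return f"https://{host}/api/indicators"


if __name__ == "__main__":
    import json
    # Constructed sample values: documentation-reserved address and domain,
    # and a SHA-256 that is simply 64 zeros rather than a real file hash.
    for ioc in ("198.51.100.7", "example.invalid", "https://example.invalid/x", "0" * 64):
        body = build_indicator(ioc, "AlertAndBlock", "SIRP push", "Pushed from a SIRP playbook")
        print(json.dumps(body))
```

The Remove IP / Domain / URL / Hash actions are the inverse operation, deleting the indicator by the id Defender returned on submission; the same classify_indicator helper is useful there to look up the right indicator before removing it, and the Action Type validation is what stops a mistyped value such as "Blocked" from silently creating an indicator with the wrong effect.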
