About Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
Microsoft Defender for Endpoint, formerly Windows Defender ATP and Microsoft Defender ATP (the SIRP app still carries the Windows Defender ATP name), is an enterprise endpoint security platform that helps organizations detect, investigate, prevent, and respond to advanced threats. Alerts retrieved from Defender for Endpoint carry the full context of the alert and the complete picture of the attack.
SIRP's SOAR platform uses the Defender for Endpoint API in playbooks to orchestrate responses: fetching and updating alerts, retrieving machine information, and pushing IPs, domains, URLs, and hashes as indicators.
The integration between SIRP and Defender for Endpoint strengthens the organization's detection, investigation, enrichment, and threat intelligence capabilities, so that teams can orchestrate, automate, and respond to emerging threats from one place.
SIRP’s Windows Defender ATP integration app allows you to execute the following actions:
Get new alerts from Windows Defender ATP
Get Machine Information: get machine information from Windows Defender ATP
Change alert status to Closed in Windows Defender ATP
Push IP to Indicators in Defender from SIRP
Push Domain to Indicators in Defender from SIRP
Push URL to Indicators in Defender from SIRP
Push Hash to Indicators in Defender from SIRP
Isolate machines from the network
Unisolate machines from the network
Remove IP from Indicators in Defender via SIRP
Remove Domain from Indicators in Defender via SIRP
Remove URL from Indicators in Defender via SIRP
Remove Hash from Indicators in Defender via SIRP
Cancel Machine Action: cancel a pending machine action
Collect Investigation Package: collect an investigation package from a machine
Get Machine Action Status: retrieve the status of an executed action
Get Investigation Package SAS URI: get the URI for downloading the investigation package
List Pending Machine Actions: list machine actions previously executed
Live Response Put File: put a file from the library onto the device
Live Response Get File: collect a file from a device
Live Response Run Script: run a script from the library on a device
Offboard machine from Microsoft Defender for Endpoint
Remove App Restriction: remove the application execution restriction
Restrict App Execution: restrict application execution
Run Full Scan: perform an AV full scan on the device
Run Quick Scan: perform an AV quick scan on the device
Quarantine and Stop File: stop the execution of a file on a machine and delete it
Enable and Configure Windows Defender ATP API
To integrate Windows Defender ATP with SIRP:
Sign in to the Azure portal (Azure Active Directory admin center) for the tenant that hosts your Defender for Endpoint instance.
Go to Azure Active Directory.
Go to App registrations.
Click New registration.
Register the application with the following settings:
Name: <chosen by you>.
Supported account types: "Accounts in this organizational directory only."
Redirect URI: Web, https://security.microsoft.com/. (SIRP authenticates with an app secret through the client-credentials flow, which never redirects a user, so this value is not used at runtime; the single-tenant account type is the setting that matters.)
Click Register.
From the Overview page of the application you just registered, copy and save the following IDs:
Application (client) ID
Directory (tenant) ID
Next, go to the Certificates & secrets tab and:
Click New client secret.
Enter a description and choose an expiry.
The secret value is displayed once, immediately after creation, and cannot be retrieved later, so copy it at that moment. This value (the App Secret) is what the application presents to Azure AD to obtain an access token; it is not itself a token. Treat it like a password: paste it only into the SIRP app configuration, record its expiry date, and rotate it before it lapses, because an expired secret silently breaks every Defender action in your playbooks.
Go to the API permissions tab and take the following steps:
Click Add a permission.
Select APIs my organization uses.
Search for and select WindowsDefenderATP (the Defender for Endpoint API itself, not the application you registered above).
Enable the following permissions (Application permissions, since SIRP authenticates as the app without a signed-in user):
Click Add permissions to attach them to the app registration.
Finally, click "Grant admin consent for <your organization>" and confirm with Yes. Admin consent is what makes the permissions effective; until it is granted they are listed on the app but not usable.
Configure The SIRP App
Next, log in to SIRP and go to Apps in the left navigation bar.
Locate the Windows Defender ATP app.
Click the toggle button to enable the app.
When you enable the app, you are prompted for its configuration details. Enter the following and click Save:
Tenant ID <the Directory (tenant) ID copied earlier from the app registration>
App ID <the Application (client) ID copied earlier from the app registration>
App-Secret <the client secret value copied earlier from the app registration>
The token will look something like this:
After the last step, you should be able to execute the Windows Defender ATP actions on-demand or through Playbooks.
Windows Defender ATP In Action
Once the integration between SIRP and Windows Defender ATP is complete, you can execute all the supported actions. For example, click on an artifact such as a hash or an IP, then select Windows Defender ATP > Get Machine Information or Push IP.
When executing blocking actions (push_ip, push_domain, push_hash, and so on), you are asked for some additional inputs.
Click the + icon to provide a new value.
Every value you add as an Additional input is stored in the database and offered in a dropdown on later executions, so the next time you run the same action you can select it rather than type it again. Check a reused value before running a Block action: an indicator applies to every onboarded device, and a stale title or description makes the resulting alerts harder to triage.
Action Type (one of the following values, which tells Defender what to do when it sees this IOC):
Title: Any string or keyword
Description: Any string or keyword
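The following is an added example and is not code from SIRP or Microsoft. It shows what sits behind the Tenant ID / App ID / App-Secret configuration above (the OAuth2 client-credentials token request) and behind a push_* action with its Action Type, Title and Description inputs (a POST to the Defender for Endpoint indicators API), plus the alert-status update behind "Change alert status to Closed". The endpoint URLs, JSON field names and the set of accepted action values are taken from Microsoft's public Defender for Endpoint API reference, not from this page; mapping SIRP's "Closed" to Defender's Resolved status is an assumption about how the app labels it. The HTTP transport is injected, so the script runs offline against the FakeTransport stand-in, and every credential, ID and IOC value is a constructed placeholder.

```python
"""Added example (not SIRP's or Microsoft's code): the requests behind the SIRP
Windows Defender ATP app configuration and its push_* / close-alert actions.
Credentials, IDs and IOCs below are constructed placeholders."""
import ipaddress
import json
import re
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
API = "https://api.securitycenter.microsoft.com"
# Values the indicator API accepts for "action" (public API reference, not this page).
ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate", "AlertAndBlock", "Allowed"}


def token_request(tenant_id, app_id, app_secret):
    """OAuth2 client-credentials request: no user sign-in and no redirect URI.
    The client secret alone proves the app's identity (hence: guard it like a
    password); the token carries the Application permissions given admin consent."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    form = urlencode({"client_id": app_id, "client_secret": app_secret,
                      "scope": f"{API}/.default", "grant_type": "client_credentials"})
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form


def classify_ioc(value):
    """Map a raw IOC string to a Defender indicatorType. Hashes are tested first
    so a hex string is never mistaken for a host name; unknown input is rejected
    rather than pushed as a bogus indicator."""
    v = value.strip()
    for n, kind in ((64, "FileSha256"), (40, "FileSha1"), (32, "FileMd5")):
        if re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", v):
            return kind
    try:
        ipaddress.ip_address(v)
        return "IpAddress"
    except ValueError:
        pass
    if re.match(r"https?://", v, re.I):
        return "Url"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v, re.I):
        return "DomainName"
    raise ValueError(f"unrecognised IOC: {value!r}")


def indicator_request(token, value, action, title, description):
    """POST /api/indicators for a push_* action. Action Type, Title and
    Description are the Additional inputs SIRP prompts for."""
    if action not in ACTIONS:
        raise ValueError(f"invalid action {action!r}; expected one of {sorted(ACTIONS)}")
    body = {"indicatorValue": value.strip(), "indicatorType": classify_ioc(value),
            "action": action, "title": title, "description": description}
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "POST", f"{API}/api/indicators", headers, json.dumps(body)


def close_alert_request(token, alert_id, comment):
    """Defender alerts have the states New, InProgress and Resolved; there is no
    "Closed", so (assumption) SIRP's Closed maps to a PATCH setting Resolved."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "PATCH", f"{API}/api/alerts/{alert_id}", headers, json.dumps(
        {"status": "Resolved", "comment": comment})


class FakeTransport:
    """Stand-in for the network: records each request and answers like the API."""
    def __init__(self):
        self.sent = []

    def __call__(self, method, url, headers, body):
        self.sent.append((method, url, headers, body))
        if url.endswith("/oauth2/v2.0/token"):
            return {"token_type": "Bearer", "expires_in": 3599,
                    "access_token": "eyJ.constructed.token"}
        if url.endswith("/api/indicators"):
            return {"id": "42", **json.loads(body)}
        return {}


def push_indicator(send, creds, value, action, title, description):
    """What a SIRP push_* action does end to end: obtain a token, then create the indicator."""
    tok = send(*token_request(creds["tenant_id"], creds["app_id"], creds["app_secret"]))
    return send(*indicator_request(tok["access_token"], value, action, title, description))


if __name__ == "__main__":
    creds = {"tenant_id": "00000000-0000-0000-0000-000000000001",  # constructed
             "app_id": "00000000-0000-0000-0000-000000000002",
             "app_secret": "placeholder-secret"}
    fake = FakeTransport()
    created = push_indicator(fake, creds, "203.0.113.7", "AlertAndBlock",
                             "SIRP incident 1234", "C2 address pushed from SIRP")
    print(created["indicatorType"], created["id"])
```

To use it against a real tenant, replace FakeTransport with a function that performs the HTTP call (for example with requests) and returns the parsed JSON. The type inference is what keeps a mistyped Additional input from becoming a nonsense indicator, and an unknown Action Type is refused before any request is sent; in production start new indicators with Alert or Audit and only move to a Block action once the alerts confirm the value is not hitting legitimate traffic.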