About Microsoft Defender for Endpoints (formerly Microsoft Defender ATP)
Windows Defender ATP, now Microsoft Defender for Endpoint, is an Advanced Threat Protection (ATP) and enterprise endpoint security platform that helps organizations detect, investigate, prevent, and respond to advanced threats. External alerts pushed into Windows Defender ATP provide the full context of the generated alert and a complete picture of the attack.
SIRP's SOAR platform uses Windows Defender ATP to build playbooks and integrates its rich data models to orchestrate responses such as getting and updating alerts, obtaining machine information, and pushing IPs, domains, URLs, and hashes as indicators.
The integration between SIRP and Windows Defender ATP enhances the organization’s detection, investigation, enrichment, and threat intelligence capabilities. It enables teams to effectively orchestrate, automate, and respond to emerging threats.
Supported Actions
SIRP’s Windows Defender ATP integration app allows you to execute the following actions:
| S.no | Action | Description |
|---|---|---|
| 1 | Get Alerts | Get new alerts from Windows Defender ATP |
| 2 | Get Machine Information | Get machine information from Windows Defender ATP |
| 3 | Update Alerts | Change alert status to Closed in Windows Defender ATP |
| 4 | Push IP | Push IP to Indicators in Defender from SIRP |
| 5 | Push Domain | Push Domain to Indicators in Defender from SIRP |
| 6 | Push URL | Push URL to Indicators in Defender from SIRP |
| 7 | Push Hash | Push Hash to Indicators in Defender from SIRP |
| 8 | Isolate Machine | Isolate machines from the network |
| 9 | Unisolate Machine | Release machines from network isolation |
| 10 | Remove IP | Remove IP from Indicators in Defender via SIRP |
| 11 | Remove Domain | Remove Domain from Indicators in Defender via SIRP |
| 12 | Remove URL | Remove URL from Indicators in Defender via SIRP |
| 13 | Remove Hash | Remove Hash from Indicators in Defender via SIRP |
| 14 | Cancel Machine Action | Cancel a pending machine action |
| 15 | Collect Investigation Package | Collect an investigation package from a machine |
| 16 | Get Machine Action Status | Retrieve the status of an executed action |
| 17 | Get Investigation Package SAS URI | Get the URI for downloading the investigation package |
| 18 | List Pending Machine Actions | List machine actions previously executed |
| 19 | Live Response Put File | Put a file from the library onto the device |
| 20 | Live Response Get File | Collect a file from a device |
| 21 | Live Response Run Script | Run a script from the library on a device |
| 22 | Offboard Machine | Offboard a machine from Microsoft Defender for Endpoint |
| 23 | Remove App Restriction | Remove the application execution restriction |
| 24 | Restrict App Execution | Restrict application execution |
| 25 | Run Full Scan | Perform an AV full scan on the device |
| 26 | Run Quick Scan | Perform an AV quick scan on the device |
| 27 | Quarantine and Stop File | Stop the execution of a file on a machine and delete it |
Enable and Configure Windows Defender ATP API
To integrate Windows Defender ATP with SIRP:
Log in to your Windows Defender ATP instance at Azure Active Directory admin center.
Go to the Azure Active Directory tab.
Go to the App registrations option.
Click on Add.
Application Registration
Follow the below-mentioned steps to register the application.
Set the Name of the application <Configured by the user>.
Set the Supported Account type as “Accounts in this organizational directory only.”
Set the Redirect URI type to Web and the URL to https://security.microsoft.com/.
Click on Register.
API Generation
From the application created using the steps mentioned above, copy and save the following IDs from the application Overview:
Application (client) ID
Directory (tenant) ID
Next, go to the Certificates & Secrets tab and:
Add a new client secret.
Enter the description.
A new secret value will be created; it proves the identity of the application when it requests a token. Copy this value (the App Secret) from the Azure portal immediately, as it is only shown once, and use it later in the SIRP app configuration.
Access the API permission tab to request the API permission. Take the following steps:
Click on the Add permission option.
Select an API from the APIs your organization uses.
Add the Windows Defender ATP application created using the above steps.
Enable the following permissions:
AdvancedQuery.Read.All
Alert.Read.All
Alert.ReadWrite.All
File.Read.All
IntegrationConfiguration.ReadWrite
Ip.Read.All
Machine.CollectForensics
Machine.Isolate
Machine.LiveResponse
Machine.Offboard
Machine.Read.All
Machine.ReadWrite.All
Machine.RestrictExecution
Machine.Scan
Machine.StopAndQuarantine
RemediationTasks.Read.All
Score.Read.All
SecurityConfiguration.Read.All
SecurityConfiguration.ReadWrite.All
SecurityRecommendation.Read.All
Software.Read.All
Ti.Read.All
Ti.ReadWrite
Ti.ReadWrite.All
Url.Read.All
User.Read.All
Vulnerability.Read.All
Add the permissions by clicking on Add permission.
Finally, select "Grant admin consent for <your organization>" and click Yes.
Configure The SIRP App
Next, log in to SIRP, then go to Apps from the left navigation bar.
Locate the Windows Defender ATP App.
Click on the Toggle button to enable the app.
When you enable the App, you will get an option to add the configuration details. Add the following details and click Save:
| Field | Value |
|---|---|
| Host | api.securitycenter.windows.com |
| Tenant ID | <Generated earlier at Windows Defender ATP instance> |
| App ID | <Generated earlier at Windows Defender ATP instance> |
| App-Secret | <Generated earlier at Windows Defender ATP instance> |
The access token issued for these credentials is a long base64url-encoded JWT string (three dot-separated parts, beginning with eyJ...).
After the last step, you should be able to execute the Windows Defender ATP actions on-demand or through Playbooks.
Windows Defender ATP In Action
Once the integration between SIRP and Windows Defender ATP is complete, you can execute all the supported actions. For example, click on a hash, then select Windows Defender ATP > Get Machine Information or Push IP.
Additional Inputs
While executing blocking actions (push_ip, push_domain, push_hash, etc.), you will be asked to provide some additional inputs.
Click on the + icon to provide a new value.
Every time you add a value for Additional Inputs, it is stored in the database and available for you to select during the next execution. So if you execute the same action in the future, you can pick the same value from the dropdown rather than adding a new one.
Action Type (one of the following values; it defines what Defender should do when it sees this particular IOC):
Alert
Warn
Block
Audit
BlockAndRemediate
AlertAndBlock
Allowed
Title: Any string or keyword
Description: Any string or keyword
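To tie the configuration section (Tenant ID, App ID, App-Secret, Host) and the Additional Inputs together, here is an added example, not SIRP's or Microsoft's code, showing the client-credentials token request those values feed, an unverified read of the resulting JWT's claims to explain a 401/403 on a push or isolate action (wrong audience, or a permission from the list above that was never granted), and the indicator body built from the Action Type, Title and Description inputs. The action-to-permission mapping and the constructed offline token are assumptions for the demonstration.

```python
import base64
import json

# Host from the SIRP app configuration; also the OAuth2 "resource" (token audience)
DEFENDER_API = "https://api.securitycenter.windows.com"
# Action Type values accepted for the push_* additional input
ACTION_TYPES = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate", "AlertAndBlock", "Allowed"}
# Assumed mapping: application permission(s) each SIRP action needs (from the permission list above)
REQUIRED_ROLES = {
    "push_ip": {"Ti.ReadWrite", "Ti.ReadWrite.All"},
    "push_hash": {"Ti.ReadWrite", "Ti.ReadWrite.All"},
    "isolate_machine": {"Machine.Isolate"},
    "run_full_scan": {"Machine.Scan"},
}

def token_request(tenant_id, app_id, app_secret):
    """URL and form body of the client-credentials request made with the configured IDs and secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": app_id,
            "client_secret": app_secret, "resource": DEFENDER_API}
    return url, form

def token_claims(token):
    """Read the JWT payload. The signature is NOT verified: this diagnoses 401/403, it is not authentication."""
    _header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token, action):
    """Return the reasons an action would be rejected: wrong audience and/or missing application role."""
    claims = token_claims(token)
    problems = []
    if claims.get("aud") != DEFENDER_API:
        problems.append(f"audience {claims.get('aud')!r} is not {DEFENDER_API}; wrong resource in token request")
    if not REQUIRED_ROLES[action] & set(claims.get("roles", [])):
        problems.append(f"missing permission {sorted(REQUIRED_ROLES[action])}; add it, grant admin consent, reissue token")
    return problems

def indicator_body(indicator_type, value, action_type, title, description):
    """Body for POST /api/indicators on the configured host; Action Type, Title, Description are the additional inputs."""
    if action_type not in ACTION_TYPES:
        raise ValueError(f"unknown Action Type {action_type!r}; expected one of {sorted(ACTION_TYPES)}")
    return {"indicatorType": indicator_type, "indicatorValue": value,
            "action": action_type, "title": title, "description": description}

def fake_token(claims):
    """Constructed, unsigned token for offline demonstration only; the real API would reject it."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.nosig"
```

Run `check_token` against a real token only to read its `aud` and `roles` after a failed action; if a role is absent, the app registration is missing that permission or admin consent was never granted, and the token must be reissued after fixing it.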