Microsoft Defender for Endpoint

Modified on Wed, 22 May 2024 at 10:41 PM

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.

 

This guide describes the steps required to configure Microsoft Defender for Endpoint (MSDE) so that Samurai XDR can respond by isolating (and de-isolating) specific hosts from the Response > Endpoints screen.


To receive telemetry (alerts) from Microsoft Defender for Endpoint, simply configure the Samurai Microsoft 365 Integration from the Telemetry > Integrations menu item.


Prerequisites

The user must have Global administrative access to the Microsoft Defender Security Center and Microsoft Azure Portal.

You must have an Azure Premium P2 plan for the Privileged Identity Management features discussed below.

 

Recommended Advanced Settings for Defender for Endpoint

To facilitate incident response, in the event that you do experience a breach, we also recommend that you enable the following settings in Defender for Endpoint.

  • Live response
  • Live response for servers
  • Live response unsigned script execution

Follow the Microsoft documentation, Configure advanced features in Defender for Endpoint, to enable these features.

 

To complete this Integration you will need to perform actions in both the Azure Portal and Samurai XDR Application:

1. Azure Portal

  • Application Registration
  • Permissions
  • Certificates and Secrets

 

2. Samurai XDR application

  • Configure the Samurai XDR application
    • Response > Integrations

 

Azure Portal

Application Registration

Perform these steps to register the application whose Application (client) ID will be used for the advanced hunting API / exposed API.

  1. Ensure you are logged into the Azure portal
  2. From Azure Active Directory, select App Registrations > New registration
  3. The Register an application page appears
  4. In the Name field, specify an appropriate name
  5. In Supported account types, select Accounts in this organization only
  6. In Redirect URI (optional), perform the following steps:
    • Select Web
    • Specify https://localhost:5000
  7. To finalize the configuration, click Register

Permissions

  1. Click API permissions from the Manage section
  2. Click Add a permission (the permissions page should now appear)
  3. Select the APIs my organization uses tab
  4. In the search field, specify Windows
  5. From the results that now appear, click WindowsDefenderATP
  6. Select Application permissions
  7. For Telemetry (Logs / Events):
    • From the Select permissions section, select all the permission items ending with Read.All and select Add permissions
  8. For Response (ability to isolate an endpoint), optional:
    • From the Select permissions section, select the permission Machine.Isolate and select Add permissions
  9. From the Configured permissions section, select Grant admin consent for <Your organization tenant name>
  10. The grant consent question will appear; select Yes
  11. The API permissions page will appear again for your review. You should see a green tick in the Status column for each of the permissions you changed.

 

Certificates and Secrets

  1. While in the created app registration
  2. Select Certificates & secrets from the Manage section
  3. In the Client secrets section, click New client secret
  4. In the Add a client secret section, specify an appropriate name in the Description field
  5. In the Expires section, select the desired expiry, e.g. "24 months" (please take note of this date and mark it in your calendar)
  6. Select Add
  7. Make note of the Client secret value, since it is only shown immediately after creation
  8. Browse back to the app registration and make note of the Application (client) ID and Directory (tenant) ID. These will be used in the next section.
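Before entering the values into Samurai XDR, it is worth confirming that the registration actually works and that admin consent took effect. The following is an added example, not part of the Samurai guide or the Samurai product: it runs the OAuth2 client-credentials flow against the real Microsoft Entra ID (Azure AD) token endpoint for the WindowsDefenderATP API, decodes the returned access token and checks that its roles claim carries the permissions granted above (the Read.All set for telemetry and, optionally, Machine.Isolate for response), and computes how long the client secret has left. The role names checked are a representative subset chosen for this example (Alert.Read.All and Machine.Read.All), and the sample token used for the offline demo is constructed, not a real token.

```python
"""Verify an MDE app registration before wiring it into Samurai XDR (added example)."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import date

# Real endpoints: Entra ID v2.0 token endpoint and the MDE API resource scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"

# Roles the guide grants. Telemetry needs the Read.All permissions (a representative
# subset is checked here, an assumption of this example); response also needs Machine.Isolate.
TELEMETRY_ROLES = {"Alert.Read.All", "Machine.Read.All"}
RESPONSE_ROLES = {"Machine.Isolate"}


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the registration's client ID/secret for an MDE access token (needs network)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload only. The signature is NOT verified: this inspects
    claims of a token we just received from the issuer over TLS, it must never be
    used to make an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims: dict, want_response: bool = True) -> set:
    """Return the required application roles absent from the token's roles claim.
    An empty set means admin consent covered everything the integration needs."""
    granted = set(claims.get("roles", []))
    required = TELEMETRY_ROLES | (RESPONSE_ROLES if want_response else set())
    return required - granted


def secret_days_left(expires_iso: str, today_iso: str) -> int:
    """Days until the client secret expires (both dates as YYYY-MM-DD),
    so the rotation reminder from step 5 can be scripted rather than remembered."""
    return (date.fromisoformat(expires_iso) - date.fromisoformat(today_iso)).days


def make_sample_token(roles) -> str:
    """Constructed, unsigned sample token for offline testing only (not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": "https://api.securitycenter.microsoft.com", "roles": list(roles)}
    return f"{b64(header)}.{b64(claims)}.sig"


if __name__ == "__main__":
    # Offline demo on a constructed token granted only the telemetry roles.
    token = make_sample_token(["Alert.Read.All", "Machine.Read.All"])
    print("missing for response:", missing_roles(decode_jwt_payload(token)))
    print("secret days left:", secret_days_left("2026-05-22", "2024-05-22"))
    # Live check (replace the placeholders with the values noted in steps 7 and 8):
    # live = request_token("<tenant-id>", "<client-id>", "<client-secret>")
    # print(missing_roles(decode_jwt_payload(live)))
```

If `missing_roles` reports Machine.Isolate as absent after you granted it, the usual cause is that Grant admin consent was not clicked (step 9 of Permissions); tokens issued before consent also keep the old roles until they expire, so request a fresh one.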

 

Configure the Samurai XDR Application

You will need to provide the information collected above in the Samurai web interface, at the following application location:


Response > Integrations (to perform host isolation)


  1. Login to your Samurai XDR tenant
  2. Select Telemetry | Response > Integrations
  3. Select Create
  4. Locate and click Microsoft Defender for Endpoint
  5. Click Next (we leverage a Samurai XDR Cloud Collector)
  6. Enter a Name of Integration (description of the integration)
  7. Enter a Description (optional)
  8. Enter your Devicename (a name you assign as the source of the alerts)
  9. Enter your Tenant ID
  10. Enter the optional REST Domain
  11. Enter your Client ID
  12. Enter your Client Secret
  13. Click Finish