Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.
This guide describes the steps required to configure Microsoft Defender for Endpoint (MSDE) so that Samurai XDR can respond by isolating (and de-isolating) specific hosts from the Response > Endpoints screen.
To receive telemetry (alerts) from Microsoft Defender for Endpoint, simply configure the Samurai Microsoft 365 Integration from the Telemetry > Integrations menu item.
Prerequisites
The user performing these steps must have Global Administrator access to the Microsoft Defender Security Center and the Microsoft Azure Portal; granting admin consent for application permissions requires a privileged directory role.
An Azure AD Premium P2 license is required if you activate that administrative role through Privileged Identity Management (PIM).
Recommended Advanced Settings for Defender for Endpoint
To facilitate incident response in the event that you do experience a breach, we also recommend that you enable the following settings in Defender for Endpoint:
- Live response
- Live response for servers
- Live response unsigned script execution
Follow the Microsoft documentation - Configure advanced features in Defender for Endpoint to enable the features.
To complete this Integration you will need to perform actions in both the Azure Portal and Samurai XDR Application:
1. Azure Portal
- Application Registration
- Permissions
- Certificates and Secrets
2. Samurai XDR application
- Configure the Samurai XDR application
- Response > Integrations
Azure Portal
Application Registration
Perform these steps to register the application whose Application (client) ID Samurai XDR will use to call the Defender for Endpoint API.
- Ensure you are logged into the Azure portal
- From Azure Active Directory (now Microsoft Entra ID), select App Registrations > New registration
- The Register an application page appears
- In the Name field, specify an appropriate name
- In Supported account types, select Accounts in this organization only
- In Redirect URI (optional), perform the following steps (the integration authenticates with a client ID and secret, so this URI is never actually redirected to; it only satisfies the registration form):
- Select Web
- Specify https://localhost:5000
- To finalize the configuration click Register
Permissions
- Click API permission from the Manage section
- Click Add a permission, (the permissions page should now appear)
- Select the APIs my organization uses tab
- In the search field, specify Windows
- From the results that now appear, click WindowsDefenderATP
- Select Application permissions
- For Telemetry (Logs / Events):
- From the Select permissions section, select all the permission items ending with Read.All and select Add permissions (each of these is a tenant-wide application permission, so grant only the ones your telemetry integration needs)
- For Response (ability to isolate an endpoint) - Optional
- From the Select permissions section, select the permission Machine.Isolate and select Add permissions (isolation disconnects a device from the network, so grant this only if you intend to use Samurai XDR for response)
- From the Configured permissions section, select Grant admin consent for <Your organization tenant name>
- The grant consent question will appear, select Yes
- Once again the API Permissions page will appear for your review. You should see a green tick against the status of the permissions changed.
Certificates and Secrets
- While in the created app registration
- Select Certificates & secrets from the Manage section
- In the Client secrets section, click New client secret
- In the Add a client secret section, specify an appropriate name in the Description field
- In the Expires section, select the desired expiry, e.g. "24 months" (take note of this date and mark it in your calendar; the integration stops working when the secret expires)
- Select Add
- Make note of the Client secret value, since it is only displayed immediately after creation
- Browse back to the app registration Overview and make note of the Application (client) ID and Directory (tenant) ID. These will be used in the next section.
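Before pasting the tenant ID, client ID and secret into Samurai XDR, it is worth confirming that the registration, permissions and admin consent above actually produced a usable token. The script below is an added example (not Samurai or Microsoft code): it requests an application token with the client-credentials flow for the Defender for Endpoint API resource and checks that the token's roles claim lists the granted application permissions. The scope URL and the permission names Machine.Read.All and Machine.Isolate are assumptions about what your registration should carry; adjust REQUIRED_ROLES to the permissions you granted. The unsigned_test_token helper only builds a constructed, unsigned token for offline testing of the claim check.

```python
"""Check that a Defender for Endpoint app registration yields the expected permissions.

Added example. Run with TENANT_ID, CLIENT_ID and CLIENT_SECRET set in the
environment to test a real registration; without them it runs against a
constructed sample token.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Resource for the WindowsDefenderATP (Defender for Endpoint) API.
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"

# Permissions this check expects in the token (assumed; adjust to what you granted).
# Machine.Isolate is the response permission from the guide.
REQUIRED_ROLES = {"Machine.Read.All", "Machine.Isolate"}


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token request against the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.

    Acceptable for inspecting a token we just received over TLS from the
    issuer; never use this to trust a token presented by someone else.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Return the required application permissions absent from the token's roles claim.

    An empty roles claim usually means admin consent was not granted.
    """
    return set(required) - set(jwt_claims(token).get("roles", []))


def unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the claim check can be exercised offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")]
    if all(env):
        token = request_token(*env)
    else:
        # Constructed sample: Read.All permissions consented, Machine.Isolate not.
        token = unsigned_test_token({
            "aud": "https://api.securitycenter.microsoft.com",
            "roles": ["Machine.Read.All", "Alert.Read.All"],
        })
    gap = missing_roles(token)
    if gap:
        print(f"Missing application permissions (add them and grant admin consent): {sorted(gap)}")
    else:
        print("OK: required application permissions are present in the token")
```

A token whose roles claim is missing the Machine.Isolate entry means the response action will fail in Samurai XDR even though telemetry works, so resolve that here before moving on to the Samurai configuration.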
Configure the Samurai XDR Application
You will need to provide the information gathered above in the Samurai web interface.
Complete the following configuration in the location below:
Response > Integrations (to perform host isolation)
- Login to your Samurai XDR tenant
- Select Response > Integrations
- Select Create
- Locate and click Microsoft Defender for Endpoint
- Click Next (we leverage a Samurai XDR Cloud Collector)
- Enter a Name of Integration (description of the integration)
- Enter a Description (optional)
- Enter your Devicename (a name you assign as the source of the alerts)
- Enter your Tenant ID
- Enter the optional REST Domain (only needed if your environment requires a non-default Defender for Endpoint API host; otherwise leave it blank)
- Enter your Client ID
- Enter your Client Secret
- Click Finish