Microsoft Defender for Endpoint (Microsoft Defender ATP)
  • 24 Mar 2022

Microsoft Defender for Endpoint (Microsoft Defender ATP) helps enterprise networks prevent, detect, investigate, and respond to advanced threats.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

Parameters

  1. Tenant ID (required) - The Azure Tenant ID.
  2. Client ID (required) - The Application ID of the Axonius application.
  3. Client Secret (required) - A user-created key for the Axonius application.
  4. Verify SSL (required, default: False) - Verify the SSL certificate offered by Microsoft Defender for Endpoint. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by Microsoft Defender for Endpoint will be verified against the CA database inside of Axonius. If the SSL certificate can not be validated against the CA database inside of Axonius, the connection will fail with an error.
    • If disabled, the SSL certificate offered by Microsoft Defender for Endpoint will not be verified against the CA database inside of Axonius.
  5. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to Microsoft Defender for Endpoint.
    • If supplied, Axonius will utilize the proxy when connecting to Microsoft Defender for Endpoint.
    • If not supplied, Axonius will connect directly to Microsoft Defender for Endpoint.
  6. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. See Advanced Configuration for Adapters.

Note:

Configuring Advanced Settings lengthens the time a fetch takes. Fetching vulnerabilities or applications may take an hour or more; all other advanced settings may take much longer. This is owing to the Defender for Endpoint configuration.

  1. Fetch users (required, default: False) - Select whether to fetch information for users associated with fetched device assets from Microsoft Defender for Endpoint.
    • If enabled, all connections for this adapter will fetch information for users associated with fetched devices from Microsoft Defender for Endpoint.
    • If disabled, all connections for this adapter will not fetch any user data.
  2. Fetch applications (required, default: False) - Select whether to fetch installed applications from Microsoft Defender for Endpoint.
    • If enabled, all connections for this adapter will fetch the installed applications on devices.
    • If disabled, all connections for this adapter will not fetch the installed applications on devices.
  3. Fetch vulnerabilities (required, default: False) - Choose whether to fetch devices' vulnerabilities from Microsoft Defender for Endpoint.
    • If enabled, all connections for this adapter will fetch vulnerabilities data from Microsoft Defender for Endpoint.
    • If disabled, all connections for this adapter will not fetch any vulnerability data from Microsoft Defender for Endpoint.
  4. Fetch recommendations (required, default: False) - Choose whether to fetch security recommendations from Microsoft Defender for Endpoint.
    • If enabled, all connections for this adapter will fetch security recommendations data from Microsoft Defender for Endpoint.
    • If disabled, all connections for this adapter will not fetch any security recommendations data from Microsoft Defender for Endpoint.
  5. Fetch only onboarded devices (required, default: False) - Select whether to only fetch devices that were onboarded.
  6. Ignore Offline Interfaces (required, default: False) - Select whether interfaces that have the operational status 'Down' will not be added to devices.
  7. Ignore Inactive Devices (optional, default: False) - Select whether to ignore devices that have an inactive status.
    • If enabled, all devices that have a health status of 'Inactive' will not be fetched.
    • If disabled, all devices are fetched, regardless of active status.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.


Configuring the application in the Microsoft Azure portal

  1. Log in to the Azure Portal with an administrator account.

  2. Select Azure Active Directory. If you have more than one directory, verify that you are logged in to the correct directory. If you are not, select the top-right account logo and then select Switch Directory and select the directory you want Axonius to access.

  3. Select App registrations > New registration. Fill in the details and click Register.


  4. After you have created the app, you should see its Application ID and Directory ID. Write down these values in a safe place; they are the Client ID and Tenant ID used by the adapter.


  5. In the left menu, select Certificates & Secrets > New Client Secret. Click Add and copy the secret.


  6. In the left menu, select API Permissions > Add a permission. Then select APIs my organization uses and select the WindowsDefenderATP API.

  7. Add the permissions Machine.Read.All, Vulnerability.Read.All, Software.Read.All, User.Read.All.

  8. To fetch AV information, you also need to add the AdvancedQuery.Read.All and AdvancedQuery.Read permissions. Axonius recommends that you assign both application and delegated permissions.

  9. Select Grant admin consent for Default Directory to apply these permissions.
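To check that the app registration and consent from the steps above actually work before configuring the adapter, here is an added Python example (not Axonius or Microsoft code). It builds the client-credentials token request for the WindowsDefenderATP API, reads the application permissions that admin consent granted from the token's roles claim, and applies the Fetch only onboarded devices and Ignore Inactive Devices advanced settings to /api/machines records. The token and machine records are constructed samples; the v2.0 token endpoint and .default scope are assumptions for this illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Application permissions listed in step 7 above.
REQUIRED_ROLES = {"Machine.Read.All", "Vulnerability.Read.All",
                  "Software.Read.All", "User.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request using the Tenant ID, Client ID and
    Client Secret from steps 4 and 5 (built, not sent, so it runs offline)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": MDE_SCOPE}).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id),
                                  data=body, method="POST")


def granted_roles(access_token):
    """Roles (application permissions) in the token; signature not verified, config check only."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_roles(access_token):
    return REQUIRED_ROLES - granted_roles(access_token)


def select_devices(machines, only_onboarded=False, ignore_inactive=False):
    """Mirror of the 'Fetch only onboarded devices' and 'Ignore Inactive
    Devices' advanced settings, applied to /api/machines records."""
    return [m for m in machines
            if not (only_onboarded and m.get("onboardingStatus") != "Onboarded")
            and not (ignore_inactive and m.get("healthStatus") == "Inactive")]


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned sample token: consent was granted for only two roles.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}),
                         _b64url({"roles": ["Machine.Read.All", "User.Read.All"]}), ""])
# Constructed sample /api/machines records (shape only, not real devices).
SAMPLE_MACHINES = [
    {"id": "m1", "healthStatus": "Active", "onboardingStatus": "Onboarded"},
    {"id": "m2", "healthStatus": "Inactive", "onboardingStatus": "Onboarded"},
    {"id": "m3", "healthStatus": "Active", "onboardingStatus": "CanBeOnboarded"},
]
```

With a real token, a non-empty `missing_roles()` result means step 9 (admin consent) did not cover every permission the adapter needs.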

Note:

The Defender ATP software inventory lists, and makes available via the API, only software that has an official Common Platform Enumeration (CPE). The adapter cannot fetch software that is not listed in the ATP Software Inventory, because it is not made available via the API.
For more information, see the Microsoft Defender for Endpoint and ATP documentation.


