Microsoft Defender for Endpoint (Microsoft Defender ATP)
- Updated on 15 Aug 2024
Microsoft Defender for Endpoint (Microsoft Defender ATP) helps enterprise networks prevent, detect, investigate, and respond to advanced threats.
Related Enforcement Actions
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
- Vulnerabilities
- Software
- SaaS Applications
- Alerts/Incidents
Parameters
- Source Host Name (required, default: api.securitycenter.microsoft.com) - The Defender for Endpoint API host the adapter connects to. If your tenant is in the Azure US Government environment, use api-gcc.securitycenter.microsoft.us.
- Tenant ID (required) - The Azure Directory (tenant) ID.
- Client ID (required) - The Application (client) ID of the app registration created for Axonius.
- Client Secret (required) - The client secret created for the Axonius app registration.
- Verify SSL - Select to verify the SSL certificate offered by Microsoft Defender for Endpoint. For more details, see SSL Trust & CA Settings.
- HTTPS Proxy (optional) - A proxy to use when connecting to Microsoft Defender for Endpoint.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to Advanced Configuration for Adapters.
Enabling Advanced Settings lengthens fetch times. Fetching vulnerabilities or applications can take an hour or more, and the other advanced fetches can take considerably longer, because each one issues additional queries against Defender for Endpoint.
- Fetch users - Toggle on to fetch information for users associated with fetched devices assets from Microsoft Defender for Endpoint.
- Fetch only interactive users - Select whether to fetch only users that match the description of interactive in the MDE documentation.
- Username regex search - Enter one or more regex strings that can be used to identify users apart from other accounts.
- Fetch applications - Select whether to fetch installed applications from Microsoft Defender for Endpoint.
- Fetch vulnerabilities - Select whether to fetch devices' vulnerabilities from Microsoft Defender for Endpoint.
- Fetch vulnerability changes - Select whether to fetch vulnerability changes from Microsoft Defender for Endpoint.
- Fetch recommendations - Select whether to fetch security recommendations from Microsoft Defender for Endpoint.
- Fetch missing KBs - Select whether to fetch missing KBs (security updates).
- Fetch alerts - Select whether to fetch alerts (the DeviceAlertEvents data) from the API.
- Fetch device AV info - Select this option to fetch additional information about the Anti-Virus status for each device.
- Fetch only onboarded devices - Select whether to only fetch devices that were onboarded.
- Fetch only devices with hostname - Select this option to only fetch devices that have a hostname value (the computerDnsName field in Defender for Endpoint).
- Ignore offline interfaces - Select whether interfaces whose operational status is 'Down' are left off the device.
- Ignore inactive devices (optional) - Select whether to ignore devices that have an inactive status.
- If enabled, all devices that have a health status of 'Inactive' won't be fetched.
- If disabled, all devices are fetched, regardless of active status.
- Fetch Devices by tag - Toggle on this option to enter a comma separated list of tags by which to fetch devices. Only devices with the tags in the list will be fetched.
- Filter last logged users by domain - Toggle on this option to filter the last logged users by domain.
- Allowed domains list - Enter a comma separated list of domains from which to fetch the last logged users. This option is only available when Filter last logged users by domain is enabled.
- Fetch discovered devices information - Select this option to fetch information on devices discovered by installed agents.
- Fetch exploited vulnerabilities - Select this option to fetch the fields related to vulnerability exploitation from Defender for Endpoint Plan 1 and Plan 2.
- Avoid duplicate hostnames - Select this option to consider only the latest hostname field data received by Microsoft Defender for Endpoint to avoid duplicating hostnames.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
Required Permissions
The app registration needs the following application permissions on the WindowsDefenderATP API: Machine.Read.All, Vulnerability.Read.All, Software.Read.All, User.Read.All, and AdvancedQuery.Read.All. Optional fetches (recommendations, alerts) need additional permissions, listed in the steps below. All permissions must be admin-consented.
Configuring the application in the Microsoft Azure portal
Log in to the Azure Portal with an administrator account.
Select Microsoft Entra ID (formerly Azure Active Directory). If you have more than one directory, verify that you are logged in to the correct one. If you are not, select the account logo at the top right, select Switch Directory, and choose the directory you want Axonius to access.
Select App registrations > New registration. Fill in the details and click Register.
After you have created the app, the Overview page shows its Application (client) ID and Directory (tenant) ID. Record these values in a safe place; they are the Client ID and Tenant ID used in the adapter connection.
In the left menu, select Certificates & Secrets > New Client Secret, choose an expiration, and click Add. Copy the secret value immediately: it is displayed only once, and you must create a new secret (and update the adapter connection) before it expires.
In the left menu, select API Permissions > Add a permission. Then select APIs my organization uses and select the WindowsDefenderATP API.
Add the application permissions Machine.Read.All, Vulnerability.Read.All, Software.Read.All, and User.Read.All.
To fetch AV information, also add AdvancedQuery.Read.All (and AdvancedQuery.Read, as listed by the portal). The adapter authenticates with client credentials, so the permissions must be of the Application type; delegated permissions are not used.
To fetch recommendations, also add SecurityRecommendation.Read.All.
To fetch alerts, also add Alert.Read.All.
Select Grant admin consent for <your directory> to apply these permissions. Until consent is granted, the tokens issued to the app carry none of these roles and API calls fail with 401/403.
The Defender for Endpoint software inventory lists, and exposes via the API, only software that has an official Common Platform Enumeration (CPE) identifier. Software that does not appear in the Software Inventory is not available through the API, so the adapter cannot fetch it.
For more information, see the Microsoft Defender for Endpoint and ATP documentation.