# Microsoft Defender

The NetSPI Platform has a broad integration with Microsoft Defender.

This integration supports the Microsoft Defender product, which must be properly licensed in order for the integration to work.

Similar to our other integrations, the Microsoft Defender integration is read-only and does not perform actions to configure systems or otherwise change anything about your Microsoft Defender system.

# Supported asset types

The Microsoft Defender integration provides the NetSPI Platform visibility into the following asset types:

  • Applications
  • IPV4 Addresses
  • Systems
  • Users

# Endpoints used

This integration needs access to the following API endpoints:

# Required permissions

This integration needs an API key with the following access permissions:

  • Device.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementRBAC.Read.All
  • DeviceManagementServiceConfig.Read.All
  • Directory.Read.All
  • User.Read
  • User.Read.All
  • AuditLogs.Read.All
  • UserAuthenticationMethod.Read.All
  • Vulnerability.Read.All
  • Software.Read.All
  • Machine.Read.All (for DefenderATP only)
  • Machine.Read.All
  • User.Read.All
  • SecurityRecommendation.Read.All
  • Software.Read.All
  • Vulnerability.Read.All

# Configuration steps

Use the section below for configuring Microsoft Defender to integrate with the NetSPI Platform.

# Step one: Microsoft Defender system configuration

  1. Sign in to the Microsoft Entra ID portal (https://portal.azure.com/), and select View for the Manage Microsoft Entra ID option.

    MS Graph Config Step 1

  2. Select App registrations in the left pane.

    MS Graph Config Step 2

  3. Select New registration along the top row of tabs.

    MS Graph Config Step 3

  4. Provide a descriptive name for the registration and select Register at the bottom.

    MS Graph Config Step 4

  5. Copy the values for Application (client) ID and Directory (tenant) ID as they will be needed when configuring the integration in the NetSPI Platform. Once copied, select Certificates & secrets in the left pane.

    MS Graph Config Step 5

  6. On the Client secrets tab, select New client secret.

    MS Graph Config Step 6

  7. Select an appropriate expiration period for the client secret and then select the Add button.

    MS Graph Config Step 7

  8. Once the client secret has been created, select the Copy icon to the right of the Value field and record the value as it will be needed when configuring the integration in the NetSPI Platform.

    MS Graph Config Step 8

  7. When completing steps 9 - 12, use the appropriate API permissions to add:

  8. Repeat the steps, granting both application permissions and delegated permissions to the application.

  9. When complete, the permissions list should look like the following:

MS Graph Config Step 11

  1. Select the Grant admin consent for <your domain> button and then select Yes.
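
A check you can run after granting admin consent, added here as an example (not NetSPI or Microsoft code): it decodes access tokens issued to the app registration and compares their permissions with the list under Required permissions, flagging anything missing or not read-only. The sample tokens are constructed and unsigned, `token_permissions`, `audit` and `sample_token` are hypothetical helper names, and it assumes application permissions arrive in the `roles` claim and delegated ones in `scp`.

```python
import base64
import json

# Permissions listed under "Required permissions" on this page (duplicates collapsed).
REQUIRED = {
    "Device.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementRBAC.Read.All", "DeviceManagementServiceConfig.Read.All",
    "Directory.Read.All", "User.Read", "User.Read.All", "AuditLogs.Read.All",
    "UserAuthenticationMethod.Read.All", "Vulnerability.Read.All",
    "Software.Read.All", "Machine.Read.All", "SecurityRecommendation.Read.All",
}

def token_permissions(jwt):
    """Return the permissions carried in an access token's payload.

    Assumption: application permissions are in `roles` (a list) and delegated
    permissions in `scp` (space-separated). The signature is not verified;
    this only inspects a token you obtained yourself.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())

def audit(tokens):
    """Compare permissions across all tokens with the documented list."""
    granted = set().union(*(token_permissions(t) for t in tokens))
    return {
        "missing": sorted(REQUIRED - granted),
        "unexpected": sorted(granted - REQUIRED),
        # No exact "Read" component means the grant is not read-only.
        "not_read_only": sorted(p for p in granted if "Read" not in p.split(".")),
    }

def sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    # Constructed tokens: one per API, since each token targets one audience.
    first = sample_token({"roles": ["User.Read.All", "Directory.Read.All"]})
    second = sample_token({"roles": ["Machine.Read.All", "Machine.ReadWrite.All"]})
    print(json.dumps(audit([first, second]), indent=2))
```

Any entry under `not_read_only` contradicts the read-only design described at the top of this page and should be removed from the app registration.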

# Step two: NetSPI Platform CAASM module configuration

Use the steps below to configure the Microsoft Defender Integration in the NetSPI Platform.

  1. Log into the NetSPI Platform as a Client Admin user.

  2. Navigate to Settings -> CAASM Integrations to display the Integrations page.

    Platform Integrations page

  3. Select the Integration Library tab -> Integration Categories / Managed Detection and Response (MDR) -> Microsoft Defender Integration.

    Integration Library tab

    This brings the Microsoft Defender integration card into focus.

  4. Select the Add button on the Microsoft Defender card to display the Microsoft Defender integration configuration page.

    MS Defender integration page

  5. Select and enter values for the following fields.

    1. Select the integration type from the Integration drop-down list. In this case, Microsoft Defender Integration is already selected by default.

    2. Select the integration scope from the Scope drop-down list. The Microsoft Defender integration can only run on a cloud scope, which is configured by NetSPI; Cloud displays as the default value.

    3. Enter an integration name and description in the Integration Name and Description fields.

    4. Select the Enabled slider button to display as either on (blue) or off (light gray).

    5. In the Microsoft Defender Parameters field group, enter or select the following in the corresponding fields:

      | Field | Value |
      | --- | --- |
      | Tenant ID | The Directory (tenant) ID from step 5 in the section above |
      | Client ID | The Application (client) ID from step 5 in the section above |
      | OAuth2 Secret | The client secret generated in step 8 in the section above |
      | Ingest logged on users? drop-down list | Select Yes or No to pull in data from logged-in users |
      | Ingest security recommendations? drop-down list | Select Yes or No to pull in data from Microsoft Defender security recommendations |
      | Ingest vulnerabilities? | Select Yes or No to pull in data from Microsoft Defender vulnerabilities |

  6. Select Create to create the integration. The new integration now displays on the Applied Integrations tab with its statuses: current and last run, last run time, and status (enabled/disabled).