
Cyware Threat Intelligence eXchange

Microsoft Defender for Endpoint

Connector Category: Endpoint Detection Response (EDR)

About Integration

Microsoft Defender for Endpoint is an advanced threat protection platform designed to safeguard enterprise networks. Using endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint helps detect, investigate, and mitigate security breaches efficiently. Microsoft Defender for Endpoint integrates with Intel Exchange (CTIX) to seamlessly share indicators of compromise (IoCs) that are ingested and analyzed on Intel Exchange. 

The Microsoft Defender for Endpoint internal application in Intel Exchange supports the following actions:

  • Submit or Update Indicator: This action submits IoCs to Microsoft Defender for Endpoint to perform specific actions such as alert, block, allow, and block and remediate. You can submit the following IoC types from Intel Exchange to Microsoft Defender for Endpoint:

    • IPv4

    • IPv6

    • URL

    • Domain

    • SHA1

    • SHA256

    • MD5

  • Delete Indicators: This action removes indicators from Microsoft Defender for Endpoint.

Configure Microsoft Defender for Endpoint App in Intel Exchange

Configure the Microsoft Defender for Endpoint internal application in Intel Exchange to establish seamless connectivity with the Microsoft Defender for Endpoint platform.

Before you Start 

  • You must have the View Tool Integrations and Update Tool Integrations permissions in Intel Exchange.

  • You must have the base URL, client ID, client secret key, and tenant ID of the Microsoft Defender for Endpoint platform.

    Note

    Ensure that the API credentials include read and write permission to all indicators on the Microsoft Defender for Endpoint platform. For more information, see Submit or Update Indicator API and Batch Delete Indicators.

Steps 

To configure a Microsoft Defender for Endpoint internal application instance in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.

  3. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique instance name. For example, Prod_MS_Defender.

    • Base URL: Enter the base URL of your Microsoft Defender for Endpoint platform. The default base URL is https://api.securitycenter.microsoft.com.

    • Client ID: Enter the client ID of your Microsoft Defender for Endpoint account.

    • Client Secret: Enter the client secret key of your Microsoft Defender for Endpoint account to authenticate communication between Intel Exchange and Microsoft Defender for Endpoint servers.

    • Tenant ID: Enter the ID of the Microsoft Entra ID group in the managing tenant.

    • Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Microsoft Defender for Endpoint servers. By default, Verify SSL is enabled. 

      Note

      We recommend that you enable the Verify SSL option. If you disable it, Intel Exchange may configure an instance even when the platform presents an expired SSL certificate. This may lead to an improper connection, and you may not receive a notification when the connectivity breaks.

  4. Click Save.

The Microsoft Defender for Endpoint instance is configured and you can view the list of actions available for the integration. You can configure multiple instances of this integration by clicking Manage > Add More.

Enable App Actions

Enable the action of the Microsoft Defender for Endpoint internal application to submit indicators to the Microsoft Defender for Endpoint platform.

Steps 

To enable the Submit or Update Indicator action, follow these steps:

  1. Go to Administration > Integration Management and select Internal Applications under Tool Integrations.

  2. Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.

  3. On the upper-right corner, click the vertical ellipsis and click Manage.

  4. Click Manage Actions and select the Submit or Update Indicator action.

  5. Turn on the toggle to enable the action and click Save.

The action is enabled and you can use the action in rules to upload indicators to the Microsoft Defender for Endpoint platform.

Create a Rule to Upload Indicators

Create a rule on Intel Exchange to define the sources of indicators and submit them to the Microsoft Defender for Endpoint platform for further action.

Before you Start 

Ensure that the Submit or Update Indicator action of the Microsoft Defender for Endpoint internal application is enabled.

Steps 

To create a rule to submit indicators to the Microsoft Defender for Endpoint platform, follow these steps:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name within 100 characters and click Submit.

  4. In Source, select the sources and collections from which you want to retrieve IoCs.

  5. In Condition, enter the following details:

    • Intent Type: Select the intent type as Indicator to retrieve a list of IoCs.

    • Rule Type: Select a rule type to apply specific conditions.

    • Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.

  6. In Actions, enter the following details:

    1. Actions: Select the Submit or Update Indicator action.

    2. Application: Select the Microsoft Defender for Endpoint application.

    3. Account: Select an instance you have configured for the Microsoft Defender for Endpoint internal application.

    4. Title: Enter a title for the indicator submission.

    5. Description: Enter a description for the indicator submission.

    6. Action to be Taken: Select the action to be performed on the indicators by the Microsoft Defender for Endpoint platform. You can select one of the following actions:

      • Alert (In MDE documentation, this action is referred to as Audit)

      • Block (In MDE documentation, this action is referred to as Block execution)

      • Allowed

      • Block and Remediate

      Note

      For limitations and known issues while submitting indicators, see the Microsoft Defender for Endpoint documentation.

    7. Severity: Select the severity of the submission, such as low, informational, medium, or high.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be submitted to the Microsoft Defender for Endpoint platform for actioning.
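As an added example that is not part of this page or of the Cyware connector's own code, the following Python maps the rule form's IoC types and "Action to be Taken" labels onto the request body of the Microsoft Defender for Endpoint Submit or Update Indicator API that the Before you Start note refers to, and rejects values or actions the connector does not support. The indicatorType, action and severity enum names are assumed from the public MDE Indicators API, not taken from this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# IoC types the connector supports (from this page) -> MDE API indicatorType
# values (assumed from the public MDE Indicators API).
MDE_TYPE = {"IPv4": "IpAddress", "IPv6": "IpAddress", "URL": "Url", "Domain": "DomainName",
            "SHA1": "FileSha1", "SHA256": "FileSha256", "MD5": "FileMd5"}
# "Action to be Taken" labels from the rule form -> MDE API action values.
# The page notes that its "Alert" is what MDE documentation calls "Audit".
MDE_ACTION = {"Alert": "Audit", "Block": "Block", "Allowed": "Allowed",
              "Block and Remediate": "BlockAndRemediate"}
SEVERITIES = {"informational": "Informational", "low": "Low", "medium": "Medium", "high": "High"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value: str) -> str:
    """Return the connector's IoC type name for a raw value, or raise ValueError."""
    v = value.strip()
    try:  # IPv4 / IPv6 first; ipaddress handles both families
        return "IPv4" if ipaddress.ip_address(v).version == 4 else "IPv6"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in (32, 40, 64):  # hex digest lengths
        return {32: "MD5", 40: "SHA1", 64: "SHA256"}[len(v)]
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "URL"
    if DOMAIN_RE.match(v):
        return "Domain"
    raise ValueError(f"unsupported indicator value: {value!r}")  # e.g. email, file path


def build_indicator(value, action, title, description, severity="medium"):
    """Build the JSON body that a Submit or Update Indicator rule action would send."""
    if action not in MDE_ACTION:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(MDE_ACTION)}")
    if severity.lower() not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}; expected one of {sorted(SEVERITIES)}")
    ioc_type = classify_ioc(value)
    return {
        "indicatorValue": value.strip(),
        "indicatorType": MDE_TYPE[ioc_type],
        "action": MDE_ACTION[action],
        "title": title,
        "description": description,
        "severity": SEVERITIES[severity.lower()],
    }
```

Running the mapping over a rule's indicators before the action fires shows which values would be dropped as unsupported and whether the chosen action maps to the MDE semantics you expect.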

Similarly, you can configure a rule using the Delete Indicators action to delete indicators from the Microsoft Defender for Endpoint platform.