Microsoft Defender for Endpoint
Connector Category: Endpoint Detection Response (EDR)
About Integration
Microsoft Defender for Endpoint is an advanced threat protection platform designed to safeguard enterprise networks. Using endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint helps detect, investigate, and mitigate security breaches efficiently. Microsoft Defender for Endpoint integrates with Intel Exchange (CTIX) to seamlessly share indicators of compromise (IoCs) that are ingested and analyzed on Intel Exchange.
The Microsoft Defender for Endpoint internal application in Intel Exchange supports the following actions:
| Action Name | Description |
|---|---|
| Submit or Update Indicator | This action submits IoCs to Microsoft Defender for Endpoint to perform specific actions such as alert, block, allow, and block and remediate. You can submit the following IoC types from Intel Exchange to Microsoft Defender for Endpoint: |
| Delete Indicators | This action removes indicators from Microsoft Defender for Endpoint. |
Configure Microsoft Defender for Endpoint App in Intel Exchange
Configure the Microsoft Defender for Endpoint internal application in Intel Exchange to establish seamless connectivity with the Microsoft Defender for Endpoint platform.
Before you Start
You must have the View Tool Integrations and Update Tool Integrations permissions in Intel Exchange.
You must have the base URL, client ID, client secret key, and tenant ID of the Microsoft Defender for Endpoint platform.
Note
Ensure that the API credentials include read and write permission to all indicators on the Microsoft Defender for Endpoint platform. For more information, see Submit or Update Indicator API and Batch Delete Indicators.
Steps
To configure a Microsoft Defender for Endpoint internal application instance in Intel Exchange, follow these steps:
Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.
Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.
Click Add Instance and enter the following details:
Instance Name: Enter a unique instance name. For example, Prod_MS_Defender.
Base URL: Enter the base URL of your Microsoft Defender for Endpoint platform. The default base URL is https://api.securitycenter.microsoft.com.
Client ID: Enter the client ID of your Microsoft Defender for Endpoint account.
Client Secret: Enter the client secret key of your Microsoft Defender for Endpoint account to authenticate communication between Intel Exchange and Microsoft Defender for Endpoint servers.
Tenant ID: Enter the ID of the Microsoft Entra ID group in the managing tenant.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Microsoft Defender for Endpoint servers. By default, Verify SSL is enabled.
Note
We recommend that you enable the Verify SSL option. If you disable it, Intel Exchange may configure an instance against an expired SSL certificate. This can lead to an improper connection, and you may not receive a notification when the connectivity breaks.
Click Save.
The Microsoft Defender for Endpoint instance is configured and you can view the list of actions available for the integration. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
Enable the action of the Microsoft Defender for Endpoint internal application to submit indicators to the Microsoft Defender for Endpoint platform.
Steps
To enable the Submit or Update Indicator action, follow these steps:
Go to Administration > Integration Management and select Internal Applications under Tool Integrations.
Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Actions and select the Submit or Update Indicator action.
Turn on the toggle to enable the action and click Save.
The action is enabled and you can use the action in rules to upload indicators to the Microsoft Defender for Endpoint platform.
Create a Rule to Upload Indicators
Create a rule on Intel Exchange to define the sources of indicators and submit them to the Microsoft Defender for Endpoint platform for further action.
Before you Start
Ensure that the Submit or Update Indicator action of the Microsoft Defender for Endpoint internal application is enabled.
Steps
To create a rule to submit indicators to the Microsoft Defender for Endpoint platform, follow these steps:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name within 100 characters and click Submit.
In Source, select the sources and collections from which you want to retrieve IoCs.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator to retrieve a list of IoCs.
Rule Type: Select a rule type to apply specific conditions.
Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
In Actions, enter the following details:
Actions: Select the Submit or Update Indicator action.
Application: Select the Microsoft Defender for Endpoint application.
Account: Select an instance you have configured for the Microsoft Defender for Endpoint internal application.
Title: Enter a title for the indicator submission.
Description: Enter a description for the indicator submission.
Action to be Taken: Select the action to be performed on the indicators by the Microsoft Defender for Endpoint platform. You can select one of the following actions:
Alert (In MDE documentation, this action is referred to as Audit)
Block (In MDE documentation, this action is referred to as Block execution)
Allowed
Block and Remediate
Note
For limitations and known issues while submitting indicators, see the Microsoft Defender for Endpoint documentation.
Severity: Select the severity of the submission, such as low, informational, medium, or high.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be submitted to the Microsoft Defender for Endpoint platform for actioning.
Similarly, you can configure a rule using the Delete Indicators action to delete indicators from the Microsoft Defender for Endpoint platform.
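As an added example (not Cyware's or Microsoft's code) of what the Submit or Update Indicator action described above has to send: it validates the rule inputs (indicator value, action, severity), maps the action names used on this page to MDE API action values, and posts the body to the indicators API at the default base URL while honouring the Verify SSL setting. The mapping of Block, Allowed and Block and Remediate to API values, and the indicatorType inference from the raw value, are assumptions to confirm against the MDE indicators API documentation.

```python
import ipaddress
import json
import re
import ssl
import urllib.request

MDE_BASE_URL = "https://api.securitycenter.microsoft.com"  # default base URL from the page
# Intel Exchange action label -> MDE API "action" value (assumed; "Alert" = "Audit" per the page).
ACTION_MAP = {
    "Alert": "Audit",
    "Block": "Block",  # shown as "Block execution" in MDE documentation
    "Allowed": "Allowed",
    "Block and Remediate": "BlockAndRemediate",
}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

def indicator_type(value: str) -> str:
    """Infer the MDE indicatorType from a raw IoC value; reject unsupported shapes."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "FileSha256"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "IpAddress"
    except ValueError:
        pass
    if re.fullmatch(r"https?://\S+", value):
        return "Url"
    if re.fullmatch(r"(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+", value):
        return "DomainName"
    raise ValueError(f"unsupported indicator value: {value!r}")

def build_payload(value, action, title, description, severity="Medium"):
    """Validate the rule's inputs and build the POST /api/indicators body."""
    if action not in ACTION_MAP or severity not in SEVERITIES:
        raise ValueError(f"unknown action or severity: {action!r}, {severity!r}")
    return {"indicatorValue": value, "indicatorType": indicator_type(value),
            "action": ACTION_MAP[action], "title": title,
            "description": description, "severity": severity}

def submit_indicator(token, payload, base_url=MDE_BASE_URL, verify_ssl=True):
    """POST one indicator; verify_ssl=False mirrors the setting the page warns against."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # drops certificate and hostname checks, so expired certs go unnoticed
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{base_url}/api/indicators", method="POST",
                                 data=json.dumps(payload).encode(), headers=hdrs)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

The bearer token comes from the client ID, client secret and tenant ID configured on the instance; obtaining it is left out here since the network exchange cannot run offline.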