Microsoft Defender for Endpoint
Notice
This integration is available in Intel Exchange from v3.6.3.3 onwards
Connector Category: Endpoint Detection Response (EDR)
About Integration
Microsoft Defender for Endpoint (MDE) is a comprehensive threat protection platform designed to secure enterprise networks. With advanced endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint efficiently detects, investigates, and mitigates security breaches. It also integrates with Intel Exchange (CTIX) to seamlessly share and analyze ingested indicators of compromise (IoCs).
The Microsoft Defender for Endpoint internal application in Intel Exchange supports the following actions:
Action Name | Description |
---|---|
Submit or Update Indicator | This action submits IoCs to Microsoft Defender for Endpoint to trigger specific actions such as audit, allow, warn, block execution, and block and remediate. You can submit the following IoC types from Intel Exchange to Microsoft Defender for Endpoint: SHA1, SHA256, MD5, IPv4, IPv6, URL, and Domain. |
Delete Indicators | This action removes indicators from Microsoft Defender for Endpoint. |
Configure Microsoft Defender for Endpoint App in Intel Exchange
Configure the Microsoft Defender for Endpoint internal application in Intel Exchange to establish seamless connectivity with the Microsoft Defender for Endpoint platform.
Before you Start
You must have the View Tool Integrations and Update Tool Integrations permissions in Intel Exchange.
You must have the base URL, client ID, client secret key, and tenant ID of the Microsoft Defender for Endpoint platform.
Note
Ensure that the API credentials include read and write permissions for all indicators on the Microsoft Defender for Endpoint platform. For more information, see Submit or Update Indicator API and Batch Delete Indicators.
Steps
To configure a Microsoft Defender for Endpoint internal application instance in Intel Exchange, follow these steps:
Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.
Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.
Click Add Instance and enter the following details:
Instance Name: Enter a unique instance name. For example, Prod_MS_Defender.
Base URL: Enter the base URL of your Microsoft Defender for Endpoint platform. The default base URL is https://api.securitycenter.microsoft.com.
Client ID: Enter the client ID of your Microsoft Defender for Endpoint account.
Client Secret: Enter the client secret key of your Microsoft Defender for Endpoint account to authenticate communication between Intel Exchange and Microsoft Defender for Endpoint servers.
Tenant ID: Enter the ID of the Microsoft Entra ID group in the managing tenant.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Microsoft Defender for Endpoint servers. By default, Verify SSL is enabled.
Note
We recommend that you enable the Verify SSL option. If you disable it, Intel Exchange may configure an instance against an expired SSL certificate, which can lead to an improper connection, and you may not be notified when the connectivity breaks.
Click Save.
The Microsoft Defender for Endpoint instance is configured and you can view the list of actions available for the integration. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
Enable the action of the Microsoft Defender for Endpoint internal application to submit indicators to the Microsoft Defender for Endpoint platform.
Steps
To enable the Submit or Update Indicator action, follow these steps:
Go to Administration > Integration Management and select Internal Applications under Tool Integrations.
Select Endpoint Detection Response, and then select the Microsoft Defender for Endpoint application.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Actions and select the Submit or Update Indicator action.
Turn on the toggle to enable the action and click Save.
The action is enabled and you can use the action in rules to upload indicators to the Microsoft Defender for Endpoint platform.
Create a Rule to Upload Indicators
Create a rule in Intel Exchange to define the sources of indicators and submit them to the Microsoft Defender for Endpoint platform for further action.
Before you Start
Ensure that the Submit or Update Indicator action of the Microsoft Defender for Endpoint internal application is enabled.
Steps
To create a rule to submit indicators to the Microsoft Defender for Endpoint platform, follow these steps:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a title of up to 100 characters and click Submit.
In Source, select the sources and collections from which you want to retrieve IoCs.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator to retrieve a list of IoCs.
Rule Type: Select a rule type to apply specific conditions.
Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
In Actions, enter the following details:
Actions: Select the Submit or Update Indicator action.
Application: Select the Microsoft Defender for Endpoint application.
Account: Select an instance you have configured for the Microsoft Defender for Endpoint internal application.
Title: Enter a title for the indicator submission.
Description: Enter a description for the indicator submission.
Action to be Taken: Select the action to be performed on the indicators by the Microsoft Defender for Endpoint platform. You can select one of the following actions:
Audit: An alert is triggered when the IoC runs.
Allow: The IoC is allowed to run on your devices.
Block Execution: The IoC will not be allowed to run.
Block and remediate: The IoC will not be allowed to run and a remediation action will be applied to the IoC.
Warn: The IoC prompts a warning that you can bypass. When the Warn action is selected, two additional fields are available:
Bypass Duration: Enter the duration for which the user can bypass the warning before the block takes effect.
User Notification Custom URL: Enter a custom URL that the users can visit to access more information. For example, https://example.com.
Note
If the indicator type is a file (SHA1, SHA256, MD5), these two sub-fields are not applicable.
IoC Type | Available Actions |
---|---|
SHA1, SHA256, MD5 | Allow, Audit, Warn, Block execution, Block and remediate |
IPv4, IPv6 | Allow, Audit, Warn, Block execution |
URL, Domain | Allow, Audit, Warn, Block execution |
Severity: Select the severity of the submission, such as low, informational, medium, or high.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
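As an added example (not Intel Exchange's or Microsoft's own code), the following Python helper enforces the IoC type / available action matrix and the Warn sub-field rule from the steps above before building a Submit or Update Indicator API request body. The indicatorType and action values are the ones the MDE API accepts; the field names bypassDurationHours and educateUrl for the two Warn sub-fields are assumptions.

```python
# Added example, not Intel Exchange's or Microsoft's code: validates a submission
# against the IoC type / action matrix above and builds the JSON body for the
# Submit or Update Indicator API. Warn sub-field names are assumptions (see lead-in).
import ipaddress
import re
INDICATOR_TYPES = {  # Intel Exchange IoC type -> MDE indicatorType value
    "SHA1": "FileSha1", "SHA256": "FileSha256", "MD5": "FileMd5",
    "IPv4": "IpAddress", "IPv6": "IpAddress", "URL": "Url", "Domain": "DomainName",
}
ACTIONS = {  # "Action to be Taken" label -> MDE action value
    "Allow": "Allowed", "Audit": "Audit", "Warn": "Warn",
    "Block execution": "Block", "Block and remediate": "BlockAndRemediate",
}
FILE_TYPES = {"SHA1", "SHA256", "MD5"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

def allowed_actions(ioc_type):
    """Actions the matrix permits; Block and remediate is file-only."""
    base = {"Allow", "Audit", "Warn", "Block execution"}
    return (base | {"Block and remediate"}) if ioc_type in FILE_TYPES else base

def valid_value(ioc_type, value):
    """Hex digest of the right length, or an address of the declared family."""
    if ioc_type in HASH_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[ioc_type], value) is not None
    if ioc_type in ("IPv4", "IPv6"):
        try:
            return ipaddress.ip_address(value).version == int(ioc_type[3:])
        except ValueError:
            return False
    return bool(value.strip())

def build_indicator(ioc_type, value, action, title, description, severity,
                    bypass_hours=None, custom_url=None):
    """Return the request body, or raise ValueError for a rejected combination."""
    if ioc_type not in INDICATOR_TYPES or severity not in SEVERITIES:
        raise ValueError(f"unsupported IoC type or severity: {ioc_type}/{severity}")
    if action not in allowed_actions(ioc_type):
        raise ValueError(f"{action!r} is not available for {ioc_type}")
    if not valid_value(ioc_type, value):
        raise ValueError(f"{value!r} is not a valid {ioc_type}")
    body = {"indicatorValue": value, "indicatorType": INDICATOR_TYPES[ioc_type],
            "action": ACTIONS[action], "title": title, "description": description,
            "severity": severity}
    if action == "Warn" and ioc_type not in FILE_TYPES:  # sub-fields: network IoCs only
        if bypass_hours is not None:
            body["bypassDurationHours"] = bypass_hours  # assumed field name
        if custom_url is not None:
            body["educateUrl"] = custom_url  # assumed field name
    return body
```

The returned body is what a POST to the Submit or Update Indicator endpoint under the configured base URL would carry; combinations the matrix does not list (for example Block and remediate on an IP address) are rejected before any request is made.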
Note
For limitations and known issues while submitting indicators, see Microsoft Defender for Endpoint documentation.
When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be submitted to the Microsoft Defender for Endpoint platform for actioning.
Similarly, you can configure a rule using the Delete Indicators action to delete indicators from the Microsoft Defender for Endpoint platform.