Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is an endpoint protection tool that organizations can use to detect malware, block exploits and network-based attacks, and flag phishing sites in their network. You can bring host and security data from Microsoft Defender into Brinqa to help you detect and respond to security threats, and gain a comprehensive view of your attack surface to strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Microsoft Defender for Endpoint and how to obtain that information from Microsoft. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Microsoft Defender for Endpoint from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Microsoft Defender for Endpoint with Brinqa:
-
API URL: The Microsoft Defender for Endpoint API URL. The default URL is
https://api.securitycenter.microsoft.com
. -
Login URL: The Microsoft Azure authentication URL. The default URL is
https://login.microsoftonline.com
. -
Client ID and Client secret: The client ID and client secret associated with the service principal, which must have permissions to log in to the Microsoft Azure Active Directory (Active AD) and return data from the Defender API.
-
Tenant ID: The unique identifier for the Active AD tenant associated with the service principal.
Register a Microsoft Azure application
You must create a new application for the Microsoft Defender for Endpoint connector to authenticate with Azure AD and access the Microsoft Defender for Endpoint APIs. To register an application in your Azure AD tenant, follow these steps:
-
Log in to your Microsoft Azure Portal as an administrator.
-
Navigate to and click Microsoft Entra ID.
-
On the left-hand side of the page, click App registrations, and then click New registration.
-
Give your new application a name, select the supported account types, and provide an optional Redirect URI. If you do not have a redirect URI, you can leave the field as is.
-
Click Register.
For additional details about registering an application in Azure AD and creating a service principal, see Microsoft Azure documentation.
Obtain Microsoft Azure credentials
After you have created your new Microsoft Azure application, your client and tenant ID display. Copy the Application (client) ID and Directory (tenant) ID as show below:
To obtain your client secret, follow these steps:
-
Click Certificates & secrets and then click New client secret.
-
Provide a description, set an expiry date, and then click Add.
The new client secret displays. You cannot view the client secret again. There is both a Value and Secret ID. The Value field is what is needed for authentication. Copy the Value field and save it in a secure location.
Assign permissions
After you have created your new Microsoft Azure application and obtained the authentication credentials, you must assign the required permissions for the application to access your data. To do so, follow these steps:
-
Navigate to API permissions > Add a permission > APIs my organization uses and select WindowsDefenderATP.
-
Click Application permissions, grant the following permissions, and then click Add permissions:
-
Machine:
Machine.Read.All
-
Security Recommendation:
SecurityRecommendation.Read.All
-
Software:
Software.Read.All
-
User:
User.Read.All
-
Vulnerability:
Vulnerability.Read.All
-
-
Click Grant admin consent for default directory, and then click Yes in the confirmation dialog. Your API permissions should resemble the following:
For additional information about Azure AD permissions, see Microsoft Azure documentation.
Additional settings
The Microsoft Defender for Endpoint connector contains an additional option for specific configuration:
- Maximum retries: The maximum number of times that the integration attempts to connect to the Microsoft Defender for Endpoint API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The Microsoft Defender for Endpoint connector can retrieve the following types of data from the Microsoft Defender API:
Table 1: Data retrieved from Microsoft Defender
Connector Object | Required | Maps to Data Model |
---|---|---|
Machine | Yes | Host |
Vulnerability | No | Vulnerability |
Vulnerability Definition | No | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Microsoft Defender for Endpoint in the Brinqa Platform, see How to view your data.
Operation options
The Microsoft Defender for Endpoint connector supports the following operation options. See connector operation options for information about how to apply them.
Click the tabs below to view the supported operation options per connector object.
- Machine
- Vulnerability
- Vulnerability Definition
Table 2: Machine operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Machine | computerDnsName | Any fully-qualified name of a machine. | Retrieve machines with the specified DNS name. | Key: computerDnsName Value: desktop-1212.brinqa.com . This key and value combination only retrieves the machine whose DNS name is desktop-1212.brinqa.com . |
exposureLevel | None, Low, Medium, High | Retrieve machines with the specified exposure level as evaluated by Microsoft Defender for Endpoint. | Key: exposureLevel Value: Medium . This key and value combination only retrieves machines with a medium exposure level. | |
healthStatus | Active, Inactive, ImpairedCoummunication, NoSensorData, NoSensorDataImpairedCommunication, Unknown | Retrieve machines with the specified heatlh status as evaluated by Microsoft Defender for Endpoint. | Key: healthStatus Value: Active . This key and value combination only retrieves machines with an active health status. | |
lastSeen | Any date and time value in the ISO 8601 format. | Retrieve machines based on the last time Microsoft Defender for Endpoint received a full device report for the machine. | Key: lastSeen Value: 2023-01-01TO0:00:00Z . This key and value combination only retrieves machines whose full device report was received on January 1st, 2023. | |
machineTags | A comma separated list of machine tags. | Retrieve machines with the specified machine tags. | Key: machineTags Value: Tag3 . This key and value combination only retrieves machines with the tag Tag3 . | |
onboardingStatus | onboarded, CanBeOnboarded, Unsupported, InsufficientInfo | Retrieve machines with the specified onboarding status. | Key: onboardingStatus Value: Unsupported . This key and value combination only retrieves machines that have an unsupported onboarding status. | |
osPlatform | A comma-separated list of operating systems. | Retrieve machines running on the specified operating systems. | Key: osPlatform Value: Windows 11 , macOS . This key and value combination only retrieves machines running on Windows 11 and macOS. | |
rbacGroupId | Any machine group ID | Retrieve machines with the specified machine group ID. | Key: rbacGroupId Value: 7b3f5c5c-c4c4 This key and value combination only retrieves machines with the machine group ID of 7b3f5c5c-c4c4 . | |
riskScore | None, Informational, Low, Medium, High | Retrieve machines with the specified risk score as evaluated by Microsoft Defender for Endpoint. | Key: riskScore Value: High . This key and value combination only retrieves machines with a high risk score. |
Table 3: Vulnerability operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Vulnerability | aadDeviceId | Any AAD (Azure Active Directory) device ID. | Retrieve vulnerabilities from devices with the specified AAD device ID. | Key: aadDeviceId Value: 123e4567-e89b . This key and value combination only retrieves vulnerabilities the device whose AAD device ID is 123e4567-e89b . |
computerDnsName | Any fully qualified name of a machine. | Retrieve vulnerabilities from machines with the specified DNS name. | Key: computerDnsName Value: desktop-1212.brinqa.com . This key and value combination only retrieves vulnerabilities from the machine whose DNS name is desktop-1212.brinqa.com . | |
deviceValue | Normal, Low, High | Retrieve vulnerabilities from devices with the specified device value. | Key: deviceValue Value: High . This key and value combination only retrieves vulnerabilities from devices with a high device value. | |
exposureLevel | None, Low, Medium, High | Retrieve vulnerabilities from machines with the specified exposure level as evaluated by Microsoft Defender for Endpoint. | Key: exposureLevel Value: High . This key and value combination only retrieves vulnerabilities from machines with a high exposure level. | |
id | A comma-separated list of vulnerability IDs. | Retrieve vulnerabilities with the specified IDs. | Key: id Value: CVE-2023-22664 . This key and value combination only retrieves vulnerabilities pertaining to CVE-2023-22664 . | |
healthStatus | Active, Inactive, ImpairedCoummunication, NoSensorData, NoSensorDataImpairedCommunication, Unknown | Retrieve vulnerabilities from machines with the specified heatlh status as evaluated by Microsoft Defender for Endpoint. | Key: healthStatus Value: Inactive . This key and value combination only retrieves vulnerabilities from machines with an inactive health status. | |
lastIpAddress | Any machine IP address. | Retrieve vulnerabilities based on the last IP address associated with them. | Key: lastIpAddress Value: 192.0.2.123 This key and value combination only retrieves vulnerabilities where the last known IP address is 192.0.2.123 . | |
lastSeen | Any date and time value in the ISO 8601 format. | Retrieve vulnerabilities based on the last time they were seen by a Microsoft Defender for Endpoint report. | Key: lastSeen Value: 2023-06-09TO0:00:00Z This key and value combination only retrieves vulnerabilities that were last seen on or before June 9th, 2023. | |
machineTags | A comma separated list of machine tags. | Retrieve vulnerabilities from machines with the specified machine tags. | Key: machineTags Value: Tag5 . This key and value combination only retrieves machines with the tag Tag5 . | |
onboardingStatus | onboarded, CanBeOnboarded, Unsupported, InsufficientInfo | Retrieve vulnerabilities from machines with the specified onboarding status. | Key: onboardingStatus Value: onboarded . This key and value combination only retrieves vulnerabilities from machines that have an onboarded onboarding status. | |
osPlatform | A comma-separated list of operating systems. | Retrieve vulnerabilities from machines running on the specified operating systems. | Key: osPlatform Value: Windows 10 , Linux . This key and value combination only retrieves vulnerabilities from machines running on Windows 10 and Linux. | |
rbacGroupId | Any machine group ID | Retrieve vulnerabilities from machines with the specified machine group ID. | Key: rbacGroupId Value: 7b3f5c5c-c4c4 This key and value combination only retrieves vulnerabilities from machines with the machine group ID of 7b3f5c5c-c4c4 . | |
riskScore | None, Informational, Low, Medium, High | Retrieve vulnerabilities with the specified risk score as evaluated by Microsoft Defender for Endpoint. | Key: riskScore Value: High . This key and value combination only retrieves vulnerabilities with a high risk score. | |
version | Any operating system version. | Retrieves vulnerabilities from machines with the specified operating system version. | Key: version Value: 10.0 . This key and value combination only retrives vulnerabilities from machines running on a operating system with a 10.0 version. |
Table 4: Vulnerability Definition operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Vulnerability Definition | id | A comma-separated list of vulnerability IDs. | Retrieve vulnerabilities with the specified IDs. | Key: id Value: CVE-2023-22664 . This key and value combination only retrieves vulnerabilities pertaining to CVE-2023-22664 . |
cvssV3 | Any CVSS v3 (Common Vulnerability Scoring System) score | Retrieve vulnerabilities with the specified CVSS v3 score. | Key: cvssV3 Value: 6.3 . This key and value combination only retrieves vulnerabilities that have a CVSS v3 score of 6.3 . | |
publishedOn | Any date and time value in the ISO 8601 format | Retrieve vulnerabilities published on the specified date. | Key: publishedOn Value: 2023-02-09TO9:45:00Z . This key and value combination only retrieves vulnerabilities published on February 9th, 2023 at 9:45AM. | |
severity | Low, Medium, High, or Critical | Retrieve vulnerabilities with the specified severity level. | Key: severity Value: Critical . This key and value combination only retrieves the critical vulnerabilities. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Microsoft defender connector uses the Microsoft Defender for Endpoint API. Specifically, it uses the following endpoints:
Table 5: Microsoft Defender for Endpoint API Endpoints
Connector Object | API Endpoints |
---|---|
Machine | GET https://api.securitycenter.microsoft.com/api/machines |
Vulnerability | GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine |
GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabilitiesExport | |
Vulnerability Definition | GET https://api.securitycenter.microsoft.com/api/recommendations |
GET https://api.securitycenter.microsoft.com/api/recommendations/{id}/vulnerabilities | |
GET https://api.securitycenter.microsoft.com/api/vulnerabilities |
Changelog
The Microsoft Defender for Endpoint connector has undergone the following changes:
3.1.17
-
Added the following attributes to the Machine object:
-
MERGED_INFO_MACHINE_ID
-
POTENTIAL_DUPLICATION
-
SOURCE_STATUS
-
3.1.15
- Fixed an issue where the EXPLOITABILITY attribute in all Vulnerability Definition records was incorrectly set to 'Actively used'.
3.1.14
- Set the INSTANCE_ID attribute in the Machine object if the source specifies a value using the
instanceId
tag.
3.1.13
- Made Vulnerability and Vulnerability Definition objects as optional in data integration.
3.1.9
- Added a delay in deleting temporary storage to avoid syncing issues.
3.1.8
- Used 'updatedOn' instead of 'publishedOn' to fetch updates for the Vulnerability Definition object.
3.1.7
- Enhanced to make concurrent attempts to retrieve recommendations for vulnerabilities. However, in the event of failure, it proceeds without this data.
- Increased the default setting for Maximum Retries to 10.
3.1.6
- Excluded
00000000-0000-0000-0000-000000000000
as a valid Azure Active Directory device ID. - Updated dependencies.
3.1.5
- Fixed a null pointer exception when there's no filter provided.
- Fixed a null pointer exception when the machine is synced from the beginning of time.
3.1.4
- Added filtering capability to the Machine and Vulnerability Definition objects.
3.1.2
- Made the value of the HOSTNAME attribute consistent.
3.1.1
- Tried to generate a name for the Machine object based on its DNS name, IP addresses, or Azure Active Directory device ID.
3.1.0
- Ignored exceptions when downloading export files.
3.0.3
- Initial Integration+ release.