Microsoft Defender for Endpoint - Monitoring

Configuration Guide

Updated May 26, 2023

Microsoft Defender for Endpoint Containment

Arctic Wolf® monitors Microsoft Defender for Endpoint logs to alert you about suspicious or malicious activity. When required, the Active Response service can then contain compromised hosts using Microsoft Defender for Endpoint containment. Containment functionality is available for the following operating systems:

Note: The Microsoft Defender for Endpoint containment integration is different from the Endpoint Detection and Response (EDR) integration. You only need to complete these steps if you want to enable Arctic Wolf to contain your endpoints. For more information on EDR configuration, see Configuring Microsoft Defender for Endpoint.

To implement this functionality, you must provide Arctic Wolf®, through the Arctic Wolf Portal, with the following information about the Microsoft Defender for Endpoint application you register in the Microsoft Azure Portal:

Note: The Client Secret is only available to view during the application registration. If this information is lost before it is submitted to Arctic Wolf, you must create a new Client Secret for the application.

Configure Microsoft Defender for Endpoint Containment

Once successfully configured, Arctic Wolf can use the active response integration to contain compromised hosts.

Requirements

Before you begin

Steps

  1. Register the application.
  2. Configure API permissions.
  3. Provide credentials to Arctic Wolf.

Step 1: Register the application

  1. Sign in to the Microsoft Azure Portal.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select + New registration.

  5. Enter a memorable name for the application in the Name field.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: Leave all other fields as their defaults.

  7. Click Register. This opens the page for the newly registered application.

  8. Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf in a later step.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the Client Secret.

    2. Select your desired option for the Expires field.

      Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    3. Click Add.

  11. Verify that your new Client Secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf later.

Screenshot: the Certificates & secrets page in the Microsoft Azure Portal, with the Value field highlighted.

Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field.

Step 2: Configure API permissions

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, click API permissions.

  2. Find the User.Read permission, which is enabled by default, and then click Menu next to it to open its menu.

  3. Click Remove permission and then click Yes, remove.

  4. In the Configured permissions section, click + Add a permission.

  5. In the Select an API section, click APIs my organization uses.

  6. In the search bar, search for and click WindowsDefenderATP.

  7. Click Application permissions to open the permission type list.

  8. Under Machine, select the following permission types:

    • Machine.Isolate
    • Machine.Read.All

  9. Click Add permissions to apply. This returns you to the API permissions page, where the new permissions appear in the list.

  10. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.
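As an added example (not from this guide or from Arctic Wolf), a Python check to run on an access token obtained with the new application's credentials before you submit them in Step 3: it confirms that the token's roles claim carries both Machine.Isolate and Machine.Read.All from Step 2, and it flags a client secret that expires within a lead time so you can send updated credentials before they lapse. The token in the block is a constructed, unsigned fixture, and the 30-day lead time and helper names are my assumptions.

```python
import base64
import json
from datetime import date

# Application permissions the guide has you grant on the WindowsDefenderATP API (Step 2).
REQUIRED_ROLES = {"Machine.Isolate", "Machine.Read.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.
    This inspects what Azure AD put in the token for a configuration check only;
    the Defender API is the party that validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Admin-consented application permissions appear in the 'roles' claim.
    Whatever comes back still has to be added or consented in Step 2."""
    granted = set(jwt_claims(token).get("roles", []))
    return set(required) - granted


def secret_needs_rotation(expires: str, today: str, lead_days: int = 30) -> bool:
    """True when the client secret (ISO dates) expires within lead_days, meaning new
    credentials should go to Arctic Wolf now rather than after a polling failure."""
    remaining = date.fromisoformat(expires) - date.fromisoformat(today)
    return remaining.days <= lead_days


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture: an unsigned JWT with the given payload (alg 'none').
    Real tokens from the client-credentials flow are signed by Azure AD."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: only Machine.Read.All was consented, Machine.Isolate was missed.
SAMPLE_TOKEN = make_unsigned_token({"roles": ["Machine.Read.All"]})
```

For a real check, obtain a token with the client-credentials flow for the WindowsDefenderATP resource and pass it to missing_roles; an empty set means Step 2 is complete.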

Step 3: Provide credentials to Arctic Wolf

Note: If the API credentials fail, for example because they have expired, we notify you and request a new set of credentials. After a polling failure, we cannot perform actions such as containment until you provide the updated credentials.

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select +Add Account to open the Add Account page.

  4. Select Cloud Detection and Response as the Account Type.

  5. In the Cloud Applications section, click Microsoft Defender for Endpoint CONTAINMENT, and then fill in the form:

    1. In the Account Name field, enter a descriptive name for the credentials.
    2. For each of these fields, paste the corresponding value you recorded in Register the application:
      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

    After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.