Microsoft Defender for Endpoint Containment

Updated Nov 20, 2023

Configure Microsoft Defender for Endpoint for Arctic Wolf containment

With the Active Response service, Arctic Wolf® can contain hosts in your network using Microsoft Defender for Endpoint® containment, if you configured the Microsoft Defender for Endpoint API to send the necessary logs to Arctic Wolf for security monitoring.

Containment functionality is available for these Microsoft Defender for Endpoint versions:

Note: The Microsoft Defender for Endpoint containment integration is different from the Endpoint Detection and Response (EDR) integration. These steps are only required if you want Arctic Wolf to contain your endpoints using Microsoft Defender for Endpoint. For more information, see Configuring Microsoft Defender for Endpoint Monitoring.

Caution:  You can only configure one containment sensor. Configuring multiple containment sensors may prevent successful containment.

Requirements

Before you begin

Steps

  1. Register the application.
  2. Configure the API permissions.
  3. Provide your Microsoft Defender credentials to Arctic Wolf.
  4. Test Microsoft Defender for Endpoint containment

Step 1: Register the application

  1. Sign in to the Microsoft Entra ID (formerly Azure AD) admin center.

  2. In the navigation menu, click Microsoft Entra ID (Azure AD) > App registrations.

  3. Click + New registration.

  4. Configure these settings:

    • Name — Enter a name for the application.
    • Supported Account Types — Select the Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) checkbox.
    • For all other fields, keep the default values.
  5. Click Register.

    The page for the newly registered application opens.

  6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

  7. In the navigation menu, click Manage > Certificates & secrets.

  8. In the Client secrets section, click + New client secret, and then configure these settings:

    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  9. Click Add.

  10. On the Client secrets tab, verify that your new client secret appears.

    Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.
  11. Copy the Value value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    Notes:

    • The Value value is only available immediately after creation. Do not exit the Certificates & Secrets page until the value is saved in a safe, encrypted location.
    • The Value value is the secret ID or client secret. You will provide the value to Arctic Wolf later. You do not need to copy the Secret ID field.
    • You must submit the updated client secret credentials to Arctic Wolf before the credentials expire.

Step 2: Configure the API permissions

  1. In the navigation menu, click Manage > API permissions.

  2. Find the User.Read permission, and click Menu > Remove permission.

  3. Click Yes, remove.

  4. In the Select an API section, click APIs my organization uses.

  5. In the search bar, enter WindowsDefenderATP, and then select it.

  6. Click Application permissions.

  7. In the Machine section, select these permission types:

    • Machine.Isolate
    • Machine.Read.All
  8. Click Add permissions.

    You are redirected to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes.

Step 3: Provide your Microsoft Defender credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After a polling failure, Arctic Wolf cannot perform actions such as containment until the updated credentials are provided.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Microsoft Defender for Endpoint Containment.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Register the application:
      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret Value
    3. In the API Base URL list, select the Microsoft Defender for Endpoint version that you are providing credentials for:
      • Commercial — Select https://api.securitycenter.microsoft.com.
      • GCC — Select https://api-gcc.securitycenter.microsoft.us.
    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

Step 4: Test Microsoft Defender for Endpoint containment

  1. Schedule a call with your CST for containment testing.

  2. An hour or more before the scheduled call with your CST, to generate a test observation, do one of these actions:

    • If you can access the EICAR file website — Download the eicar.com.txt file from Anti malware testfile to the host that you want to contain.

      Tip: If you are unable to download the eicar.com.txt file because of browser security, try downloading one of the zip files, and then extract the eicar.com.txt file.

    • If you are unable to access the EICAR file website or download the EICAR file — Create the eicar.com.txt file on the host you want to contain, with this content:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    Contact your CST if these actions are unsuccessful.

  3. Directly before your call with your CST, turn off your auto-mitigation policy. Arctic Wolf is unable to contain a host if the relevant application already addressed the possible threat.

  4. Have the scheduled call with your CST. During this call, your CST:

    • Promotes the test observation to an incident, making it eligible for containment.
    • Contains the affected host to make sure that the containment works as expected.
    • Resolves issues that may arise. For example, misconfigured containment permissions.
    • Lifts containment from the host.