Configure Microsoft Defender for Endpoint for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using Microsoft Defender for Endpoint®.

Full containment functionality is available for these Microsoft Defender for Endpoint versions:

  • Microsoft Defender for Endpoint Commercial
  • Microsoft Defender for Endpoint for Government Community Cloud (GCC)

Microsoft Defender for Endpoint supports these response actions:
  • Contain a host/Remove from containment

For more information, see Response action descriptions.

Note: Arctic Wolf only supports full containment. Selective containment is unsupported.

These resources are required:

  • Contact your CST to validate the Active Response integration. Have a device or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Register the application

  1. Sign in to the Microsoft Entra admin center.
  2. Click Entra ID > App registrations.
  3. Click + New registration.
  4. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  5. Click Register.
    The page for the newly registered application opens.
  6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.
  7. In the navigation menu, in the Manage section, click Certificates & secrets.
  8. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  9. Click Add.
  10. On the Client secrets tab, verify that your new client secret appears.

    Screenshot: the Certificates & secrets page in the Microsoft Azure portal, with the Value field highlighted.

  11. Copy the value shown in the Value field to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The value in the Value field is only available immediately after creation. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The value in the Value field is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide updated client secret credentials to Arctic Wolf before the current credentials expire.

Configure the API permissions

  1. In the navigation menu, click Manage > API permissions.
  2. Find the User.Read permission, and then click Menu > Remove permission.
  3. Click Yes, remove.
  4. In the Select an API section, click APIs my organization uses.
  5. In the search bar, enter WindowsDefenderATP, and then select it.
  6. Click Application permissions.
  7. In the Machine section, select these permission types:
    • Machine.Isolate
    • Machine.Read.All
  8. Click Add permissions.

    You are redirected to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <organization_name>, and then click Yes.

Provide Microsoft Defender for Endpoint Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Microsoft Defender for Endpoint.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> MS Defender Active Response Integration.
    • API Base URL — Enter the API base URL for the Microsoft Defender for Endpoint version that you are providing credentials for:
      • Commercial — Enter https://api.securitycenter.microsoft.com.

        Alternatively, you can enter a server closer to your region:
        • https://us.api.security.microsoft.com
        • https://eu.api.security.microsoft.com
        • https://uk.api.security.microsoft.com
        • https://au.api.security.microsoft.com
        • https://swa.api.security.microsoft.com

        Region-specific base URLs may provide better region-specific performance.

      • GCC — Enter https://api-gcc.securitycenter.microsoft.us.
    • Client ID — Enter the value obtained in Register the application.
    • Client Secret — Enter the client secret value obtained in Register the application.
    • Tenant ID — Enter the value obtained in Register the application.
    • Detection Results Limit — Enter the maximum number of objects for a query to return. We recommend 100.
    • Endpoint Offline Timeout (Hours) — Enter the number of hours Arctic Wolf should continue checking for a command response from Microsoft Defender for Endpoint. We recommend 1.
    • User defined mapping — (Optional) Keep this field blank.
  6. Click Save Integration.
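Before handing the Client ID, Client Secret Value and Tenant ID to Arctic Wolf, it is worth confirming that the app registration actually carries the two application permissions from the Configure the API permissions section and that the chosen API Base URL answers a read-only query. The script below is an added example, not Arctic Wolf's or Microsoft's code: it builds the client-credentials token request for the registered application, decodes the returned token's roles claim to report which of Machine.Isolate and Machine.Read.All are missing, and forms a read-only machines query against the base URL. Assumptions are marked in the code: the token scope is the Commercial resource followed by /.default even when a regional base URL is used for data calls, the Detection Results Limit is passed as the OData $top parameter, the environment variable names are invented for this example, and make_sample_token produces a constructed, unsigned token purely so the role check can be exercised offline.

```python
"""Check an Entra app registration for Defender for Endpoint Active Response.
Added example with labelled assumptions; not Arctic Wolf's or Microsoft's code."""
import base64
import json
import os
from urllib.parse import urlencode

# Application permissions the API permissions section asks you to grant.
REQUIRED_ROLES = frozenset({"Machine.Isolate", "Machine.Read.All"})

# ASSUMPTION: the token scope is the canonical Commercial resource plus /.default,
# even when a regional API base URL is used for the data calls themselves.
DEFAULT_SCOPE_RESOURCE = "https://api.securitycenter.microsoft.com"


def token_request(tenant_id, client_id, client_secret,
                  scope_resource=DEFAULT_SCOPE_RESOURCE,
                  login_host="login.microsoftonline.com"):
    """Build the OAuth2 client-credentials request for the app registration.

    Returns (url, form_body). The secret is the Client Secret Value copied
    immediately after creation, not the Secret ID."""
    url = f"https://{login_host}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{scope_resource}/.default",
    })
    return url, body


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT.

    No signature check is performed: this inspects which roles Entra placed
    in the token; the Defender for Endpoint API validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=REQUIRED_ROLES):
    """List required application permissions absent from the token's roles claim.

    An empty list means admin consent covers everything the integration needs;
    a non-empty list usually means a permission was not added or consent was
    never granted."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return sorted(required - granted)


def machines_url(api_base_url, limit):
    """Read-only query that proves the token works against the chosen base URL.

    ASSUMPTION: the Detection Results Limit maps onto the OData $top parameter."""
    return f"{api_base_url.rstrip('/')}/api/machines?$top={int(limit)}"


def make_sample_token(roles):
    """CONSTRUCTED, unsigned token for offline demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    payload = b64({"aud": DEFAULT_SCOPE_RESOURCE, "roles": list(roles)})
    return f"{header}.{payload}."  # empty signature segment


def live_check(tenant_id, client_id, client_secret, api_base_url, limit=100):
    """Acquire a real token and run the read-only machines query (needs network)."""
    import urllib.request
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_roles(token)
    if missing:
        return {"ok": False, "missing_roles": missing}
    req = urllib.request.Request(machines_url(api_base_url, limit),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        machines = json.load(resp).get("value", [])
    return {"ok": True, "missing_roles": [], "machines_returned": len(machines)}


if __name__ == "__main__":
    # Offline demonstration: a constructed token that lacks Machine.Isolate.
    print(missing_roles(make_sample_token(["Machine.Read.All"])))  # ['Machine.Isolate']
    # ASSUMPTION: these environment variable names are invented for this example.
    env = {k: os.environ.get(k) for k in ("MDE_TENANT_ID", "MDE_CLIENT_ID", "MDE_CLIENT_SECRET")}
    if all(env.values()):
        print(live_check(env["MDE_TENANT_ID"], env["MDE_CLIENT_ID"], env["MDE_CLIENT_SECRET"],
                         os.environ.get("MDE_API_BASE_URL", DEFAULT_SCOPE_RESOURCE)))
```

Run it without the environment variables to see the offline role check, or set the three variables (and MDE_API_BASE_URL for GCC or a regional endpoint) to perform the live token and machines query. A result with missing_roles populated means admin consent for that permission has not been granted yet; an HTTP error on the machines query with an empty missing_roles list points at a wrong base URL for the tenant's cloud.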