Connect Microsoft Defender

Elisity supports simple API connectivity to Microsoft Defender as a method to enrich IT device discovery and identity. This enables asset data from Microsoft Defender to be imported into IdentityGraph for all assets that appear on your Elisity-secured network. This enhances the precision and effectiveness of asset classification.

 

Prerequisites

  • Microsoft Defender Tenant ID
  • Microsoft Defender App ID

  • Microsoft Defender App Secret

 

Steps to Connect Microsoft Defender

Step 1. Access the Enterprise Application Registration page in Microsoft Entra.

Step 2. Click on the New Registration button. 

Step 3. Enter a name for the Application: Elisity CCC Defender API Access

Step 4. Select Accounts in this organization only

Step 5. Enter https://portal.azure.com as the Redirect URI. This is only used as a redirect for the application authorization for your Entra tenant. Click Register.

Step 6. After the application is created, navigate to the API Permissions link in the left panel and click on the Add Permission button.

Step 7. Click on the APIs My Organization Uses tab and search for "WindowsDefenderATP"

Step 8. Click on "WindowsDefenderATP" in the list. In the new panel, select Application Permissions then search for “Machine

Step 9. Click the dropdown arrow beside “Machine” then click the checkbox beside “Machine.Read.All” as shown in the below image. 

 

Step 10. After clicking the Add Permissions button, ensure you select the “Grant Admin Consent for {Organization}” to complete the permissions grant process

Step 11. Navigate to the Certificates & Secrets panel in the left side menu.

Step 12. Make sure the Client Secrets pane is selected then click on the +New client secret button

Step 13. Enter “Elisity CCC Defender Connector” as the description for the client secret and choose a suitable expiration interval based on your organizations policies for API credential rotation

Step 14. After the Client Credential is created be sure to copy the “Value” field as it will not be displayed after navigating from this page. An example of a successfully created credential screen is shown below.

Step 15. Navigate to the Overview page in the left side menu

Step 16. Note the “Application (client) ID” and “Directory (tenant) ID” as these will be used with the Client Secret from above to authenticate Elisity CCC for API access.

image-20240610-213508.png

Step 17. Lastly the Application must be authorized in Entra. Navigate to the following URL while logged in as an Entra Administrator.
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
where 00000000-0000-0000-0000-000000000000 is the Client ID from the overview page above.

 

Step 18. Log into Elisity Cloud Control Center and navigate to Settings > Connectors and select + Add Connector button. 

 

Step 19. A list of tiles will slide out from the right side of the screen. Select configure on the Microsoft Defender connector. 

 

Step 20. Input the Tenant ID, the App ID and the App Secret and select Submit.

 

Step 21. If all of the required connector values are correct, all checks will pass and the connector will be created. 

 

 

After successfully configuring the Microsoft Defender connector, you should begin to see newly discovered assets enriched with data from Microsoft Defender in IdentityGraph. Any devices learned by Elisity prior to the connector being configured will be automatically scheduled for enrichment during the next 24 hour cycle and based on their attachment timestamp. Alternatively, you can force a refresh by selecting the refresh button next to the Microsoft Defender name under the Trust Attributes section of IdentityGraph.

 

Leveraging Microsoft Defender with Elisity

When Elisity discovers a new asset on the network and the Microsoft Defender connector is active, Cloud Control Center queries the Microsoft Defender platform via API for additional device attributes in order to enrich IdentityGraph. This enriched data is displayed in the IdentityGraph tab of the device and can be leveraged in Policy Group definition. 

 

 

 

If a device discovered by Elisity is also known in Microsoft Defender, the Trust Attribute flag for "Known in Microsoft Defender" will be set to Yes. You can then leverage this trust attribute as match criteria in Policy Group definition. 

To learn more about how to leverage IdentityGraph Trust Attributes review the Leveraging Trust Attributes for Policy Group Definition article.

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful