It is time for part 7 of the Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on Defender for Endpoint and additional configurations. Now it is time for the integration part with other products and services.

Microsoft Defender can be used with other products in the Microsoft landscape; for example it can be integrated with Defender for Cloud Apps, Microsoft Sentinel, Defender for Office, and additional products. During the first part, we explained already the Intune integration – which is needed when Intune is the tool for onboarding and configuring Defender.

NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2 all Microsoft Defender for Endpoint P1 features are available in P2.

Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.

Introduction Integrations

The real power starts when Defender is fully integrated with all components part of the Microsoft portfolio. With the use of multiple security products, there is stronger detection, and capabilities can be shared.

The following integrations are available in Microsoft Defender for Endpoint:

  • Defender for Office
  • Defender for Identity (Legacy)
  • Defender for Cloud Apps
  • Microsoft Sentinel
  • Defender for Cloud/ Defender for Servers

Defender for Office

Integrating Defender for Office 365 enables full protection capabilities and monitoring capabilities.

Important: This feature is only available if you have an active Defender for Office P2 instance. Analysts need to have access to Defender for Endpoint and Defender for Office 365 P2 for showing all data in the Threat Explorer.

Update 17 January 2021: Manual integration is no longer needed

Defender for Endpoint integrates now natively with Defender for Office P2. Both configurations in Advanced Features and Explorer are not needed anymore. The integration is always enabled and an integral part of Microsoft Defender 365.


Defender for Identity

Recently Defender for Identity (MDI) is integrated with the security.microsoft.com portal. Since November 2022 the integration with Defender for Endpoint is no longer supported. The new Microsoft Defender/ security.microsoft.com portal contains a default built-in integration for both products. No additional configuration is required.

Defender for Identity is now fully integrated and available via security.microsoft.com


Defender for Cloud Apps

Microsoft Defender for Endpoint and Defender for Cloud Apps can be integrated for enabling more features and sharing data natively as part of the MDE sensor.

Defender for Cloud Apps uses data from Defender for Endpoint about cloud apps and services being accessed from the device. When enabled the logs will be sent directly to Defender for Cloud Apps for interesting insights.

Before starting with integrating Defender for Cloud Apps validate the needed prerequisites:

  • Microsoft Defender for Cloud Apps license available
  • Microsoft Defender for Endpoint Plan 2
  • Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 and Windows 11 versions

Enable integration in MDE

In MDE we need to enable the integration in the advanced features page. Enable the toggle for Microsoft Defender for Cloud Apps:

In the Defender for Cloud Apps we need to enable the Defender for Endpoint integration for blocking unsanctioned apps. After enabling the integration all apps which are currently unsanctioned will be added to the indicator list of MDE, with the result; the app will be blocked automatically based on the Network Protection feature.

Enable integration in Defender for Cloud Apps

When apps are unsanctioned in Defender for Cloud Apps there is the option for syncing all indicators part of the application directly to Defender for Endpoint.

Important: Indicators will be only blocked when Network protection is configured in block mode. Audit mode is not blocking the URL.

For enabling the indicator integration go to Microsoft 365 Defender (security.microsoft.com) and click Settings -> Cloud Apps -> Microsoft Defender for Endpoint

Under Defender for Endpoint enable the configuration Enforce app accessWhen enabled all apps marked as unsanctioned will be added in the indicator list with the value block.

Important: Before enabling the integration, always verify the current list of apps that are unsanctioned. When enabling the below integration; all URLs of unsanctioned apps will be blocked in Defender for Cloud Apps.

Block apps in Defender for Cloud Apps

When apps are blocked in Defender for Cloud Apps indicators will be added in Defender for Cloud Apps. For example; WhatsApp is blocked in Defender for Cloud Apps:

After some time all indicators will be visible in Defender for Endpoint -> Indicators -> URLs/Domains. Each URL part of the Defender for Cloud Apps sync is created with the following information:

  • Created by: Microsoft Defender for Cloud Apps
  • Title when blocked: Unsanctioned cloud app access was blocked
  • Title when using monitored: Connection to a risky cloud application was detected

By default when apps are blocked the default is based on the All Devices scope. Common question; can we target apps against specific device groups in MDE? The answer is yes, this is possible with scoped profiles.

For configuring scoped profiles open the App Tags page in the Cloud Apps settings overview. Select Scoped profiles and create a new profile.

Scoped entities can be used for including or excluding specific device groups. Exclude can be used for including all devices and excluding specific device groups. Include is only for adding specific device groups.

When tagging apps as unsanctioned in Defender for Cloud Apps select the created profile:

Indicators are now deployed and targeted to the configured scope, with this method it is possible to block apps to specific device groups or exclude groups from the initial scope.

More in-depth information is explained in the following blog. Block apps (discovered/ shadow IT) with Defender for Cloud Apps and Defender for Endpoint | Jeffrey Appel


Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event manager (SIEM) which can be integrated easily with Defender for Endpoint via available data connectors. Sentinel supports multiple integrations for event data streaming and alert creation.

The following Defender for Endpoint related connectors are available:

  • Microsoft 365 Defender (preview)
  • Microsoft Defender for Endpoint

When using Microsoft 365 Defender there is some overlap with the Microsoft Defender for Endpoint connector. Each product contains an individual connector. Microsoft 365 Defender is based on the Microsoft 365 Defender instance and brings all incidents from the sources. The advantage of the new Microsoft 365 Defender connector is the possibility of enabling more telemetry, all this is not free.

Bi-directional connector

The Microsoft 365 Defender connector is bi-directional meaning it closes the alert/incident in Sentinel and the Microsoft security products. The new connectors enable streaming based on the incident. The specific standalone connectors are not bi-directional and sync only the alerts.

Recommendation: Use the new Microsoft 365 Defender connector for alert creation. There is always the option for collecting additional raw telemetry/ data.

Microsoft 365 Defender connector

Free data type

The SecurityAlert & SecurityIncident data type is part of the free offering. All additional raw events which can be streamed from Microsoft 365 Defender to Sentinel are not part of the free data type. There is the option for streaming all data in Advanced Hunting into Sentinel, it cost money for ingesting the same data in Microsoft Sentinel. For longer retention or specific use cases the additional telemetry can be used.

How to connect?

Connecting data connectors in Microsoft Sentinel is easy and can be enabled with some clicks via the Microsoft Sentinel portal. For enabling a data connector:

  • Open Microsoft Sentinel and select Data connectors
  • Select the connector you want to connect, and then select Open connector page.
  • Complete the prerequisites and follow the instructions for each specific connector

Integration for longer data retention?

By default, the data retention of Defender for Endpoint is 180 days, and max 30 days for Advanced Hunting. When needed there are multiple ways for saving data for longer retention. The following options are available as part of the Microsoft ecosystem:

  • Microsoft Sentinel
  • Streaming API
    • Storage account
    • Event hub

Microsoft Sentinel

When used the above Microsoft 365 Defender additional events can be forwarded to Sentinel/ Log Analytics using the event log options:

Important: Collecting additional MDE telemetry/ events is not free. MDE generates a load of data which gives high additional cost when enabled for a large set of devices.

Streaming API

With the use of the Streaming API events can be streamed directly to a storage account or event hub. The advantage is longer data retention for each data set, without the ingestion cost of Sentinel. Of course; there is still a cost for the data in the storage account or event hub.

Configuration is easy and possible via the Microsoft 365 Defender settings overview page. Go to; Security.micosoft.com -> Microsoft 365 Defender -> Streaming API

For each event type data can be streamed. All data part of the device type is the actual device info. Alerts can be used when longer retention is needed for all AlertInfo and related AlertEvidence.

More information: Microsoft 365 Defender streaming API


Conclusion

Part 7 of the Microsoft Defender for Endpoint series is completed – focused on the explanation of the integration options with other products.

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Validate Defender protection and additional troubleshooting – Part6

View next part – Advanced hunting and custom detections – Part8