Microsoft Defender for Endpoint

Visualize Microsoft Defender for Endpoint resources, map Defender users to employees, and monitor changes through queries and alerts.

Installation guide

Installation

To use this integration, you must have:

• An Azure account with an App Registration to provide credentials for the JupiterOne integration to authenticate with Microsoft Graph APIs. The App Registration also defines the permissions the integration requires and which the target tenant must authorize.
• An Active Directory tenant to target for data ingestion. It is possible to target the Active Directory tenants defined in the Azure account holding the App Registration.
• A Microsoft Defender for Endpoint account to create devices and run attacks via simulation technique, which can track vulnerabilities data, user groups creation and mapping users to devices.

Configuration in Microsoft Defender for Endpoint

In Microsoft Defender for Endpoint:

1. Create a Microsoft Defender for Endpoint account.
2. Add devices.

In the Azure Portal

1. Navigate to App Registrations.
2. Click New Registration.
3. Enter a name for the app.
4. Select the supported account type.
5. Click Register.

Add API permissions

In your new app registration, go to API Permissions under Manage in the left-side panel.

1. If your app has already been assigned the User.Read permission, remove it using the context menu. It is not needed for the integration to run.
2. If a warning appears saying "This scope is required for proper application functionality.", it can be safely ignored.
3. Click Add a permission > Microsoft Graph.
4. When presented with "What type of permissions does your application require?", select Application permissions.
5. Add the Organization.Read.All permission and Directory.Read.All permission.
6. Click Add permissions.
7. Click Add a permission again.
8. Under APIs my organization uses, search "WindowsDefenderATP" and click the result.
9. When presented with "What type of permissions does your application require?", select Application permissions and add the following:
   • Machine.Read.All permission
   • User.Read.All permission
   • Vulnerability.Read.All permission
10. Click Add permission.
11. Grant admin consent for the API permissions.

Add Client Secret

1. In your app registration, click Certificates & secrets.
2. Under Client Secrets, click New client secret.
3. Add a description for the secret.
4. Select a secret expiration that matches your needs for secret rotation.
5. Click Add.
6. Copy the secret value using the Copy to Clipboard icon (highlighting and copying will not copy the full value).

Granted API Permissions usage

Microsoft Graph

1. Organization.Read.All
   • Read organization information
   • Needed for creating the Account entity
2. Directory.Read.All
   • Read directory data
   • Needed for creating User, Group, and GroupUser entities

WindowsDefenderATP

1. Machine.Read.All
   • Read machine information
   • Needed for creating Device and HostAgent entities
2. User.Read.All
   • Read user profiles
   • Needed for creating User entities
3. Vulnerability.Read.All
   • Read Threat and Vulnerability Management vulnerability information
   • Needed for creating Vulnerability entity

Configuration in JupiterOne

To install the Microsoft Defender for Endpoint integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft Defender for Endpoint. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

• The Account Name used to identify the Microsoft Defender for Endpoint account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

• Client Secret value that you copied earlier.

• Tenant (Directory ID) and Client ID (Application ID), located in your App Registration's Overview tab.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Microsoft Defender for Endpoint data model

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Account	microsoft_defender_account	Account
Device/Machine/Host	user_endpoint	Device
Logon User	microsoft_defender_logon_user	User
Machine	microsoft_defender_machine	HostAgent
User	microsoft_defender_user	User
Vulnerability	microsoft_defender_vulnerability	Finding

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
microsoft_defender_account	HAS	microsoft_defender_machine
microsoft_defender_account	HAS	microsoft_defender_user
microsoft_defender_machine	HAS	microsoft_defender_logon_user
microsoft_defender_machine	IDENTIFIED	microsoft_defender_vulnerability
microsoft_defender_machine	MANAGES	user_endpoint

Mapped Relationships

The following mapped relationships are created:

Source Entity _type	Relationship _class	Target Entity _type	Direction
microsoft_defender_vulnerability	IS	*cve*	FORWARD

Microsoft Defender for Endpoint types

Microsoft Defender Account

microsoft_defender_account inherits from Account

Property	Type	Description	Specifications
organizationName	string | null
defaultDomain	string
verifiedDomains	array of strings

---

Microsoft Defender User

microsoft_defender_user inherits from User

Property	Type	Description	Specifications
businessPhones	array of strings
givenName	string | null
jobTitle	string | null
mail	string | null
mobilePhone	string | null
officeLocation	string | null
preferredLanguage	string | null
surname	string | null
userPrincipalName	string | null

---

Microsoft Defender Machine

microsoft_defender_machine inherits from HostAgent

Property	Type	Description	Specifications
firstSeenOn	number
agentVersion *	string
defenderAvStatus *	string
riskScore *	string
computerDnsName *	string
rbacGroupId *	number
rbacGroupName *	string | null
machineTags *	array of strings
onboardingStatus *	string
managedBy *	string
managedByStatus *	string
ipAddress *	array of strings
macAddress *	array of strings
aadDeviceId *	string | null

---

User Endpoint

user_endpoint inherits from Device

Property	Type	Description	Specifications
computerDnsName *	string
firstSeenOn	number
osPlatform *	string
osProcessor	string
lastIpAddress *	string
lastExternalIpAddress *	string
agentVersion *	string
osBuild *	number | null
healthStatus *	string
deviceValue *	string
rbacGroupId *	number
rbacGroupName *	string | null
riskScore *	string
exposureLevel *	string
isAadJoined *	boolean | null
aadDeviceId *	string | null
machineTags *	array of strings
defenderAvStatus *	string
onboardingStatus *	string
osArchitecture *	string
managedBy *	string
managedByStatus *	string
vmId	string
cloudProvider	string
resourceId	string
subscriptionId	string
ipAddresses *	array of strings
ipAddress *	array of strings
macAddress *	array of strings

---

Microsoft Defender Vulnerability

microsoft_defender_vulnerability inherits from Finding

Property	Type	Description	Specifications
id *	string
publishedOn	number
exposedMachines *	number
blocking *	boolean

---

Microsoft Defender Logon User

microsoft_defender_logon_user inherits from User

Property	Type	Description	Specifications
domain	string | null
firstSeenOn	number
lastSeenOn	number
logonTypes *	string

---