Microsoft Defender for Endpoint
Visualize Microsoft Defender for Endpoint resources, map Defender users to employees, and monitor changes through queries and alerts.
- Installation guide
- Microsoft Defender for Endpoint data model
- Microsoft Defender for Endpoint types
Installation
To use this integration, you must have:
- An Azure account with an App Registration to provide credentials for the JupiterOne integration to authenticate with Microsoft Graph APIs. The App Registration also defines the permissions the integration requires and which the target tenant must authorize.
- An Active Directory tenant to target for data ingestion. It is possible to target the Active Directory tenants defined in the Azure account holding the App Registration.
- A Microsoft Defender for Endpoint account to create devices and run attacks via simulation technique, which can track vulnerabilities data, user groups creation and mapping users to devices.
Configuration in Microsoft Defender for Endpoint
In Microsoft Defender for Endpoint:
- Create a Microsoft Defender for Endpoint account.
- Add devices.
In the Azure Portal
- Navigate to App Registrations.
- Click New Registration.
- Enter a name for the app.
- Select the supported account type.
- Click Register.
Add API permissions
In your new app registration, go to API Permissions under Manage in the left-side panel.
- If your app has already been assigned the
User.Read permission
, remove it using the context menu. It is not needed for the integration to run. - If a warning appears saying "This scope is required for proper application functionality.", it can be safely ignored.
- Click Add a permission > Microsoft Graph.
- When presented with "What type of permissions does your application require?", select Application permissions.
- Add the
Organization.Read.All
permission andDirectory.Read.All
permission. - Click Add permissions.
- Click Add a permission again.
- Under APIs my organization uses, search "WindowsDefenderATP" and click the result.
- When presented with "What type of permissions does your application require?", select Application permissions and add the following:
Machine.Read.All
permissionUser.Read.All
permissionVulnerability.Read.All
permission
- Click Add permission.
- Grant admin consent for the API permissions.
Add Client Secret
- In your app registration, click Certificates & secrets.
- Under Client Secrets, click New client secret.
- Add a description for the secret.
- Select a secret expiration that matches your needs for secret rotation.
- Click Add.
- Copy the secret value using the Copy to Clipboard icon (highlighting and copying will not copy the full value).
Granted API Permissions usage
Microsoft Graph
- Organization.Read.All
- Read organization information
- Needed for creating the Account entity
- Directory.Read.All
- Read directory data
- Needed for creating User, Group, and GroupUser entities
WindowsDefenderATP
- Machine.Read.All
- Read machine information
- Needed for creating Device and HostAgent entities
- User.Read.All
- Read user profiles
- Needed for creating User entities
- Vulnerability.Read.All
- Read Threat and Vulnerability Management vulnerability information
- Needed for creating Vulnerability entity
Configuration in JupiterOne
To install the Microsoft Defender for Endpoint integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft Defender for Endpoint. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
The Account Name used to identify the Microsoft Defender for Endpoint account in JupiterOne. Ingested entities will have this value stored in
tag.AccountName
when theAccountName
toggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLED
and manually execute the integration.Client Secret value that you copied earlier.
Tenant (Directory ID) and Client ID (Application ID), located in your App Registration's Overview tab.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | microsoft_defender_account | Account |
Device/Machine/Host | microsoft_defender_user_endpoint | Device |
Logon User | microsoft_defender_logon_user | User |
Machine | microsoft_defender_machine | HostAgent |
User | microsoft_defender_user | User |
Vulnerability | microsoft_defender_vulnerability | Finding |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
microsoft_defender_account | HAS | microsoft_defender_machine |
microsoft_defender_account | HAS | microsoft_defender_user |
microsoft_defender_machine | HAS | microsoft_defender_logon_user |
microsoft_defender_machine | PROTECTS | microsoft_defender_user_endpoint |
microsoft_defender_machine | IDENTIFIED | microsoft_defender_vulnerability |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
---|---|---|---|
microsoft_defender_vulnerability | IS | *cve* | FORWARD |
Microsoft Defender Account
microsoft_defender_account
inherits from Account
Property | Type | Description | Specifications |
---|---|---|---|
organizationName | string | null | ||
defaultDomain | string | ||
verifiedDomains | array of string s |
Microsoft Defender User
microsoft_defender_user
inherits from User
Property | Type | Description | Specifications |
---|---|---|---|
businessPhones | array of string s | ||
givenName | string | null | ||
jobTitle | string | null | ||
mail | string | null | ||
mobilePhone | string | null | ||
officeLocation | string | null | ||
preferredLanguage | string | null | ||
surname | string | null | ||
userPrincipalName | string | null |
Microsoft Defender Machine
microsoft_defender_machine
inherits from HostAgent
Property | Type | Description | Specifications |
---|---|---|---|
firstSeenOn | number | ||
agentVersion * | string | ||
defenderAvStatus * | string | ||
riskScore * | string | ||
computerDnsName * | string | ||
rbacGroupId * | number | ||
rbacGroupName * | string | null | ||
machineTags * | array of string s | ||
onboardingStatus * | string | ||
managedBy * | string | ||
managedByStatus * | string | ||
ipAddress * | array of string s | ||
macAddress * | array of string s | ||
aadDeviceId * | string | null |
Microsoft Defender User Endpoint
microsoft_defender_user_endpoint
inherits from Device
Property | Type | Description | Specifications |
---|---|---|---|
computerDnsName * | string | ||
firstSeenOn | number | ||
osPlatform * | string | ||
osProcessor | string | ||
lastIpAddress * | string | ||
lastExternalIpAddress * | string | ||
agentVersion * | string | ||
osBuild * | number | null | ||
healthStatus * | string | ||
deviceValue * | string | ||
rbacGroupId * | number | ||
rbacGroupName * | string | null | ||
riskScore * | string | ||
exposureLevel * | string | ||
isAadJoined * | boolean | null | ||
aadDeviceId * | string | null | ||
machineTags * | array of string s | ||
defenderAvStatus * | string | ||
onboardingStatus * | string | ||
osArchitecture * | string | ||
managedBy * | string | ||
managedByStatus * | string | ||
vmId | string | ||
cloudProvider | string | ||
resourceId | string | ||
subscriptionId | string | ||
ipAddresses * | array of string s | ||
ipAddress * | array of string s | ||
macAddress * | array of string s |
Microsoft Defender Vulnerability
microsoft_defender_vulnerability
inherits from Finding
Property | Type | Description | Specifications |
---|---|---|---|
id * | string | ||
publishedOn | number | ||
exposedMachines * | number | ||
blocking * | boolean |
Microsoft Defender Logon User
microsoft_defender_logon_user
inherits from User
Property | Type | Description | Specifications |
---|---|---|---|
domain | string | null | ||
firstSeenOn | number | ||
lastSeenOn | number | ||
logonTypes * | string |