Microsoft Defender for Endpoint

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

 

Product	Samurai [Local] Collector	Samurai [Cloud] Collector
Microsoft Defender for Endpoint

 

Prerequisites

The user must have Global administrative access to the Microsoft Defender Security Center and Microsoft Azure Portal.

 You must have an Azure Premium P2 plan for the Privileged Identity Management features discussed below.

 

Recommended Advanced Settings for Defender for Endpoint

If you are a customer with the Incident Response (IR) Retainer, in order to ensure an optimal service delivery and a quick turnaround from activation to remediation by the NTT Incident Response team the below features are recommended to be enabled in Defender for Endpoint 

• Live response
• Live response for servers
• Live response unsigned script execution

Follow the Microsoft documentation - Configure advanced features in Defender for Endpoint  to enable the features.

 

To complete this Integration you will need to perform actions in both the Azure Portal and Samurai XDR Application:

1. Azure Portal

• Application Registration
• Permissions
• Certificates and Secrets

For Samurai Managed Detection and Response clients only:

• Enable MDR SOC access to Microsoft Defender for Endpoint

 

2. From the Samurai XDR application

• Complete the Microsoft Defender for Endpoint Integration

 

Application Registration

Perform these steps to configure the Application ID for advanced hunting API/exposed API.

1. Ensure you are logged into the Azure portal
2. From Azure Active Directory, select App Registrations > New registration
3. The Register an application page appears
4. In the Name field, specify an appropriate name
   
5. In Supported account types, select Accounts in this organization only
6. In Redirect URI (optional), perform the following steps:
   • Select Web
   • Specify https://localhost:5000
7. To finalize the configuration click Register

Permissions

1. Click API permission from the Manage section
2. Click Add a permission, (the permissions page should now appear)
3. Select the APIs my organization uses tab
4. In the search field, specify Windows
5. From the results that now appear, click WindowsDefenderATP
   
6. Select Application permissions
7. From the Select permissions section, select all the permission items ending with Read.All and select Add permissions
   
8. From the Configured permissions section, select Grant admin consent for <Your organization tenant name>
9. The grant consent question will appear, select Yes
10. Once again the API Permissions page will appear for your review. You should see a green tick against the status of the permissions changed.

For clients with Remote Isolation and/or Incident Response (IR) Retainer ensure that the Machine.Isolate is given in addition to the above permissions.

 

Certificates and Secrets

1. While in the created app registration
2. Select select Certificates & secrets from the Manage section
3. In the Client secrets section, click New client secret
4. In the Add a client secret section, specify an appropriate name in the Description field
5. In the Expires section, select 24 months
   
6. Select Add
7. Make note of the Client secret value since this is only available immediately after creation
8. Browse back to the app registration and make note of the Application (client) ID and Directory (tenant) ID. This will be used in the next section Complete the Microsoft Defender for Endpoint Integration.

 

Enable MDR SOC access to Microsoft Defender for Endpoint

If you are not a Samurai Managed Detection and Response (MDR) client jump directly to Complete the Microsoft Defender for Endpoint Integration

The steps outlined below are for Samurai MDR clients only. For the NTT SOC to perform remote isolation and further analysis they must have access to Defender for Endpoint. You may also wish to refer to the Microsoft documentation - Granting managed security service provider (MSSP) access 

 

Prerequisites

Ensure role-based access control (RBAC) is enabled in your Microsoft Defender Security Center.

To enable RBAC in Microsoft Defender Security Center, navigate to Settings > Permissions > Roles and Turn on roles from a user account with Global Administrator or Security Administrator rights.

This feature also requires an Azure Premium P2 plan for the Privileged Identity Management feature.

 

Create Azure Active Directory Group

This step requires you to have a P2 license along with enabling the Preview Features. It relies on a new option to assign Active Directory (AD) user groups to role assignments. As a security measure, this can only be enabled on new groups.

To create Azure AD group for NTT, perform the following steps:

1. Log in to Azure AD admin center

2. Navigate to Groups > All groups > New group.

3. The New Group page appears

4. Specify a relevant Group name

For example, Defender-MSSP

Figure 1 - New Group page

 

This group name will be used later when linking AD groups with Microsoft Defender roles.

5. Select Security from the Group type list.

6. Ensure that Azure AD roles can be assigned to the group (Preview) is set to Yes

You cannot change this setting later, so make sure it is enabled. If you do not see this option, check that you have an Azure Premium P2 license and have the preview features enabled

 

Create Role in Windows Defender

Use this information to create a role in Microsoft Defender Security Center. This role will be assigned to all NTT users later.

You must select the View Data and Alerts investigation permission options. In addition you must also select the Active remediation actions permission option as shown in the image below.

For clients with an Incident (IR) Response Retainer ensure Live response capabilities - Advanced is selected.

Figure 2 - Permission options

 

Perform the following steps:

1. In the Microsoft Defender Security Center, click the Assigned user groups tab

2. Select the AD group created in Create Azure Active Directory Group

For example, Defender-MSSP

3. Click Save

 

If group permissions have been assigned in Device groups ensure that the above group is given permissions to the appropriate groups as described in Manage device groups.

 

Add NTT as Connected Organization

Perform the following steps to add NTT as a connected organisation:

1. Log in to the Microsoft Azure AD portal

2. Navigate to Identity Governance

3. The Identity Governance page appears

4. Click Connected organizations

5. Click Add connected organization

Figure 3 - Connected organizations

 

6. The Add connected organization page appears

Figure 4 - Add connected organization page

 

7. On the Basics tab, specify a Name and Description.

8. On the Directory + domain tab, perform the following steps:

Figure 5 - Add connected organization

• Click Add directory + domain
• In the Select directories + domains field, search for global.ntt

 

Define your Sponsors

Sponsors are the people responsible for approving requests made by NTT staff. You may define internal and/or external sponsors.

Internal sponsors are select individuals from within your organization who can approve requests from NTT. External sponsors are select individuals from within NTT who can approve these on your behalf.

NTT recommends selecting external sponsors and obtaining a list of names from your MDR Onboarding team. These names include managers and team leads who support the service.

Setting up sponsors is a time-consuming process as it requires approving access requests from NTT staff. Therefore, NTT recommends you define external sponsors to enable NTT to manage this process.

Obtain a list of names from your Onboarding team and add them as external sponsors. To add sponsors, use the Review + create tab.

Figure 6 - Review + create tab

 

Create a Resource Catalog

Perform the following steps to create a resource catalog:

1. Log in to Microsoft Azure AD portal

2. Navigate to Identity Governance

3. The Identity Governance page appears

4. Click Catalogs

5. The Catalogs page appears

Figure 7 - Catalogs

 

6. Click New catalog

7. The New catalog page appears.

8. Perform the following steps:

• Specify a Name and Description
• Keep the other default values
• Click Create

 

Create an Access Package

An access package enables you to do a one-time set up of resources and policies that automatically administers access for the life of the access package.

To create a new access package, perform the following steps:

1. Log in to the Microsoft Azure AD portal

2. Navigate to Identity Governance

3. The Identity Governance page appears

4. Click Access packages

5. The Access packages page appears

Figure 8 - Access packages page

 

6. Click New access package

7. The New access package page appears

8. Click the Basics tab and perform the following steps:

• Specify a display Name and Description for the access package
• Select the relevant catalog from the Catalog list
• This catalog was created in the previous section - Create a resource catalog

9. Click the Resource roles tab and perform the following steps:

• Click Groups and Teams
• Add the AD group created in Create Azure Active Directory Group

For example, Defender-MSSP
This will link NTT with the AD group used for managing your Windows Defender Security Center

 

10. Click the Requests tab and perform the following steps:

Figure 9 - Requests tab

• In the Users who can request access section, select For users not in your directory
• Click Add directories to select from a list of connected organizations
• Under Select directories, select the connected organization

For example, NTTSOC
For more information, see Add NTT as Connected Organization

• In the Approval section, perform the following steps:

Figure 10 - Approval section

• • Set Require approval to Yes
  • Set Require requestor justification to Yes
  • Set How many stages to 1
  • Select External sponsor from the First Approver list
  • Select Add fallback and assign one or more users

The assigned users will be responsible for approving the initial NTT users, after which the NTT users can be added as external sponsors.

• • Specify 14 in the Decision must be made in how many days field
  • Set Require approver justification to No
• In the Enable section, set Enable new requests and assignments to Yes

 

Add Requestor Information to an Access Package

Perform the following steps to add requestor information to the access package:

1. Navigate to the Requestor information tab and click the Questions sub tab

2. In the Question field, perform the following steps:

Figure 11 - Question information

• Specify what you want to ask the Security Operations Center (SOC) member in the Question field

For example, enter Who is your direct manager?

• Select Short text from the Answer format list
• Select Required

3. Click Next: Lifecycle

4. Perform the following steps to define when the access package expires:

• In the Expiration section, set Access package assignments expires to Never
• Disable Access Reviews

NTT maintains the security of these accounts through their internal AD system and a joiner/leaver process. When an employee leaves NTT, they no longer have access to your account

 

5. Click Next: Review + Create to review your settings and check for any validation errors

6. Click Create to create the access package

 

Provide Tenant ID and URL to NTT

You need to provide the Tenant ID along with the link shown in the My Access portal link field to NTT during onboarding or via a ticket in the Samurai Help Center.

Your Tenant ID can be found on your root Azure AD page, under Overview.

Figure 12 -  NTTSOC access package

 

Thereafter, an email will be sent to the sponsors, who can then review and approve the request. If your sponsors are set to Internal, you will begin to receive emails when any SOC member requests access.

An example of the email is shown below:

Figure 13 - Sample email

 

On clicking Approve or deny request, the Approvals page appears. Review the pending approval request(s) and approve or deny the request(s) as appropriate.

Figure 14 - Approvals page

 

Add external sponsors

Lastly, after the first NTT users have registered through the provided Access Package, perform the following steps to add external sponsors.

1. Navigate to Identity Governance
2. Select Connected Organizations
3. Select the NTT organization added previously
4. Select Sponsors
5. Select External sponsors
6. Click Add external sponsors
7. Search and select the users from the list of external sponsors provided by NTT

 

Complete the Microsoft Defender for Endpoint Integration

You will need to provide the following information:

• Devicename (an arbitrary name defined by you that will appear as source of alerts)
• Tenant ID (captured in section Certificates and Secrets)
• Rest Domain (optional)
  • You can find more information at Microsoft documentation - Supported Microsoft Defender Endpoint APIs
  • We default to: api.securitycenter.microsoft.com however for improved performance use a server closer to your geo location:
    
    • US:  api-us.securitycenter.microsoft.com 
    • Europe: api-eu.securitycenter.microsoft.com
    • UK: api-uk.securitycenter.microsoft.com
• Client ID (captured in section Certificates and Secrets)
• Client Secret (captured in section Certificates and Secrets)

1. Login to your Samurai XDR tenant
2. Select Telemetry > Integrations
3. Select Create
4. Locate and click Microsoft Defender for Endpoint
5. Click Next (we leverage a Samurai XDR Cloud Collector)
6. Enter a Name of Integration
7. Enter a Description (Optional)
8. Enter your Devicename 
9. Enter your Tenant ID
10. Enter the optional REST Domain
11. Enter your Client ID
12. Enter your Client Secret
13. Click Finish

For general information on Integrations refer to the Integrations article.