Microsoft Defender for Endpoint

What is Microsoft Defender for Endpoint? #

Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection (ATP)) is an enterprise endpoint security platform that helps defend against advanced persistent threats.

Why Should You Use the Microsoft Defender for Endpoint Connector? #

The Microsoft Defender for Endpoint connector provides visibility into the software and hardware in your environment. You can use this visibility to:

  • monitor vulnerabilities affecting applications

  • ensure assets are managed per your security policies

  • monitor each endpoint and its status

  • ensure each asset is running the latest version of Microsoft Defender for Endpoint

How Does This Connector Work? #

Lucidum executes read-only requests to the REST API for Microsoft Defender for Endpoint and ingests only metadata about Microsoft Defender. Lucidum does not retrieve any data stored on your assets.

Creating an Application in Microsoft Azure #

Before configuring the Microsoft Defender Advanced Threat Protection connector in Lucidum, you must first create an application in Azure. Lucidum will use the application to access Microsoft Defender Advanced Threat Protection.

  1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account.

    NOTE: Do not log in with the Application Administrator account. The Application Administrator account does not have the required privileges.

  2. Select Azure Active Directory.

  3. If you have more than one directory, make sure you are logged in to the directory you want to access with Lucidum.

  4. If you want to change directories, click on the top-right account icon and then click Switch Directory.

  5. In the left menu, select App registrations. In the main pane, click New registration. The Register an application page appears.

  6. In the Register an application page, enter values in these fields:

    • Name. Enter Lucidum.

    • Supported account types. Select Accounts in this organizational directory only.

  7. Click Register.

  8. After you have created the application, the Azure portal displays the Application (client) ID and Directory (tenant) ID. Copy and save these values. You will need them later to configure the Microsoft Defender for Endpoint connector in Lucidum.

  9. In the left menu, click Certificates & Secrets. In the main pane, click New Client Secret. The Add a client secret pane appears on the right.

  10. Supply values in the Add a client secret pane:

    • Description. Provide a description of the secret.

    • Expires. Select 24 months.

    • Click Add.

  11. Copy and save the secret value and the secret ID. You will need these values later to configure the Microsoft Defender for Endpoint connector in Lucidum.

  12. In the left menu, click API Permissions. In the main pane, click Add a permission. In the right pane, select Microsoft Graph.

  13. Select APIs my organization uses and select WindowsDefenderATP API.

  14. Click Application permissions. The Request API Permissions pane appears.

  15. In the Request API permission pane, select:

    • Machine > Machine.Read.All

    • Software > Software.Read.All

    • User > User.Read.All

    • Vulnerability > Vulnerability.Read.All

    • Alert > Alert.Read.All

  16. Click Add permissions.

  17. In the main pane, click Grant admin consent for Default Directory and then click Yes.

  18. You can now configure the Microsoft Defender for Endpoint connector in Lucidum.
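Before entering the values in Lucidum, you can confirm that the admin consent in step 17 actually granted the application permissions selected in step 15 by requesting a token for the application and inspecting its roles claim. The following Python is an added example, not Lucidum's code or Microsoft's; it assumes the v1.0 token endpoint and resource value from Microsoft's app-registration guide linked under Source Documentation, and uses a constructed, unsigned sample token so that it runs offline.

```python
import base64
import json

# Token audience for the WindowsDefenderATP API; matches the connector's URL field.
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"

# Application permissions selected in step 15 of the procedure above.
REQUIRED_ROLES = {"Machine.Read.All", "Software.Read.All", "User.Read.All",
                  "Vulnerability.Read.All", "Alert.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant.

    Assumes the v1.0 token endpoint and 'resource' parameter used in Microsoft's
    MDE app-registration guide; POST the body as form data to obtain a token.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": MDE_RESOURCE}
    return url, body


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def missing_roles(access_token):
    """Decode the JWT payload and return the step-15 roles it does not carry.

    The signature is not verified on purpose: this is a local inspection of the
    claims that admin consent (step 17) should have produced, not authentication.
    """
    _header, payload, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != MDE_RESOURCE:
        raise ValueError(f"unexpected audience {claims.get('aud')!r}")
    return REQUIRED_ROLES - set(claims.get("roles", []))


def make_sample_token(roles):
    """Constructed, unsigned sample token so the check can run offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": MDE_RESOURCE, "roles": roles}), ""])


if __name__ == "__main__":
    # Consent that granted four of the five permissions: Alert.Read.All is missing.
    sample = make_sample_token(sorted(REQUIRED_ROLES - {"Alert.Read.All"}))
    print("missing roles:", missing_roles(sample))
```

With a real token from the tenant, an empty result from missing_roles means every permission the connector needs was consented; any role listed is one to add or re-consent in the Azure portal before the Lucidum Test step will succeed.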

Configuring the Connector for Microsoft Defender for Endpoint #

To configure Lucidum to ingest data from Microsoft Defender for Endpoint:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Connector you want to configure. Click Connect. The Settings page appears.

Supply values in these fields:

  • URL
    Description: The base URL for the Microsoft Defender API. If you select the KMS checkbox, Lucidum will use the URL specified in Settings > System Settings, in the Key Management page.
    Example: https://api.securitycenter.microsoft.com

  • Client ID
    Description: Enter the Client ID for the Lucidum application in Azure. Client ID is the unique identifier for the Lucidum application in Azure Active Directory. Client ID is also called Application ID. You captured this value in step #8 in the previous section. If you select the KMS checkbox, Lucidum will use the value specified in Settings > System Settings, in the Key Management page.
    Example: 33333333-0000-0000-0000-123456789123

  • Client Secret
    Description: Enter the Client Secret ID for the Lucidum application in Azure. You captured this value in step #11 in the previous section. If you select the KMS checkbox, Lucidum will use the value specified in Settings > System Settings, in the Key Management page.
    Example: ************

  • Tenant ID
    Description: Enter the tenant ID. Tenant ID is a unique identifier for your instance of Azure. You captured this value in step #8 in the previous section. If you select the KMS checkbox, Lucidum will use the value specified in Settings > System Settings, in the Key Management page.
    Example: x0xxx10-00x0-0x01-0xxx-x0x0x01xx100

To test the configuration, click Test.
  • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

  • If the connector is not configured correctly, Lucidum displays an error message.

Source Documentation #

Creating an Application in Azure #

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

API Documentation #

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/software?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/vulnerability?view=o365-worldwide