
Microsoft Defender for Endpoint

Introduction

This guide explains how to set up Microsoft Azure for use with Cyclr, and how to install a Microsoft Defender for Endpoint Connector.


Setup & Authentication

Overview

You must create a Microsoft Azure application to obtain credentials to install a Microsoft Defender for Endpoint Connector.

Two different authentication methods can be used:

  • Application permissions

  • Delegated permissions

You can find an overview of the differences between these authentication methods here.

Remote Setup in Microsoft Azure - performed by Cyclr Partner

You must create a Microsoft Azure application to obtain an Application (client) ID, Client Secret, and Directory (tenant) ID.

The Application (client) ID and Directory (tenant) ID can be found on the Overview screen, and the Client Secret can be created and found on the Manage > Certificates & secrets screen.

Application permissions

Microsoft’s guide on creating a Microsoft Azure application with application permissions can be found here. Step 9 of the guide should be skipped. The following permissions should be added depending on which Connector methods you wish to use:

| Method category | Method | Permission |
|---|---|---|
| Alerts | Get Alert Related Machine Information | Machine.Read.All or Machine.ReadWrite.All |
| Alerts | List Alerts | Alert.Read.All or Alert.ReadWrite.All |
| Browser Extensions | List Browser Extensions Permission Information | Software.Read.All |
| Device Health | List Antivirus Health Report | Machine.Read.All |
| Machines | Get Machine | Machine.Read.All or Machine.ReadWrite.All |
| Machines | List Machine Discovered Vulnerabilities | Vulnerability.Read.All |
| Machines | List Machine Installed Software | Software.Read.All |
| Machines | List Machine Logon Users | User.Read.All |
| Machines | List Machine Related Alerts | Alert.Read.All or Alert.ReadWrite.All |
| Machines | List Machine Security Recommendations | SecurityRecommendation.Read.All |
| Machines | List Machines | Machine.Read.All or Machine.ReadWrite.All |

Delegated permissions

Microsoft’s guide on creating a Microsoft Azure application with delegated permissions can be found here.

The following permissions should be added depending on which Connector Methods you wish to use:

| Method category | Method | Permission |
|---|---|---|
| Alerts | Get Alert Related Machine Information | Machine.Read or Machine.ReadWrite |
| Alerts | List Alerts | Alert.Read or Alert.ReadWrite |
| Browser Extensions | List Browser Extensions Permission Information | Software.Read |
| Device Health | List Antivirus Health Report | Machine.Read |
| Machines | Get Machine | Machine.Read or Machine.ReadWrite |
| Machines | List Machine Discovered Vulnerabilities | Vulnerability.Read |
| Machines | List Machine Installed Software | Software.Read |
| Machines | List Machine Logon Users | User.Read.All |
| Machines | List Machine Related Alerts | Alert.Read or Alert.ReadWrite |
| Machines | List Machine Security Recommendations | SecurityRecommendation.Read |
| Machines | List Machines | Machine.Read or Machine.ReadWrite |
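The two permission lists above can be checked mechanically before a Connector is installed. The following is an added example, not Cyclr or Microsoft code: it compares the permissions granted to the Azure application with the Connector methods you intend to use and reports what is missing, what is broader than needed, and what is unused. The function names are assumptions, and a ReadWrite permission is treated as sufficient only for methods whose row lists it.

```python
# Added example: audit granted Azure permissions against the tables on this page.
# Method names and permission strings come from those tables; the function
# names and any grant lists passed in are assumptions for illustration.

# method -> (resource, True if the table also lists a ReadWrite permission)
METHODS = {
    "Get Alert Related Machine Information": ("Machine", True),
    "List Alerts": ("Alert", True),
    "List Browser Extensions Permission Information": ("Software", False),
    "List Antivirus Health Report": ("Machine", False),
    "Get Machine": ("Machine", True),
    "List Machine Discovered Vulnerabilities": ("Vulnerability", False),
    "List Machine Installed Software": ("Software", False),
    "List Machine Logon Users": ("User", False),
    "List Machine Related Alerts": ("Alert", True),
    "List Machine Security Recommendations": ("SecurityRecommendation", False),
    "List Machines": ("Machine", True),
}


def perm(resource, mode, write=False):
    """Build the permission name for 'application' or 'delegated' mode."""
    verb = "ReadWrite" if write else "Read"
    # Application permissions end in .All; so does User.Read.All in both tables.
    suffix = ".All" if mode == "application" or resource == "User" else ""
    return f"{resource}.{verb}{suffix}"


def audit(methods, granted, mode):
    """Report missing, broader-than-needed and unused permissions."""
    if mode not in ("application", "delegated"):
        raise ValueError(f"unknown mode: {mode}")
    granted, used, broad, missing = set(granted), set(), set(), {}
    for method in methods:
        resource, rw_listed = METHODS[method]  # KeyError for unknown methods
        read, write = perm(resource, mode), perm(resource, mode, write=True)
        if read in granted:
            used.add(read)
        elif rw_listed and write in granted:
            used.add(write)
            broad.add(write)  # works, but Read alone would be enough
        else:
            missing[method] = read
    return {"missing": missing, "broader_than_needed": sorted(broad),
            "unused": sorted(granted - used)}
```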

Partner Setup in Cyclr Console

Having created an application within Microsoft Azure, go into your Cyclr Partner Console:

  1. Go to Connectors > Application Connector Library.

  2. Use the search box to locate the Microsoft Defender for Endpoint Connector entry.

  3. Select the Pencil button.

  4. Select the Settings tab.

  5. Enter the below values:

| Value | Description |
|---|---|
| Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application. |
| Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application. |

  6. Select Save Changes.

If you leave these values blank, they must be provided each time the Connector is installed.

Cyclr Connector Installation

When installing the Microsoft Defender for Endpoint Connector, the following values are used:

| Value | Description |
|---|---|
| Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application. Only required if not set in your Cyclr Partner Console. |
| Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application. Only required if not set in your Cyclr Partner Console. |
| Username | The Username of the Microsoft Azure account to authenticate with. Delegated permissions only. |
| Password | The Password of the Microsoft Azure account to authenticate with. Delegated permissions only. |
| Tenant ID | The Directory (tenant) ID from the Overview page of your Microsoft Azure application. |
