Microsoft Defender for Endpoint
Introduction
This guide explains how to set up Microsoft Azure for use with Cyclr and how to install a Microsoft Defender for Endpoint Connector.
Setup & Authentication
Overview
You must create a Microsoft Azure application to obtain credentials to install a Microsoft Defender for Endpoint Connector.
Two different authentication methods can be used:
Application permissions
Delegated permissions
You can find an overview of the differences between these authentication methods here.
Remote Setup in Microsoft Azure - performed by Cyclr Partner
You must create a Microsoft Azure application to obtain an Application (client) ID, Client Secret, and Directory (tenant) ID.
The Application (client) ID and Directory (tenant) ID can be found on the Overview screen, and the Client Secret can be created and found on the Manage > Certificates & secrets screen.
Application permissions
Microsoft’s guide on creating a Microsoft Azure application with application permissions can be found here. Step 9 of the guide should be skipped. The following permissions should be added depending on which Connector methods you wish to use:
Method category | Method | Permission |
---|---|---|
Alerts | Get Alert Related Machine Information | |
Alerts | List Alerts | |
Browser Extensions | List Browser Extensions Permission Information | |
Device Health | List Antivirus Health Report | |
Machines | Get Machine | |
Machines | List Machine Discovered Vulnerabilities | |
Machines | List Machine Installed Software | |
Machines | List Machine Logon Users | |
Machines | List Machine Related Alerts | |
Machines | List Machine Security Recommendations | |
Machines | List Machines | |
Delegated permissions
Microsoft’s guide on creating a Microsoft Azure application with delegated permissions can be found here.
The following permissions should be added depending on which Connector Methods you wish to use:
Method category | Method | Permission |
---|---|---|
Alerts | Get Alert Related Machine Information | |
Alerts | List Alerts | |
Browser Extensions | List Browser Extensions Permission Information | |
Device Health | List Antivirus Health Report | |
Machines | Get Machine | |
Machines | List Machine Discovered Vulnerabilities | |
Machines | List Machine Installed Software | |
Machines | List Machine Logon Users | |
Machines | List Machine Related Alerts | |
Machines | List Machine Security Recommendations | |
Machines | List Machines | |
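A least-privilege check for either permission model, added here as an example and not taken from this guide or from Cyclr: it decodes an access token issued to the Azure application and compares what was granted with what the selected Connector methods need. It relies on Microsoft Entra ID putting application permissions in the `roles` claim and delegated permissions in the space-separated `scp` claim; the function names are hypothetical, and the tokens and permission names in the samples are constructed inputs, so take the real required set from Microsoft's documentation for each method.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for this demo (not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def token_claims(jwt: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_permissions(jwt: str, needed: set) -> dict:
    """Report which permission model the token uses and any gap or surplus."""
    claims = token_claims(jwt)
    if "scp" in claims:        # user token: delegated permissions
        kind, granted = "delegated", set(claims["scp"].split())
    elif "roles" in claims:    # app-only token: application permissions
        kind, granted = "application", set(claims["roles"])
    else:
        kind, granted = "none", set()
    return {"kind": kind,
            "missing": sorted(needed - granted),   # methods that will fail
            "excess": sorted(granted - needed)}    # grants to remove in Azure


# Constructed samples: an app-only token with one surplus grant,
# and a user token that lacks one needed scope.
APP_TOKEN = make_sample_token(
    {"roles": ["Alert.Read.All", "Machine.Read.All", "Machine.Isolate"]})
USER_TOKEN = make_sample_token({"scp": "Alert.Read"})

if __name__ == "__main__":
    print(audit_permissions(APP_TOKEN, {"Alert.Read.All", "Machine.Read.All"}))
    print(audit_permissions(USER_TOKEN, {"Alert.Read", "Machine.Read"}))
```

Every method listed in the tables above is a Get or List call, so any write or response-action permission reported under `excess` is a candidate for removal from the application.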
Partner Setup in Cyclr Console
Having created an application within Microsoft Azure, go into your Cyclr Partner Console:
Go to Connectors > Application Connector Library.
Use the search box to locate the Microsoft Defender for Endpoint Connector entry.
Select the Pencil button.
Select the Settings tab.
Enter the below values:
Value | Description |
---|---|
Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application. |
Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application. |
Select Save Changes.
If you leave these values blank, they must be provided each time the Connector is installed.
Cyclr Connector Installation
When installing the Microsoft Defender for Endpoint Connector, the following values are used:
Value | Description |
---|---|
Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application. Only required if not set in your Cyclr Partner Console. |
Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application. Only required if not set in your Cyclr Partner Console. |
Username | The Username of the Microsoft Azure account to authenticate with. Delegated permissions only. |
Password | The Password of the Microsoft Azure account to authenticate with. Delegated permissions only. |
Tenant ID | The Directory (tenant) ID from the Overview page of your Microsoft Azure application. |