This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
This integration is remote capable.
Update Defender ATP
- Identify or create credentials to access integration with read access, at minimum.
- Identify the following values in the Azure Web portal:
Refer to the Microsoft documentation for instructions on creating an app to get this information.
- Client ID
- Client Secret
- Authorization URL
- Tenant ID
API Calls
The following API calls are used by the Validation Platform.
Purpose | Call |
|---|---|
| Get alerts for the Actor | /api/alerts |
| Get authorization token | Authorization URL provided by Defender ATP |
Update the Validation Platform
Prerequisites
Information to gather before you start:
- Identify the host, or geographic region, of your Defender ATP instance (US, UK, or EU).
- Identify the Port used for Defender ATP communication (this defaults to 443).
- Identify the Client ID unique to your application.
- Identify the Client Secret unique to your application.
- Identify the Authorization URL unique to your application.
- Identify the Tenant ID unique to your application.
Microsoft SIEM API is being replaced with Microsoft Graph for accessing Defender events. If your system employs Microsoft Graph, the settings shown here will need to be configured before you can successfully integrate with Microsoft Defender ATP.
To add the Defender ATP integration
Go to Settings > Integrations.
- Click Add Integration > Defender ATP.
You can add this as either a Local or Remote Integration.
Enter information for the Host, Port, and Protocol.
- If using an alternate hostname, that needs to be defined on Windows Actors for MS Defender ATP to make a hostname-based match.
- The host is auto-populated with the required info for the current API version but can be changed to one of the options listed that follow the Host text box.
- Enter information for the Client ID and Client Secret.
- (Optional) Update the API Version. This is set to the current supported API by default.
- Update the Auth URL.
This is set correctly for MS Defender for Endpoint API. Update this if you are not using the MS Defender for Endpoint API.
- Add the Tenant ID.
This is necessary if you're using the MS Defender for Endpoint API.
- Add the Resource.
This is necessary if you are using the Legacy SIEM API.
Expand Advanced options and update the information if necessary.
Click Submit.
Set up Proxy Assignment
If all outbound connections go through a proxy, you may want to set up a proxy definition and assignment for your integration. For information on setting up your proxy rules, see Proxy Rules.
Verify connectivity
To verify connectivity to Defender ATP
Click Test to verify that:
- The Director can communicate with the integration host on the port and protocol specified.
- The integration credentials are valid and working.