Microsoft Defender ATP
You can start virus scans, stop execution of malicious code, manage isolation of network resources, get security recommendations in your Microsoft Defender ATP tenant, and trigger workflows on new security alerts with the Microsoft Defender ATP plugin for InsightConnect.
To use the Microsoft Defender ATP plugin, you must create an application in your Azure Active Directory and then configure the connection in InsightConnect. For more information on the functionality of the Microsoft Defender ATP plugin, see the Extension Library listing.
Create an application in Azure Active Directory
- Log in to Azure Portal with a user that has the Global Administrator role.
- Click Azure Active Directory > App Registrations > New Registration.
- Name your Application in a way that indicates its purpose and to help you keep track of it, then click Register.
- Now that your application has been created, you must assign correct permissions to enable it to access Microsoft Defender ATP. To do this, click API Permissions > Add a permission.
- Select the APIs my organization uses tab, then type WindowsDefenderATP in the search box, and select WindowsDefenderATP.
Please note that WindowsDefenderATP does not appear in the original list; you need to start typing the name in the text box for it to appear.
- Click Application permissions and select the appropriate permissions to perform your action, then click Add permissions. The example below shows permissions required for the Isolate Machine action.
Please note that all actions require Machine.Read.All, Alert.ReadWrite.All, and Alert.Read.All permissions. To check what permissions are required for other actions, please refer to the permissions section for the actions in the Microsoft Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.
- Grant administrator consent to the permissions selected. Please note, every time you add a permission, you must select Grant consent for the new permission to take effect.
- Now that you’ve configured your application, add an Application Secret to it by clicking Certificates & secrets > New client secret.
- Enter an application secret description that indicates its purpose and click Add.
- Copy the generated secret value. You won't be able to retrieve this value after you leave this screen.
- To get your Application ID and your Directory ID, select Overview and copy the values.
Configure the Microsoft Defender ATP Connection in InsightConnect
Now that you’ve created your application in Azure Active Directory, you can configure the Microsoft Defender ATP connection in InsightConnect to use the plugin.
- In InsightConnect, open the connection configuration for the Microsoft Defender ATP plugin. You can do this when selecting the Microsoft Defender ATP plugin during a workflow building session or by creating the connection independently by choosing Plugins & Tools from the Settings tab on the left menu. On the Plugins & Tools page, select the Connections tab and click Add Connection in the upper-right corner.
Configure the connection for the Microsoft Defender ATP plugin. Give the connection a unique and identifiable name, select where the plugin should run, and choose the Microsoft Windows Defender ATP plugin from the list. If it’s not available, then import the plugin from the Installed Plugins tab.
Configure your Microsoft Defender ATP credentials. In the Secret Key field, create a credential and paste in the Microsoft Defender ATP Application Secret that you copied earlier. In addition, add the Application ID and Directory ID you copied earlier.
The Microsoft Defender ATP plugin is ready to use.
Test in Progress
Save the connection, and the connection test will attempt to authenticate to your Azure Active Directory Microsoft Defender ATP application. A blue circle on the Connection tile indicates that the Connection test is in progress.
If there is no circle, the connection succeeded and you're ready to begin orchestrating your processes with Microsoft Defender ATP.
A red circle indicates that the connection test failed. If this occurs, check your connection details (including the Application Secret, Application ID and Directory ID) before trying again.
The log may contain useful troubleshooting information. First, click View to see a list of your recent connection tests.
Under the Test Status tab, expand the dropdown for the test that encountered an error to view its log.