Microsoft Defender ATP

You can start virus scans, stop execution of malicious code, manage isolation of network resources, get security recommendations in your Microsoft Defender ATP tenant, and trigger workflows on new security alerts with the Microsoft Defender ATP plugin for InsightConnect.

To use the Microsoft Defender ATP plugin, you must create an application in your Azure Active Directory and then configure the connection in InsightConnect. For more information on the functionality of the Microsoft Defender ATP plugin, see the Extension Library listing.

Create an application in Azure Active Directory

  1. Log in to Azure Portal with a user that has the Global Administrator role.
  2. Click Azure Active Directory > App Registrations > New Registration.

Azure Portal New Registration

  1. Name your Application in a way that indicates its purpose and to help you keep track of it, then click Register.

Register an application

  1. Now that your application has been created, you must assign correct permissions to enable it to access Microsoft Defender ATP. To do this, click ​API Permissions ​>​ Add a permission​.

API Permissions

  1. Select the​ APIs my organization uses​ tab, then type WindowsDefenderATP in the search box, and select ​WindowsDefenderATP​.

Please note that WindowsDefenderATP does not appear in the original list; you need to start typing the name in the text box for it to appear.

APIs WindowsDefenderATP

  1. Click ​Application permissions​ and select the appropriate permissions to perform your action, then click ​Add permissions​. The example below shows permissions required for the ​Isolate Machine​ action.

Please note that all actions require ​Machine.Read.All, Alert.ReadWrite.All, and Alert.Read.All​ permissions. To check what permissions are required for other actions, please refer to the permissions section for the actions in the Microsoft Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.

Isolate Machine Example

Permissions

  1. Grant administrator consent to the permissions selected. Please note, every time you add a permission, you must select ​Grant consent​ for the new permission to take effect.

Grant consent for new permission

  1. Now that you’ve configured your application, add an ​Application Secret​ to it by clicking Certificates & secrets​ > ​New client secret​.

New client secret

  1. Enter an application secret description that indicates its purpose and click ​Add​.

Add a client secret

  1. Copy the generated secret value. You won't be able to retrieve this value after you leave this screen.

Copy generated secret value

  1. To get your ​Application ID​ and your ​Directory ID,​ select ​Overview ​and copy the values.

Application ID and Directory ID

Configure the Microsoft Defender ATP Connection in InsightConnect

Now that you’ve created your application in Azure Active Directory, you can configure the Microsoft Defender ATP connection in InsightConnect to use the plugin.

  1. In InsightConnect, open the connection configuration for the Microsoft Defender ATP plugin. You can do this when selecting the Microsoft Defender ATP plugin during a workflow building session or by creating the connection independently by choosing Plugins & Tools​ from the Settings tab on the left menu. On the ​Plugins & Tools​ page, select the ​Connections​ tab and click ​Add Connection​ in the upper-right corner.

Add connection in InsightConnect

  1. Configure the connection for the Microsoft Defender ATP plugin. Give the connection a unique and identifiable name, select the orchestrator the plugin should run on, and choose the Microsoft Windows Defender ATP plugin from the list. If it’s not available, then import the plugin from the ​Installed Plugins​ tab.

  2. Configure your Microsoft Defender ATP credentials. In the ​Secret Key field​, create a credential and paste in the Microsoft Defender ATP Application Secret that you copied earlier. In addition, add the ​Application ID​ and ​Directory ID​ you copied earlier.

Success!

The Microsoft Defender ATP plugin is ready to use.

Microsoft Defender ATP Connection

Test in Progress

Save the connection, and the connection test will attempt to authenticate to your Azure Active Directory Microsoft Defender ATP application. A blue circle on the Connection tile indicates that the Connection test is in progress.

In Progress

Success

If there is no circle, the connection succeeded and you're ready to begin orchestrating your processes with Microsoft Defender ATP.

Success

Failed

A red circle indicates that the connection test failed. If this occurs, check your connection details (including the Application Secret, Application ID and Directory ID) before trying again.

Failed

The log may contain useful troubleshooting information. First, click ​View​ to see a list of your recent connection tests.

View recent connection test

Under the ​Test Status​ tab, expand the dropdown for the test that encountered an error to view its log.

View security team log