Skip to main content

lacework-global-614

Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud (Manual)

Profile Applicability

• Level 2

Description

This integration setting enables Microsoft Defender for Endpoint (formerly Advanced Threat Protection (ATP) or Windows Defender Advanced Thread Protection (WDATP) - see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: You must take into account that enabling integration between DfE & DfC may have undesirable side effects.

  1. For server 2019 & higher with defender installed (default for these server SKUs) this triggers a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
  2. If you require the new unified agent for server SKUs of Win 2016 or Linux and lower there is additional integration that you must enable and you must align agents.

Rationale

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.

MDE works only with Standard Tier subscriptions.

Impact

Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Select Environment Settings blade
  4. Click on the subscription name
  5. Select the Integrations blade
  6. Ensure setting Allow Microsoft Defender for Endpoint to access my data is selected.

From Azure CLI

Ensure the output of the below command is True

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name=="WDATP")'|jq '.properties.enabled'

From Azure PowerShell

Run the following commands to login and audit this check

Connect-AzAccount 
Set-AzContext -Subscription <subscriptionID>
Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq "WDATP"}

PowerShell Output - Non-Compliant

Name Enabled
---- -------
WDATP False

PowerShell Output - Compliant

Name Enabled
---- -------
WDATP True

Remediation

From Azure Console

  1. From Azure Home select the Portal Menu.
  2. Go to Microsoft Defender for Cloud.
  3. Select Environment Settings blade.
  4. Select the subscription.
  5. Click Settings & monitoring.
  6. Under Endpoint protection, set the Status to On.
  7. Click Continue.
  8. Click Save.

From Azure CLI

Use the below command to enable Standard pricing tier for Storage Accounts:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/settings/WDATP?api-version=2021-06-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below:

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/WDATP",
"kind": "DataExportSettings",
"type": "Microsoft.Security/settings",
"properties": {
"enabled": true
}
}

References

https://docs.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-2-use-modern-anti-malware-software

Additional Information

IMPORTANT: You must take into account that enabling integration between DfE & DfC may have undesirable side effects.

  1. For server 2019 & higher with defender installed (default for these server SKUs) this triggers a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
  2. If you require the new unified agent for server SKUs of Win 2016 or Linux and lower there is additional integration that you must enable and you must align agents.

NOTE: "Microsoft Defender for Endpoint (MDE)" was formerly known as "Windows Defender Advanced Threat Protection (WDATP)." There are a number of places (for example, Azure CLI) where the "WDATP" acronym is still used within Azure.