[Jan 28] MS Defender for Endpoint third-party response integration #6478
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,6 +35,21 @@ These response actions are supported for CrowdStrike-enrolled hosts: | |
| + | ||
| Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details. | ||
|
|
||
| [discrete] | ||
| [[defender-response-actions]] | ||
| == Microsoft Defender for Endpoint response actions | ||
|
|
||
| These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts: | ||
|
|
||
| * **Isolate and release a host** using any of these methods: | ||
| + | ||
| -- | ||
| ** From a detection alert | ||
| ** From the response console | ||
| -- | ||
| + | ||
| Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details. | ||
|
|
||
| [discrete] | ||
| [[sentinelone-response-actions]] | ||
| == SentinelOne response actions | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,6 +10,7 @@ preview::[] | |
| You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: | ||
|
|
||
| * CrowdStrike | ||
| * Microsoft Defender for Endpoint | ||
| * SentinelOne | ||
|
|
||
| Check out <<security-third-party-actions>> to learn which response actions are supported for each system. | ||
|
|
@@ -30,6 +31,9 @@ Select a tab below for your endpoint security system: | |
| <button role="tab" aria-selected="true" aria-controls="endpoint-response-actions-response-actions-config-crowdstrike-panel" id="endpoint-response-actions-response-actions-config-crowdstrike-button"> | ||
| CrowdStrike | ||
| </button> | ||
| <button role="tab" aria-selected="false" aria-controls="endpoint-response-actions-response-actions-config-defender-panel" id="endpoint-response-actions-response-actions-config-defender-button" tabindex="-1"> | ||
| Microsoft Defender for Endpoint | ||
| </button> | ||
| <button role="tab" aria-selected="false" aria-controls="endpoint-response-actions-response-actions-config-sentinelone-panel" id="endpoint-response-actions-response-actions-config-sentinelone-button" tabindex="-1"> | ||
| SentinelOne | ||
| </button> | ||
|
|
@@ -86,6 +90,67 @@ Do not create more than one CrowdStrike connector. | |
| + | ||
| This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. | ||
|
|
||
| ++++ | ||
| </div> | ||
| <div tabindex="0" role="tabpanel" id="endpoint-response-actions-response-actions-config-defender-panel" aria-labelledby="endpoint-response-actions-response-actions-config-defender-button" hidden=""> | ||
| ++++ | ||
| //// | ||
| /* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything | ||
| in this tab, apply the change to the other tabs, too. */ | ||
| //// | ||
|
|
||
| To configure response actions for Microsoft Defender for Endpoint–enrolled hosts: | ||
|
|
||
| . **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: | ||
| + | ||
| -- | ||
| - Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). | ||
| - Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). | ||
| -- | ||
| + | ||
| Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details on creating a new Azure application. | ||
| + | ||
| After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you'll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint. | ||
|
|
||
| . **Install the Microsoft Defender for Endpoint integration and {agent}.** Elastic's {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration] collects and ingests logs into {elastic-sec}. | ||
| + | ||
| NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional data source. | ||
| + | ||
| .. Find **Integrations** in the navigation menu or use the global search field, search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**. | ||
| .. Enter an **Integration name**. Entering a **Description** is optional. | ||
| .. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID**, **Client Secret**, and **Tenant ID**. | ||
| .. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. | ||
| .. Click **Save and continue**. | ||
| .. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}. | ||
|
|
||
| . **Create a Microsoft Defender for Endpoint connector.** Elastic's Microsoft Defender for Endpoint connector enables {elastic-sec} to perform actions on Microsoft Defender–enrolled hosts. | ||
| + | ||
| IMPORTANT: Do not create more than one Microsoft Defender for Endpoint connector. | ||
| + | ||
| .. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. | ||
| .. Select the Microsoft Defender for Endpoint connector. | ||
| .. Enter the configuration information: | ||
| - **Connector name**: A name to identify the connector. | ||
| - **Application client ID**: The client ID created in step 1. | ||
| - **Tenant ID**: The tenant ID created in step 1. | ||
| - **Client secret value**: The client secret created in step 1. | ||
| .. (Optional) If necessary, adjust the default values populated for the other configuration parameters. | ||
| .. Click **Save**. | ||
|
|
||
| . **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<security-rules-create,detection rules>> to generate {elastic-sec} alerts based on Microsoft Defender for Endpoint events and data. | ||
| + | ||
| This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. | ||
| + | ||
| When creating a rule, you can target any event containing a Microsoft Defender machine ID field. Use one or more of these index patterns: | ||
| + | ||
| -- | ||
| - `logs-microsoft_defender_endpoint.log-*` | ||
| - `logs-m365_defender.alert-*` | ||
| - `logs-m365_defender.incident-*` | ||
| - `logs-m365_defender.log-*` | ||
| - `logs-m365_defender.event-*` | ||
| -- | ||
|
|
||
| ++++ | ||
| </div> | ||
| <div tabindex="0" role="tabpanel" id="endpoint-response-actions-response-actions-config-sentinelone-panel" aria-labelledby="endpoint-response-actions-response-actions-config-sentinelone-button" hidden=""> | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,6 +29,9 @@ The following third-party response actions are supported for CrowdStrike and Sen | |
| <button role="tab" aria-selected="true" aria-controls="endpoint-response-actions-third-party-actions-crowdstrike-panel" id="endpoint-response-actions-third-party-actions-crowdstrike-button"> | ||
| CrowdStrike | ||
| </button> | ||
| <button role="tab" aria-selected="false" aria-controls="endpoint-response-actions-third-party-actions-defender-panel" id="endpoint-response-actions-third-party-actions-defender-button" tabindex="-1"> | ||
| Microsoft Defender for Endpoint | ||
| </button> | ||
| <button role="tab" aria-selected="false" aria-controls="endpoint-response-actions-third-party-actions-sentinelone-panel" id="endpoint-response-actions-third-party-actions-sentinelone-button" tabindex="-1"> | ||
| SentinelOne | ||
| </button> | ||
|
|
@@ -44,6 +47,18 @@ These response actions are supported for CrowdStrike-enrolled hosts: | |
| + | ||
| Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details. | ||
|
|
||
| ++++ | ||
| </div> | ||
| <div tabindex="0" role="tabpanel" id="endpoint-response-actions-third-party-actions-defender-panel" aria-labelledby="endpoint-response-actions-third-party-actions-defender-button" hidden=""> | ||
| ++++ | ||
| These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts: | ||
|
|
||
| * **Isolate and release a host** using any of these methods: | ||
| + | ||
| ** From a detection alert | ||
| ** From the response console | ||
| + | ||
| Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details. | ||
| ++++ | ||
| </div> | ||
| <div tabindex="0" role="tabpanel" id="endpoint-response-actions-third-party-actions-sentinelone-panel" aria-labelledby="endpoint-response-actions-third-party-actions-sentinelone-button" hidden=""> | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking we should also mention here that a user could also setup the "Microsoft M365 Defender" integration as an alternative (or additional) source for data... We tested this and it seems to work with bi-directional response actions.
I don't think we should have an entire bullet section for it - perhaps just a callout or "note" to indicate we have support for it.
cc/ @raqueltabuyo , @caitlinbetz