Microsoft Defender
To attach a Microsoft Defender account to Detect, you will need:
- The Prelude CLI
- An Azure user with Global Administrator role
In Azure
Create an app
Follow the official Microsoft Defender documentation to create a new app. While you walk through the guide:
- Please take note of your app's TENANT ID (step 7), APP ID (step 7), and APP SECRET (step 6)
- You do not need to create a multi-tenant app (step 8)
- This integration requires the following Application Permissions on the app registration:
  - User.Read
  - Machine.Read.All
  - ThreatHunting.Read.All
  - CustomDetection.ReadWrite.All
  - DeviceManagementConfiguration.Read.All
Note: after adding the permissions above, click "Grant admin consent for <your tenant>" on the app's API permissions page. Application permissions are not effective until an administrator consents, so without this step the app is registered but its API calls will be refused.
In Prelude
Attach the partner via UI
- Navigate to your user name in upper right hand corner and select "Integrations"
- Select "Connect to Windows Defender"
- Fill out Base URL, Tenant ID, App ID and App Secret, then connect
Attach the partner via CLI
Run the following command to attach the partner
prelude partner attach defender --user <TENANT_ID> --secret <APP_ID>/<APP_SECRET> --api <HOST>
--user takes the Tenant ID; --secret takes the App ID and App Secret joined with a slash.
--api is a required field and should be set to https://api.securitycenter.microsoft.com. It can optionally point at one of Microsoft's regional endpoints instead, for example https://api-<REGION>.securitycenter.microsoft.com.
Your account credentials are stored, encrypted at rest, behind the Prelude Service API.
After attachment, the Prelude Service sends your Defender account a new IOC each time a probe reports a test in the UNPROTECTED state. Once that IOC is in place, Defender should start catching the test.
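Before attaching, it is worth proving that the app registration from the Azure steps actually works with the same credentials and host you are about to hand to the CLI. The script below is an added example, not Prelude's own code: it assumes the standard Microsoft Entra ID client-credentials token endpoint and the Defender for Endpoint REST API, and all function names (validate_api_host, split_secret, jwt_roles, check_attachment) are hypothetical. It validates the --api host against the page's endpoint pattern, splits the --secret value into App ID and App Secret, obtains a token, reads the token's roles claim to confirm that admin consent made Machine.Read.All effective, and then lists one machine. It checks only Machine.Read.All because that is the permission on the Defender for Endpoint resource; the other permissions in the list are Microsoft Graph permissions and would appear in a token requested for https://graph.microsoft.com/.default, not in this one.

```python
"""Pre-flight check for the Defender partner attachment.

Added example, not Prelude's own code. It assumes the standard Microsoft Entra ID
client-credentials token endpoint and the Defender for Endpoint REST API; every
function name here is hypothetical.
"""
import base64
import json
import re
import sys
import urllib.parse
import urllib.request
import uuid

# Canonical API host from the page; regional hosts follow api-<REGION>.securitycenter.microsoft.com.
DEFAULT_API = "https://api.securitycenter.microsoft.com"
API_HOST_RE = re.compile(r"^https://api(-[a-z0-9]+)?\.securitycenter\.microsoft\.com$")
# Application permission that the /api/machines call below relies on.
REQUIRED_ROLES = frozenset({"Machine.Read.All"})


def validate_api_host(api: str) -> str:
    """Return the --api value without a trailing slash, or raise if it is not a Defender API host."""
    api = api.strip().rstrip("/")
    if not API_HOST_RE.match(api):
        raise ValueError(f"--api must be {DEFAULT_API} or a regional variant, got {api!r}")
    return api


def split_secret(secret_arg: str) -> tuple:
    """Split the --secret value '<APP_ID>/<APP_SECRET>'; the App ID must be a GUID."""
    app_id, sep, app_secret = secret_arg.partition("/")
    if not sep or not app_secret:
        raise ValueError("--secret must be formatted as <APP_ID>/<APP_SECRET>")
    uuid.UUID(app_id)  # raises ValueError if APP_ID is not a GUID
    return app_id, app_secret


def jwt_roles(token: str) -> set:
    """Read the 'roles' claim from an access token payload.

    The signature is NOT verified: this only inspects a token we just received from
    the identity provider. Never use this to trust a token presented by a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Application permissions that admin consent has not made effective for this app."""
    return set(required) - jwt_roles(token)


def fetch_token(tenant_id: str, app_id: str, app_secret: str) -> str:
    """Client-credentials grant against the Entra ID v2.0 endpoint.

    The scope names the canonical resource even when API calls go to a regional host.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
        "scope": f"{DEFAULT_API}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def check_attachment(tenant_id: str, secret_arg: str, api: str = DEFAULT_API) -> int:
    """Run the steps the integration will run: get a token, verify consent, list one machine."""
    api = validate_api_host(api)
    app_id, app_secret = split_secret(secret_arg)
    token = fetch_token(tenant_id, app_id, app_secret)
    missing = missing_roles(token)
    if missing:
        raise PermissionError(f"admin consent not granted for: {sorted(missing)}")
    req = urllib.request.Request(f"{api}/api/machines?$top=1",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned token for the offline demonstration only."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps(payload).encode()), ""])


# Constructed sample: the payload shape of a consented app's token (no real credentials).
SAMPLE_TOKEN = _unsigned_jwt({"aud": DEFAULT_API, "roles": ["Machine.Read.All"]})

if __name__ == "__main__":
    if len(sys.argv) == 4:  # python defender_check.py <TENANT_ID> <APP_ID>/<APP_SECRET> <HOST>
        print("HTTP", check_attachment(*sys.argv[1:]))
    else:                   # offline demo on the constructed token
        print("missing roles:", missing_roles(SAMPLE_TOKEN, {"Machine.Read.All", "Alert.Read.All"}))
```

Run it with the same three values you would give `prelude partner attach defender`; a PermissionError naming Machine.Read.All means the permissions were added but admin consent was not granted, and an HTTP 200 from /api/machines means the credentials and host are good to attach.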
Detach the partner via UI
- Navigate to your user name in upper right hand corner and select "Integrations"
- Select "Disconnect Windows Defender"
Detach the partner via CLI
To detach the partner from your account, run: