
Enabling Microsoft Defender for Endpoint

Overview

This functionality requires permissions: the user enabling Microsoft Defender for Endpoint in VIP must be an Organization Admin.

Microsoft Defender ATP, now named Microsoft Defender for Endpoint (MDE), is an endpoint solution used by large enterprises to defend their endpoints and scan them for vulnerabilities. MDE has many modules, including threat intel, EDR, email inbox monitoring, and vulnerability scanning. Follow this procedure to sync the CVE intelligence found in MDE (specifically, vulnerability exploit status) into VIP in an automated way.

Set up Azure AD App

Microsoft requires an app registration in order to set up the Feed in VIP. To set up the app, do the following:

Step 1: Register app

  1. Log on to Azure through a user account that has the "Global Administrator" role.
  2. Go to Azure Active Directory > App registrations > + New registration.
  3. Enter a descriptive name for this app, such as "Nucleus VRM".
    • Leave the rest as defaults
  4. Click Register to complete the registration.

Step 2: Allow API permissions to Defender endpoints

  1. On the new page shown after you register the Azure app, go to API Permissions.
  2. Click + Add a permission.
  3. Click on the tab APIs my organization uses.
  4. In the search bar below, type in "Windows" and look for the item "WindowsDefenderATP" in the list below.
  5. Click on "WindowsDefenderATP".
  6. Click "Application permissions".
  7. In the list, select the following permission:
       Microsoft Permission: Vulnerability.Read.All
       Use: Used by VIP to pull down the vulnerability information from Microsoft Defender.
  8. Click Add permissions.

Step 3: Grant Admin consent for app

You now need to go to a different section in Microsoft to grant admin permission for this registered application.

  1. After granting the above permissions, your API permissions page will show the new permission.
  2. Click on the hyperlink Enterprise applications on that page.
  3. Click Grant admin consent for Nucleus. This will enable the permissions you set up in Step 2.

Step 4: Configure client secret and gather authentication information

  1. Still in Microsoft, go to Azure portal > Azure Active Directory > App registrations > Nucleus (or the name of the application you registered in step 1 of the Microsoft setup).
  2. Copy the following information from the "Overview" page:
  • Application (client) ID
  • Directory (tenant) ID
  3. Go to the "Certificates & secrets" page.
  4. Click "New client secret".
  5. Add a description for the client secret that you will remember, such as "Secret for Nucleus to authenticate to Microsoft Defender ATP".
  6. Set the expiration date. Note that you will need to renew this client secret before it expires: the Nucleus connector will stop working once the secret expires.
  7. Click "Add".
  8. Copy the Client Secret "Value".

All done! You have completed the configuration on the Microsoft side. Now you'll move to the Nucleus configuration.
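Before handing the Client ID, Tenant ID and Client Secret to VIP, a quick way to confirm that the registration, the admin consent and the secret are all in order is to request a token yourself and inspect its roles claim. The script below is an added example, not Nucleus or Microsoft code; it assumes Microsoft's public login.microsoftonline.com token endpoint and the api.securitycenter.microsoft.com Defender for Endpoint API, and the TENANT_ID, CLIENT_ID and CLIENT_SECRET values are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders: fill in the values copied from the app's Overview page (Step 4).
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
MDE_VULNS = "https://api.securitycenter.microsoft.com/api/vulnerabilities?$top=5"
REQUIRED_ROLES = {"Vulnerability.Read.All"}  # the only permission VIP needs

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature: fine for inspecting a
    token we just received over TLS from the issuer, never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Application permissions appear in 'roles' only after admin consent
    (Step 3); an absent or empty claim means consent was never granted."""
    return set(required) - set(claims.get("roles", []))

def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant: no user involved, just the app ID and secret."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": MDE_SCOPE}).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), body) as r:
        return json.load(r)["access_token"]

def get_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

if __name__ == "__main__":
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    lacking = missing_roles(jwt_claims(token))
    if lacking:  # most common failure: "Grant admin consent" (Step 3) was skipped
        raise SystemExit(f"token lacks roles {sorted(lacking)}; check Step 3")
    print(len(get_json(MDE_VULNS, token)["value"]), "vulnerabilities returned")
```

If the roles check passes but the vulnerabilities call returns 401 or 403, the consent was granted to a different app registration than the one whose ID and secret you copied.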

Microsoft Documentation

For more information and screenshots on this process, use this Microsoft Guide: Microsoft Defender App Registration

Enable Defender in VIP

Head over to the Store page and click the Enable button in the Microsoft Defender card. Once you enter the Client ID, Client Secret and Tenant ID discussed in the steps above, you can press Enable.

That's it! Defender data for CVEs is now available for viewing and searching in VIP. Woohoo!