
[Request] MS Defender for Endpoint, third party response integration #6303

Closed
caitlinbetz opened this issue Dec 12, 2024 · 5 comments · Fixed by #6478
Assignees
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security Effort: Medium Issues that take moderate but not substantial time to complete Priority: Medium Issues that have relevance, but aren't urgent Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management v8.18.0

Comments

@caitlinbetz

caitlinbetz commented Dec 12, 2024

Description

We are releasing our bidirectional capability with Microsoft Defender for Endpoint, which will allow users to execute host isolation / release of an MDE agent through Elastic Security.

This is similar to the functionality (and docs) we previously added for SentinelOne and CrowdStrike: https://www.elastic.co/guide/en/security/current/response-actions-config.html

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

N/A

Serverless release

January 27, 2025

Feature differences

Feature will be the same in serverless/ESS

ESS release: 8.18

API docs impact

TBD

Prerequisites, privileges, feature flags

ESS & Serverless, Kibana privileges:

Security solution privilege: Host Isolation (ALL)

Actions and Connectors privilege: EDR Connectors

@nicpenning

👀

@natasha-moore-elastic natasha-moore-elastic self-assigned this Dec 17, 2024
@natasha-moore-elastic natasha-moore-elastic added Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management Priority: Medium Issues that have relevance, but aren't urgent Effort: Medium Issues that take moderate but not substantial time to complete Docset: Serverless Issues for Serverless Security Docset: ESS Issues that apply to docs in the Stack release labels Dec 17, 2024
@natasha-moore-elastic
Contributor

Hi @caitlinbetz @ashokaditya 👋
A few questions about this feature:

  • Are isolate and release the only response actions being added for MS Defender?
  • What's the process for setting up MS Defender response actions? We’ll need to add those instructions as a new section on this page.
  • Is there a test environment we could use to test out (or at least see) these response actions for Defender?

Thanks!

@paul-tavares
Contributor

Hi @natasha-moore-elastic ,

RE:
Are isolate and release the only response actions being added for MS Defender?

➡ Yes, these are the only ones with this release.

Re:
What's the process for setting up MS Defender response actions? We’ll need to add those instructions as a new section on this page.

➡ The process is similar to CrowdStrike and SentinelOne. At a high level:

  1. Generate credentials in MS Defender in order to set up the integration. The privileges needed should be detailed in the integration itself, so you likely don't need to do much here other than point at the integration docs.
  2. Create integration policy(s) and deploy them (similar to others)
  3. Create the Connector and populate the needed info. for access
    1. See this issue on the ResponseOps side to add documentation for Microsoft Defender
    2. The credentials used here for the connector must have privileges to Machine.Isolate and Machine.Read.All at the very least
  4. Create a SIEM rule to promote events to alerts - perhaps @raqueltabuyo may be able to provide some high-level info here on how to set up the rule, since she has been doing a lot of testing with it. For example, a rule could be set up like this:
    1. Index patterns: logs-microsoft_defender_endpoint.log-default* logs-m365_defender.alert-default* logs-m365_defender.incident-default* logs-m365_defender.log-default*
    2. Custom query: cloud.instance.id:*

Screen capture of the integration setup below to give you a quick view on its setup:

[Image: screen capture of the integration setup]

Re:
Is there a test environment we could use to test out (or at least see) these response actions for Defender?

No, but you can create a 9.0 env. in cloud using the latest snapshot. Click below to see some instructions. QASource has started testing this feature and in an issue they opened today, they list an env. you can access - maybe use that? See details here.

But - if you would like to have your own - once you have the stack env. created, I could just run a script against to set it all up. Just send me the env. URL and login credentials and I'll do that for you.

Instructions:

Enable feature flags:

  • Stack Connectors: microsoftDefenderEndpointOn
  • Security Solution: responseActionsMSDefenderEndpointEnabled

Connector Setup

Integration Setup

  • An "agentless" integration needs to be set up in Fleet for Microsoft Defender for Endpoint. Use the same credentials as the connector (above).

Set up a SIEM rule

A SIEM rule needs to be set up to promote events ingested from Microsoft Defender for Endpoint to SIEM alerts. Use the following information when creating that rule:

  • Index patterns: logs-microsoft_defender_endpoint.log-default*
  • Custom query: cloud.instance.id:*

Onboard a new host in Microsoft Defender

You will likely need to log in to the MS Defender for Endpoint management system to complete the host onboarding process. The following login credentials can be used:

@raqueltabuyo

@paul-tavares @natasha-moore-elastic yes, those index patterns look good to me, the only thing I would add is: logs-m365_defender.event-*. For the custom query, I think Paul is right as there were some issues with the hostID vs cloudID so better to add what he said.
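
An added example (not code from this issue, from Elastic, or from the integration) that puts the rule details discussed above into a form a docs writer or reviewer can check offline: it builds the promotion rule body in the shape the Kibana Detection Engine API accepts (`POST /api/detection_engine/rules`, with the documented `type`, `language`, `query`, `index` fields) using the index patterns from both comments and the `cloud.instance.id:*` custom query, and it evaluates that KQL existence query against a few constructed MDE-style events to show which would be promoted to alerts and which would not. The event documents, index names, `rule_id`, severity and schedule values are constructed or assumed; whether the integration populates `cloud.instance.id` for a given event is an assumption this preview does not verify.

```python
"""Offline preview of the MDE-to-alert promotion rule described in the thread.

Added example, not the project's own code. The sample events and index names
are constructed; the rule field names follow the documented Detection Engine
API, the values chosen for them are example choices."""
import fnmatch
import json

# Index patterns named in the thread: Paul's four plus raqueltabuyo's addition.
INDEX_PATTERNS = [
    "logs-microsoft_defender_endpoint.log-default*",
    "logs-m365_defender.alert-default*",
    "logs-m365_defender.incident-default*",
    "logs-m365_defender.log-default*",
    "logs-m365_defender.event-*",
]
CUSTOM_QUERY = "cloud.instance.id:*"   # KQL existence query from the thread


def build_rule(name="Promote MDE events to alerts", rule_id="mde-promote-example"):
    """Return a detection rule body for POST /api/detection_engine/rules.

    rule_id, risk_score, severity and schedule are assumed example values."""
    return {
        "rule_id": rule_id,
        "name": name,
        "description": ("Promote Microsoft Defender for Endpoint events to "
                        "alerts so isolate/release response actions can target "
                        "the host."),
        "type": "query",
        "language": "kuery",
        "query": CUSTOM_QUERY,
        "index": INDEX_PATTERNS,
        "risk_score": 21,
        "severity": "low",
        "enabled": True,
        "from": "now-6m",
        "interval": "5m",
    }


def get_field(doc, dotted):
    """Resolve a dotted path against a flattened key or nested dicts."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_exists(doc, dotted):
    """Approximate KQL `field:*`: the path is present and holds an indexed
    value. A missing path, null, or an empty array does not count."""
    val = get_field(doc, dotted)
    if val is None:
        return False
    if isinstance(val, list) and len(val) == 0:
        return False
    return True


def index_covered(index_name, patterns=INDEX_PATTERNS):
    """True if the index name matches any of the rule's index patterns."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)


def preview(events, patterns=INDEX_PATTERNS, query_field="cloud.instance.id"):
    """Return the ids of events the rule would promote to alerts."""
    return [ev["_id"] for ev in events
            if index_covered(ev["_index"], patterns)
            and field_exists(ev["_source"], query_field)]


# Constructed sample events (not real MDE data).
SAMPLE_EVENTS = [
    {"_id": "ev-1", "_index": "logs-microsoft_defender_endpoint.log-default",
     "_source": {"cloud": {"instance": {"id": "constructed-machine-id-1"}},
                 "host": {"name": "ws-01"}}},
    {"_id": "ev-2", "_index": "logs-m365_defender.event-default",
     "_source": {"cloud.instance.id": "constructed-machine-id-2"}},
    # Covered index, but no cloud.instance.id: the rule must not promote it.
    {"_id": "ev-3", "_index": "logs-m365_defender.alert-default",
     "_source": {"host": {"id": "constructed-host-id-3"}}},
    # Has the field, but the index is outside the rule's patterns.
    {"_id": "ev-4", "_index": "logs-endpoint.events.process-default",
     "_source": {"cloud": {"instance": {"id": "constructed-machine-id-4"}}}},
]

if __name__ == "__main__":
    print(json.dumps(build_rule(), indent=2))
    print("would promote:", preview(SAMPLE_EVENTS))
```

Running it prints the rule body and `would promote: ['ev-1', 'ev-2']`: the event in a covered index without `cloud.instance.id` and the event in an uncovered index are both left alone, which is the behaviour the custom query and index list are meant to produce.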

@natasha-moore-elastic
Contributor
