[Jan 28] MS Defender for Endpoint third-party response integration #6478
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
natasha-moore-elastic
added
Team: EDR Workflows
|
A documentation preview will be available soon. Request a new doc build by commenting
If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here. |
paul-tavares
previously approved these changes
Jan 24, 2025
| - Tenant ID | ||
| -- | ||
|
|
||
| . **Install the Microsoft Defender for Endpoint integration and {agent}.** Elastic's {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration] collects and ingests logs into {elastic-sec}. |
There was a problem hiding this comment.
I'm thinking we should also mention here that a user could also setup the "Microsoft M365 Defender" integration as an alternative (or additional) source for data... We tested this and it seems to work with bi-directional response actions.
I don't think we should have an entire bullet section for it - perhaps just a callout or "note" to indicate we have support for it.
cc/ @raqueltabuyo , @caitlinbetz
jmikell821
reviewed
Jan 24, 2025
|
|
||
| . **Install the Microsoft Defender for Endpoint integration and {agent}.** Elastic's {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration] collects and ingests logs into {elastic-sec}. | ||
| + | ||
| NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional source of data. |
There was a problem hiding this comment.
Suggested change
| NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional source of data. | |
| NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional data source. |
| + | ||
| Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details. | ||
| + | ||
| After the applications are created, you should have the following 3 pieces of information available for each one: |
There was a problem hiding this comment.
I think per our style guide rules, numerals 1-9 should be written out.
Suggested change
| After the applications are created, you should have the following 3 pieces of information available for each one: | |
| After the applications are created, you should have the following three pieces of information available for each one: |
| .. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID**, **Client Secret**, and **Tenant ID**. | ||
| .. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. | ||
| .. Click **Save and continue**. | ||
| .. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}. |
There was a problem hiding this comment.
Suggested change
| .. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}. | |
| .. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}. |
|
|
||
| . **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<rules-ui-create,detection rules>> to generate {elastic-sec} alerts based on Microsoft Defender for Endpoint events and data. | ||
| + | ||
| This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. |
There was a problem hiding this comment.
Suggested change
| This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. | |
| This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates by using the **Take action** menu in the alert details flyout. |
| // NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything | ||
| // in this section, apply the change to the other sections, too. | ||
|
|
||
| . **Create API access information in Microsoft Azure.** You should create two new applications in your Azure domain and grant them the following minimum API permissions: |
There was a problem hiding this comment.
Suggested change
| . **Create API access information in Microsoft Azure.** You should create two new applications in your Azure domain and grant them the following minimum API permissions: | |
| . **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: |
| . **Create API access information in Microsoft Azure.** You should create two new applications in your Azure domain and grant them the following minimum API permissions: | ||
| + | ||
| -- | ||
| - For use with the Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). |
There was a problem hiding this comment.
This edit and the following one reflect the list structure used in step 1 of the "Set up SentinelOne response actions" section.
Suggested change
| - For use with the Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). | |
| - Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). |
| + | ||
| -- | ||
| - For use with the Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). | ||
| - For use with the Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). |
There was a problem hiding this comment.
Suggested change
| - For use with the Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). | |
| - Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). |
| - For use with the Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). | ||
| -- | ||
| + | ||
| Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details. |
There was a problem hiding this comment.
It might be helpful to explain what users will find if they visit these pages. For example, at the end of step 1 in the "Set up SentinelOne response actions" section, there's this line, which tells users what they can expect to find if they visit the referenced page:
Refer to the SentinelOne integration docs or SentinelOne’s docs for details on generating API tokens.
| + | ||
| After the applications are created, you should have the following 3 pieces of information available for each one: | ||
| + | ||
| -- |
There was a problem hiding this comment.
Do the three items in this list need descriptions?
| NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional source of data. | ||
| + | ||
| .. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**. | ||
| .. Configure the integration with an **Integration name** and optional **Description**. |
There was a problem hiding this comment.
This is a bit more direct.
Suggested change
| .. Configure the integration with an **Integration name** and optional **Description**. | |
| .. Enter an **Integration name*. Entering a **Description** is optional. |
mergify bot
pushed a commit
that referenced
this pull request
Jan 28, 2025
…6478) * MS Defender for Endpoint third-party response integration * Address feedback * Address feedback * Address feedback (cherry picked from commit 9148adb) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions-config.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
natasha-moore-elastic
added a commit
that referenced
this pull request
Jan 28, 2025
…ion (backport #6478) (#6488) * [Jan 28] MS Defender for Endpoint third-party response integration (#6478) * MS Defender for Endpoint third-party response integration * Address feedback * Address feedback * Address feedback (cherry picked from commit 9148adb) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions-config.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc * Delete docs/serverless directory and its contents --------- Co-authored-by: natasha-moore-elastic <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #6303.
Previews
ESS:
Serverless: