Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Defender
Environment: Windows
Summary: Setting up the Managed Defender integration with Microsoft Defender for Endpoint requires only a few actions. This guide covers the setup steps and the permissions the Huntress application requests in your Microsoft tenant.
*As of 7/13/2024: this integration is in Beta. If you would like to try it, please reach out to your Huntress account manager.
Enabling the Integration and Adding the First Tenant
Requirements:
An Account-level admin in the Huntress portal
Global Admin access to the tenant where the Huntress integration will be approved
Defender for Endpoint deployed in the tenant being added to the integration (see the Microsoft setup guide)
Permissions:
Application Permissions - Microsoft Graph
| Permission Name | Description |
| --- | --- |
| Organization.Read.All | Read organization information |
| SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events |
| SecurityIncident.ReadWrite.All | Read and write to all security incidents |
| User.Read.All | Read all users' full profiles |
Application Permissions - WindowsDefenderATP
| Permission Name | Description |
| --- | --- |
| AdvancedQuery.Read.All | Run advanced queries |
| Alert.ReadWrite.All | Read and write all alerts |
| Event.Write | Write timeline events |
| File.Read.All | Read file profiles |
| IntegrationConfiguration.ReadWrite.All | Read and write integration settings |
| Ip.Read.All | Read IP address profiles |
| Library.Manage | Manage live response library files |
| Machine.CollectForensics | Collect forensics (investigation package) |
| Machine.Isolate | Isolate machine |
| Machine.ReadWrite.All | Read and write all machine information |
| Machine.RestrictExecution | Restrict code execution |
| Machine.Scan | Run an antivirus scan on a machine |
| RemediationTasks.Read.All | Read all remediation tasks |
| Score.Read.All | Read threat and vulnerability management score |
| SecurityBaselinesAssessment.Read.All | Read all security baselines assessment information |
| SecurityConfiguration.ReadWrite.All | Read and write all security configurations |
| SecurityRecommendations.Read.All | Read threat and vulnerability management security recommendations |
| Software.Read.All | Read threat and vulnerability management software information |
| Ti.ReadWrite.All | Read and write all indicators of compromise (IOCs) |
| Url.Read.All | Read URL profiles |
| User.Read.All | Read user profiles |
| Vulnerability.Read.All | Read threat and vulnerability information |
Steps:
1. In the Huntress portal, select the hamburger menu dropdown in the top right
2. Choose the "Integrations" option
3. Choose the +Add option at the top right of the Integrations console
4. Choose "Microsoft Defender for Endpoint" under Cloud Platforms
5. Choose the +Integrate Tenant option on the integration page that follows
6. Select which Huntress organization to map the tenant to.
> Tenants cannot currently be re-assigned to a different organization. If the wrong organization is selected, remove the tenant integration. Re-assignment is planned for a future release.
> Only one Microsoft Defender for Endpoint tenant can be integrated per Huntress organization.
7. Choose the "Sign in with Microsoft" option to be directed to the Microsoft Integration Settings page
8. Sign in as a Global Admin to the Microsoft tenant and Accept (grant admin consent to) the Huntress Defender for Endpoint application permissions listed above
9. Once authorization is granted, you are redirected to the integration page in the Huntress portal. Newly added tenants should appear within an hour (often much sooner). Check the "Last Synced" column, which refreshes every few minutes, to confirm the sync has started.
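After step 8 the Huntress application holds a fairly broad set of application permissions (machine isolation, forensics collection, IOC writes), so it is worth confirming exactly what was consented to. The following is an added example, not Huntress code or part of this article: it uses the Microsoft Graph PowerShell SDK to enumerate the app-role assignments granted to the Huntress service principal and diffs them against the two permission tables above, reporting anything missing (consent did not complete) or extra (more than the article lists). The enterprise application's display name (`Huntress Defender for Endpoint`) is an assumption taken from step 8; check Entra ID > Enterprise applications if it differs in your tenant.

```powershell
# Added example (not Huntress's code): verify the application permissions
# actually granted to the Huntress service principal after admin consent.
# Requires the Microsoft.Graph PowerShell SDK (v2.x) and a signed-in user who
# can read service principals (Application.Read.All is enough; read-only).
# ASSUMPTION: the enterprise app's display name as shown on the consent prompt.
$HuntressAppName = 'Huntress Defender for Endpoint'

# Expected application permissions, keyed by the resource API's display name,
# exactly as listed in the two tables in this article.
$Expected = @{
    'Microsoft Graph' = @(
        'Organization.Read.All', 'SecurityAlert.ReadWrite.All',
        'SecurityEvents.ReadWrite.All', 'SecurityIncident.ReadWrite.All',
        'User.Read.All'
    )
    'WindowsDefenderATP' = @(
        'AdvancedQuery.Read.All', 'Alert.ReadWrite.All', 'Event.Write',
        'File.Read.All', 'IntegrationConfiguration.ReadWrite.All', 'Ip.Read.All',
        'Library.Manage', 'Machine.CollectForensics', 'Machine.Isolate',
        'Machine.ReadWrite.All', 'Machine.RestrictExecution', 'Machine.Scan',
        'RemediationTasks.Read.All', 'Score.Read.All',
        'SecurityBaselinesAssessment.Read.All', 'SecurityConfiguration.ReadWrite.All',
        'SecurityRecommendations.Read.All', 'Software.Read.All', 'Ti.ReadWrite.All',
        'Url.Read.All', 'User.Read.All', 'Vulnerability.Read.All'
    )
}

function Get-GrantedAppPermissions {
    # Returns one object per granted app role: Resource (API name) and Permission (value).
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sp.Count -eq 0) { throw "Service principal '$AppDisplayName' not found; consent may not have completed." }
    if ($sp.Count -gt 1) { throw "More than one service principal named '$AppDisplayName'; select by AppId instead." }

    # Each assignment points at a role GUID on the resource API's own service
    # principal; resolve that GUID to its value (e.g. Machine.Isolate).
    $resourceCache = @{}
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp[0].Id -All | ForEach-Object {
        $roleId = $_.AppRoleId
        if (-not $resourceCache.ContainsKey($_.ResourceId)) {
            $resourceCache[$_.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        }
        $resource = $resourceCache[$_.ResourceId]
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
        [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
    }
}

function Compare-GrantedPermissions {
    # Diffs granted permissions against the expected table; both sides are
    # compared as "Resource/Permission" because User.Read.All exists on both APIs.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Granted
    )
    $want = @(foreach ($r in $Expected.Keys) { foreach ($p in $Expected[$r]) { "$r/$p" } })
    $have = @($Granted | ForEach-Object { "$($_.Resource)/$($_.Permission)" })
    [pscustomobject]@{
        Missing = @($want | Where-Object { $_ -notin $have })   # consent incomplete or revoked
        Extra   = @($have | Where-Object { $_ -notin $want })   # broader than documented; review
    }
}

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$granted = @(Get-GrantedAppPermissions -AppDisplayName $HuntressAppName)
$result  = Compare-GrantedPermissions -Expected $Expected -Granted $granted
"Granted: $($granted.Count)  Missing: $($result.Missing.Count)  Extra: $($result.Extra.Count)"
$result.Missing | ForEach-Object { "MISSING  $_" }
$result.Extra   | ForEach-Object { "EXTRA    $_" }
```

Run this from the tenant that was consented in step 8. An empty Missing list confirms the consent matches the article; anything under Extra should be reviewed with your Huntress account manager before the tenant is left in the integration, since these are application (not delegated) permissions and act without a signed-in user.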