Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Defender
Environment: Windows
Summary: Setting up the Defender for Endpoint integration is simple and requires only a few actions. This guide covers the setup process and the permissions the Huntress application requires in the tenant.
Enabling the Integration and Adding the First Tenant
Requirements:
An Account-level admin in the Huntress portal
Global Admin access to the tenant where the Huntress integration will be approved
Defender for Endpoint deployed in the tenant being added to the integration - Microsoft setup guide
Permissions:
Application Permissions - Microsoft Graph
| Permission Name | Description |
| --- | --- |
| Organization.Read.All | Read organization information |
| SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events |
| SecurityIncident.ReadWrite.All | Read and write to all security incidents |
| User.Read.All | Read all users' full profiles |
Application Permissions - WindowsDefender ATP
| Permission Name | Description |
| --- | --- |
| AdvancedQuery.Read.All | Run advanced queries |
| Alert.ReadWrite.All | Read and write all alerts |
| Event.Write | Write timeline events |
| File.Read.All | Read file profiles |
| IntegrationConfiguration.ReadWrite.All | Read and write integration settings |
| Ip.Read.All | Read IP address profiles |
| Library.Manage | Manage live response library files |
| Machine.CollectForensics | Collect forensics |
| Machine.Isolate | Isolate machine |
| Machine.ReadWrite.All | Read and write all machine information |
| Machine.RestrictExecution | Restrict code execution |
| Machine.Scan | Scan machine |
| RemediationTasks.Read.All | Read all remediation tasks |
| Score.Read.All | Read threat and vulnerability management score |
| SecurityBaselinesAssessment.Read.All | Read all security baselines assessment information |
| SecurityConfiguration.ReadWrite.All | Read and write all security configurations |
| SecurityRecommendations.Read.All | Read threat and vulnerability management security recommendations |
| Software.Read.All | Read threat and vulnerability management software information |
| Ti.ReadWrite.All | Read and write all IOCs |
| Url.Read.All | Read URL profiles |
| User.Read.All | Read user profiles |
| Vulnerability.Read.All | Read threat and vulnerability information |
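Because the consent in step 8 below grants these application permissions tenant-wide, a defender usually wants to verify afterwards that the service principal holds exactly the documented set and nothing more. The script below is an added example, not Huntress or Microsoft code. It assumes you have already fetched two objects from Microsoft Graph: the resource service principals for Microsoft Graph and WindowsDefenderATP (including their `appRoles`) and the integration service principal's `appRoleAssignments`. Every object id and `appRoleId` in the sample data is constructed; only the two resource application ids are Microsoft's well-known values. The required sets are transcribed from the two tables above.

```python
"""Audit consented application permissions against the documented required set.

Graph returns appRoleAssignments as opaque appRoleId GUIDs; they are resolved to
permission names (e.g. "Machine.Isolate") through the resource service
principal's appRoles, then diffed against what this guide says is required.
"""

# Well-known application ids of the two resource APIs covered by the tables.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
MDE_APP_ID = "fc780465-2017-40d4-a0c5-307022471b92"    # WindowsDefenderATP

# Required application permissions, transcribed from the tables in this guide.
REQUIRED = {
    GRAPH_APP_ID: {
        "Organization.Read.All", "SecurityAlert.ReadWrite.All",
        "SecurityEvents.ReadWrite.All", "SecurityIncident.ReadWrite.All",
        "User.Read.All",
    },
    MDE_APP_ID: {
        "AdvancedQuery.Read.All", "Alert.ReadWrite.All", "Event.Write",
        "File.Read.All", "IntegrationConfiguration.ReadWrite.All", "Ip.Read.All",
        "Library.Manage", "Machine.CollectForensics", "Machine.Isolate",
        "Machine.ReadWrite.All", "Machine.RestrictExecution", "Machine.Scan",
        "RemediationTasks.Read.All", "Score.Read.All",
        "SecurityBaselinesAssessment.Read.All",
        "SecurityConfiguration.ReadWrite.All",
        "SecurityRecommendations.Read.All", "Software.Read.All",
        "Ti.ReadWrite.All", "Url.Read.All", "User.Read.All",
        "Vulnerability.Read.All",
    },
}

# Constructed sample data. The field names follow Graph's servicePrincipal and
# appRoleAssignment objects; the ids and the granted set are made up so the
# audit has something to report (one extra Graph permission, one unresolvable
# role id, and most of the MDE set still missing).
SAMPLE_RESOURCE_SPS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "appId": GRAPH_APP_ID,
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "aaaa0001-0000-0000-0000-000000000000", "value": "Organization.Read.All"},
            {"id": "aaaa0002-0000-0000-0000-000000000000", "value": "SecurityAlert.ReadWrite.All"},
            {"id": "aaaa0003-0000-0000-0000-000000000000", "value": "Directory.ReadWrite.All"},
        ],
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "appId": MDE_APP_ID,
        "displayName": "WindowsDefenderATP",
        "appRoles": [
            {"id": "bbbb0001-0000-0000-0000-000000000000", "value": "Alert.ReadWrite.All"},
            {"id": "bbbb0002-0000-0000-0000-000000000000", "value": "Machine.Isolate"},
        ],
    },
]
INTEGRATION_SP_ID = "33333333-3333-3333-3333-333333333333"  # constructed
SAMPLE_ASSIGNMENTS = [
    {"principalId": INTEGRATION_SP_ID, "resourceId": "11111111-1111-1111-1111-111111111111",
     "appRoleId": "aaaa0001-0000-0000-0000-000000000000"},
    {"principalId": INTEGRATION_SP_ID, "resourceId": "11111111-1111-1111-1111-111111111111",
     "appRoleId": "aaaa0002-0000-0000-0000-000000000000"},
    {"principalId": INTEGRATION_SP_ID, "resourceId": "11111111-1111-1111-1111-111111111111",
     "appRoleId": "aaaa0003-0000-0000-0000-000000000000"},
    {"principalId": INTEGRATION_SP_ID, "resourceId": "22222222-2222-2222-2222-222222222222",
     "appRoleId": "bbbb0001-0000-0000-0000-000000000000"},
    {"principalId": INTEGRATION_SP_ID, "resourceId": "22222222-2222-2222-2222-222222222222",
     "appRoleId": "bbbb0002-0000-0000-0000-000000000000"},
    # A role id the resource SP does not publish: must be surfaced, not dropped.
    {"principalId": INTEGRATION_SP_ID, "resourceId": "22222222-2222-2222-2222-222222222222",
     "appRoleId": "bbbb9999-0000-0000-0000-000000000000"},
]


def granted_permissions(assignments, resource_sps):
    """Resolve appRoleAssignments to {resource appId: {permission value, ...}}."""
    roles = {sp["id"]: {r["id"]: r["value"] for r in sp["appRoles"]} for sp in resource_sps}
    app_id_of = {sp["id"]: sp["appId"] for sp in resource_sps}
    granted = {}
    for a in assignments:
        value = roles.get(a["resourceId"], {}).get(a["appRoleId"])
        if value is None:  # unresolvable: keep it visible as an extra grant
            value = f"<unknown appRoleId {a['appRoleId']}>"
        granted.setdefault(app_id_of.get(a["resourceId"], a["resourceId"]), set()).add(value)
    return granted


def audit(granted, required=REQUIRED):
    """Return {appId: {"missing": set, "extra": set}} for every resource seen."""
    report = {}
    for app_id in required.keys() | granted.keys():
        have, need = granted.get(app_id, set()), required.get(app_id, set())
        report[app_id] = {"missing": need - have, "extra": have - need}
    return report


if __name__ == "__main__":
    for app_id, diff in audit(granted_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCE_SPS)).items():
        print(app_id, "missing:", sorted(diff["missing"]), "extra:", sorted(diff["extra"]))
```

In a real tenant the two inputs come from `GET /servicePrincipals?$filter=appId eq '<appId>'` (for the resource service principals and their `appRoles`) and `GET /servicePrincipals/{id}/appRoleAssignments` for the integration's service principal. Anything reported under "extra" is consent beyond what this guide documents and is worth reviewing; anything under "missing" explains why a sync or response action may fail.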
Enabling the Integration and Adding the First Tenant
1. In the Huntress portal, select the hamburger menu dropdown in the top right
2. Choose the "Integrations" option
3. Choose the +Add option at the top right of the Integrations console
4. Choose "Microsoft Defender for Endpoint" under Cloud Platforms
5. Choose the +Integrate Tenant option on the integration page that follows
6. Select which Huntress organization to map the tenant to.
> Tenants cannot currently be re-assigned to a different Huntress organization, so if the wrong one is selected, remove the tenant integration and add it again. Re-assignment is being worked on for a future release.
> Only one Microsoft Defender for Endpoint tenant can be enabled per organization.
7. Choose the "Sign in with Microsoft" option to be directed to the Microsoft Integration Settings page
8. Sign in to the Microsoft portal for that tenant as a Global Admin and accept (authorize) the Huntress Defender for Endpoint application permissions
9. Once authorization is granted, you will be directed back to the Huntress portal integration. Newly added tenants should begin to appear within an hour (though often much faster). Check the "Last Synced" column to confirm the sync has started. This is refreshed every few minutes.
Settings
By default, Huntress will automatically "Resolve" and comment on Defender for Endpoint alerts. These settings can be managed at either the account or the individual tenant level:
The account settings are accessed on the Defender for Endpoint integrations page:
- In the Huntress portal, select the hamburger menu dropdown in the top right
- Choose the "Integrations" option
- Click the dropdown menu on the right side under the "Microsoft Defender for Endpoint" integration type
- Choose the “Edit Tenant” option
- Click on “Integration Settings”
- Enter your settings selections for the whole Account and choose “Save”
The Tenant level settings are accessed by:
- Choose the dropdown menu icon for your specific tenant under the "Actions" column
- Choose the “Edit Tenant” option
- Enter your tenant level options and choose “Update”