
Enable Defender for Endpoint Integration with Microsoft Defender for Cloud

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-030

Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is enabled to allow the Defender for Endpoint security service to access your data in order to help prevent, detect, investigate, and respond to advanced security threats.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To allow Microsoft Defender for Cloud to integrate with other cloud services such as Defender for Endpoint, you must allow those services to access your data. The Defender for Endpoint – Defender for Cloud integration brings comprehensive Endpoint Detection and Response (EDR) capabilities to Microsoft Defender for Cloud. This integration helps to spot abnormalities, detect, and respond to advanced attacks on VM server endpoints monitored by Defender for Cloud. Once the integration is active, Defender for Endpoint's sensors collect a vast array of behavioral signals from your Azure virtual machines. The security service begins to generate alerts when the built-in sensors identify attacker tools, techniques, and procedures.
Audit

To determine if the Microsoft Defender for Endpoint security service is allowed to access your data, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Integrations to access the integration settings of Defender for Cloud with other Microsoft security services.

06 Under Enable integrations, check the Allow Microsoft Defender for Endpoint to access my data setting status. If the Allow Microsoft Defender for Endpoint to access my data setting is disabled (i.e. the setting checkbox is not selected), the Defender for Endpoint integration with Microsoft Defender for Cloud is not enabled in the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the configuration status of the Defender for Endpoint – Defender for Cloud service integration within the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings?api-version=2019-01-01"' | jq '.value[] | select(.name=="WDATP") | .properties.enabled'

02 The command output should return the status of the requested service integration (true for enabled, false for disabled):

false

If the account get-access-token command output returns false, as shown in the example above, the Defender for Endpoint integration with Microsoft Defender for Cloud is not enabled within the current subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable the Microsoft Defender for Endpoint – Microsoft Defender for Cloud integration, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Integrations to access the integration settings of Defender for Cloud with other Microsoft security services.

06 Under Enable integrations, select Allow Microsoft Defender for Endpoint to access my data setting checkbox to enable the Defender for Endpoint – Defender for Cloud integration by allowing the security service to access your data in the selected subscription. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command. Set the "enabled" property to true in order to allow Microsoft Defender for Endpoint to access your data. Save the configuration document to a JSON file named enable-defender-wdatp-integration.json and replace the highlighted details, i.e. <azure-subscription-id>, with your own Azure account subscription ID:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/settings/WDATP",
  "kind": "DataExportSettings",
  "type": "Microsoft.Security/settings",
  "properties": {
    "enabled": true
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. the enable-defender-wdatp-integration.json configuration file) to enable the Microsoft Defender for Endpoint – Microsoft Defender for Cloud integration by allowing the security service to access your data in the selected subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings/WDATP?api-version=2019-01-01" -d @"enable-defender-wdatp-integration.json"'

03 The output should return the account get-access-token command request metadata:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/settings/WDATP",
  "name": "WDATP",
  "type": "Microsoft.Security/settings",
  "kind": "DataExportSettings",
  "properties": {
    "enabled": true
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
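The following script is an added example, not Conformity's own tooling, that packages both CLI procedures on this page: it evaluates the JSON returned by the GET call from the Audit section for several subscriptions at once, and it builds the PUT body used in the Remediation section. One detail worth handling explicitly is that the jq pipeline above prints nothing when no setting named WDATP is present in the list, which is easy to misread as "no finding"; the helper below treats an absent setting as not enabled. The subscription IDs and API responses are constructed sample data; the apply_remediation function assumes you pass it a bearer token obtained from az account get-access-token and is not exercised against a live endpoint here.

```python
"""Audit and remediate the WDATP (Defender for Endpoint) setting of
Microsoft Defender for Cloud via the Microsoft.Security/settings REST API.

Added example; sample responses below are constructed for illustration."""
import json
import urllib.request
from typing import Any, Dict, List, Optional

API_VERSION = "2019-01-01"      # same API version as the page's curl commands
SETTING_NAME = "WDATP"          # setting name used by the Defender for Endpoint integration
ARM_BASE = "https://management.azure.com"


def settings_url(subscription_id: str, setting: Optional[str] = None) -> str:
    """URL of the settings collection (GET) or of one setting (PUT)."""
    url = f"{ARM_BASE}/subscriptions/{subscription_id}/providers/Microsoft.Security/settings"
    if setting:
        url += f"/{setting}"
    return f"{url}?api-version={API_VERSION}"


def wdatp_enabled(settings_response: Dict[str, Any]) -> Optional[bool]:
    """Return True/False from properties.enabled of the WDATP setting,
    or None when the setting is absent from the 'value' list."""
    for item in settings_response.get("value", []):
        if item.get("name") == SETTING_NAME:
            return bool(item.get("properties", {}).get("enabled", False))
    return None


def audit_subscriptions(responses: Dict[str, Dict[str, Any]]) -> List[str]:
    """IDs of subscriptions where the integration is not enabled.
    A missing setting is reported as non-compliant (fail closed)."""
    return [sub for sub, resp in responses.items() if wdatp_enabled(resp) is not True]


def remediation_payload(subscription_id: str) -> Dict[str, Any]:
    """Body equivalent to enable-defender-wdatp-integration.json."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/{SETTING_NAME}",
        "kind": "DataExportSettings",
        "type": "Microsoft.Security/settings",
        "properties": {"enabled": True},
    }


def apply_remediation(subscription_id: str, access_token: str) -> Dict[str, Any]:
    """PUT the enabling payload (assumes a valid ARM bearer token);
    returns the parsed response so the caller can re-check 'enabled'."""
    req = urllib.request.Request(
        settings_url(subscription_id, SETTING_NAME),
        data=json.dumps(remediation_payload(subscription_id)).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _setting(name: str, enabled: bool) -> Dict[str, Any]:
    """Build one entry of a constructed settings list response."""
    return {"name": name, "type": "Microsoft.Security/settings",
            "kind": "DataExportSettings", "properties": {"enabled": enabled}}


# Constructed sample GET responses, keyed by (fake) subscription ID.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "sub-a": {"value": [_setting("MCAS", True), _setting("WDATP", True)]},
    "sub-b": {"value": [_setting("WDATP", False)]},
    "sub-c": {"value": [_setting("MCAS", True)]},   # WDATP setting absent
}

if __name__ == "__main__":
    for sub in audit_subscriptions(SAMPLE_RESPONSES):
        print(f"{sub}: Defender for Endpoint integration not enabled")
        print(json.dumps(remediation_payload(sub), indent=2))
```

Running the script prints sub-b and sub-c as findings together with the PUT body that would fix each; in a real run you would feed audit_subscriptions with one GET response per subscription and call apply_remediation only for the subscriptions it returns.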


Publication date Feb 19, 2022