Enable Microsoft Defender for Endpoint Integration with Security Center

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-030

Ensure that Microsoft Defender for Endpoint integration with Azure Security Center is enabled to allow the Defender for Endpoint service to access your data in order to help prevent, detect, investigate, and respond to advanced security threats.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To enable Azure Security Center (ASC) to integrate with other Azure security services such as Microsoft Defender for Endpoint, you must allow those services to access your data. The Microsoft Defender for Endpoint – Security Center integration brings comprehensive Endpoint Detection and Response (EDR) capabilities to Security Center. This integration helps to spot abnormalities and to detect and respond to advanced attacks on VM server endpoints monitored by Azure Security Center. Once the integration is active, Microsoft Defender for Endpoint's sensors collect a vast array of behavioral signals from your Azure virtual machines. When the security service identifies attacker tools, techniques, and procedures, it generates alerts, which are highlighted in the Security Center portal.


Audit

To determine if the Microsoft Defender for Endpoint service is allowed to access your data, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to examine, to access the Azure Security Center pricing and settings.

05 In the left navigation panel, under Settings, choose Integrations to access the integration settings available for Azure Security Center with other Microsoft services.

06 Under Enable integrations, check the Allow Microsoft Defender for Endpoint to access my data setting status. If the Allow Microsoft Defender for Endpoint to access my data setting is disabled (i.e. the checkbox is not selected), the Microsoft Defender for Endpoint integration with Security Center is not enabled in the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the configuration status of the Microsoft Defender for Endpoint – Azure Security Center integration in the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings?api-version=2019-01-01"' | jq '.value[] | select(.name=="WDATP") | .properties.enabled'

02 The command output should return the status of the requested service integration:

false

If the account get-access-token command output returns false, as shown in the example above, the Microsoft Defender for Endpoint integration with Security Center is not enabled within the current subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.

Remediation / Resolution

To enable the Microsoft Defender for Endpoint – Azure Security Center integration, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to access.

05 In the left navigation panel, under Settings, choose Integrations to access the integration settings available for Azure Security Center with other Microsoft security services.

06 Under Enable integrations, select the Allow Microsoft Defender for Endpoint to access my data checkbox to enable the Microsoft Defender for Endpoint – Azure Security Center integration by allowing Microsoft Defender for Endpoint to access your data. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the request body required for the account get-access-token command. Set the "enabled" property to true in order to enable Microsoft Defender for Endpoint to access your data. Replace the placeholder, i.e. <azure-subscription-id>, with your own Azure subscription ID and save the content to a JSON file named enable-wdatp-security-center-integration.json:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/settings/WDATP",
  "kind": "DataExportSettings",
  "type": "Microsoft.Security/settings",
  "properties": {
    "enabled": true
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the request body defined at the previous step (i.e. the enable-wdatp-security-center-integration.json file) to enable the Microsoft Defender for Endpoint – Azure Security Center integration by allowing Microsoft Defender for Endpoint to access your data:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings/WDATP?api-version=2019-01-01" -d@"enable-wdatp-security-center-integration.json"'

03 The command output should return the metadata of the updated WDATP setting:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/settings/WDATP",
  "name": "WDATP",
  "type": "Microsoft.Security/settings",
  "kind": "DataExportSettings",
  "properties": {
    "enabled": true
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.
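As an added example (not Conformity's own tooling), the following Python script performs the audit GET and the remediation PUT from the two Azure CLI sections above against the same Microsoft.Security/settings REST endpoint, and runs the "repeat for each subscription" loop automatically. The az CLI calls used to obtain the token and subscription list, the helper names, and the sample response are assumptions; a subscription with no WDATP entry at all is treated as non-compliant.

```python
import json
import subprocess
import urllib.request

API_VERSION = "2019-01-01"  # same api-version the page's curl commands use

def wdatp_enabled(settings_response):
    """True only if a setting named WDATP exists with properties.enabled == true;
    a missing WDATP entry counts as disabled, so never-configured subscriptions are flagged."""
    for item in settings_response.get("value", []):
        if item.get("name") == "WDATP":
            return item.get("properties", {}).get("enabled") is True
    return False

def arm_request(token, path, method="GET", body=None):
    """Call the Azure Resource Manager REST API with a bearer token; return parsed JSON."""
    url = f"https://management.azure.com{path}?api-version={API_VERSION}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_settings(subscription_id, token):  # the page's audit GET
    return arm_request(token, f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings")

def enable_wdatp(subscription_id, token):
    """PUT the same body as the page's remediation step for one subscription."""
    path = f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/WDATP"
    body = {"id": path, "kind": "DataExportSettings", "type": "Microsoft.Security/settings",
            "properties": {"enabled": True}}
    return arm_request(token, path, method="PUT", body=body)

def non_compliant_subscriptions(subscription_ids, fetch):
    """IDs whose WDATP integration is off; `fetch` is injectable so evaluation can run offline."""
    return [sid for sid in subscription_ids if not wdatp_enabled(fetch(sid))]

SAMPLE_SETTINGS = {"value": [  # constructed sample list response, not from a real tenant
    {"name": "MCAS", "kind": "DataExportSettings", "properties": {"enabled": True}},
    {"name": "WDATP", "kind": "DataExportSettings", "properties": {"enabled": False}},
]}

if __name__ == "__main__":
    # Token and subscription IDs come from the az CLI as on the page; one ARM token is valid for
    # every subscription in the same tenant, so a single token serves the whole loop.
    def az(*args):
        return subprocess.check_output(["az", *args, "--out", "tsv"], text=True).split()
    token = az("account", "get-access-token", "--query", "accessToken")[0]
    subs = az("account", "list", "--query", "[].id")
    for sid in non_compliant_subscriptions(subs, lambda s: fetch_settings(s, token)):
        print(f"{sid}: Defender for Endpoint integration NOT enabled")
```

Call enable_wdatp(sid, token) for each reported subscription to apply the remediation, and rerun the audit loop to confirm every subscription now reports the WDATP setting as enabled.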

Publication date Sep 19, 2021
