Leverage your Microsoft Defender service for host isolation and enable bi-directional incident communication with the AgileBlue platform.
Overview
AgileBlue's bi-directional integration with Microsoft Defender streamlines alert management and expands containment options. With the integration enabled, any Defender incident that generates an alert in the AgileBlue platform is closed in both systems at the same time, so analysts do not have to reconcile incident state by hand.
The integration also lets customers designate which system performs host isolation: the Cerulean Agent or Microsoft Defender.
Configure Application Permissions
AgileBlue recommends using a single Azure application registration to hold the permissions for all integrations monitored by our system, including Microsoft Defender. The full guide to enabling the application and related permissions can be found here.
If you have previously configured an application in Microsoft for AgileBlue monitoring, the additional permissions required for this integration are:
- WindowsDefenderATP Permissions: Machine.ReadWrite.All
- WindowsDefenderATP Permissions: Machine.Isolate
- Microsoft 365 Defender Permissions: Incident.ReadWrite.All
These are application (app-only) permissions, so each one must be granted admin consent in the tenant before the integration can use it; a permission that is requested in the app registration but not consented will not work. Please follow the guide linked above to ensure the necessary data is communicated back to AgileBlue.
Enable Host Isolation With Defender
- Log in to the AgileBlue Portal
- Navigate to Settings > Alert Playbook > Host Isolation System
- Toggle the selection to Defender (Note: Cerulean will always be the default system for Host Isolation. Isolation through Defender applies only to devices onboarded to Defender for Endpoint; a host that is not onboarded cannot be isolated from the Defender side.)
- A popup will appear showing the Application ID registered to the AgileBlue Portal. Before enabling the integration, verify that this application holds the required permissions detailed on this popup and that admin consent has been granted for each of them.
- Click Continue with Defender
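The permission check called for in the Configure Application Permissions section and again in the popup step above can be scripted rather than eyeballed in the portal. The Python below is an added example, not AgileBlue's or Microsoft's code. It works on JSON in the shape returned by Microsoft Graph: the registration's `requiredResourceAccess` (GET /applications/{id}), the resource APIs' service principals with their `appRoles` (GET /servicePrincipals?$filter=appId eq '...'), and the registration's own `appRoleAssignments` (GET /servicePrincipals/{id}/appRoleAssignments), which are the record of admin consent. All GUIDs and object IDs in the sample are constructed placeholders, and the resource names are assumed to be the service principal display names "WindowsDefenderATP" and "Microsoft Threat Protection" (the Entra name for the Microsoft 365 Defender API).

```python
import json

# Permissions from the AgileBlue guide, keyed by the resource API's service
# principal displayName. "Microsoft Threat Protection" is assumed to be the
# Entra display name of the Microsoft 365 Defender API.
REQUIRED = {
    "WindowsDefenderATP": {"Machine.ReadWrite.All", "Machine.Isolate"},
    "Microsoft Threat Protection": {"Incident.ReadWrite.All"},
}

# --- Constructed sample data; every id/appId below is a placeholder ---------
SERVICE_PRINCIPALS = [
    {   # resource API: Defender for Endpoint
        "id": "sp-mde", "appId": "app-mde", "displayName": "WindowsDefenderATP",
        "appRoles": [
            {"id": "role-machine-rw", "value": "Machine.ReadWrite.All"},
            {"id": "role-machine-isolate", "value": "Machine.Isolate"},
            {"id": "role-machine-read", "value": "Machine.Read.All"},
        ],
    },
    {   # resource API: Microsoft 365 Defender
        "id": "sp-mtp", "appId": "app-mtp", "displayName": "Microsoft Threat Protection",
        "appRoles": [
            {"id": "role-incident-rw", "value": "Incident.ReadWrite.All"},
            {"id": "role-incident-read", "value": "Incident.Read.All"},
        ],
    },
]

APP = {  # the AgileBlue app registration: what it *requests*
    "appId": "app-agileblue",
    "requiredResourceAccess": [
        {"resourceAppId": "app-mde", "resourceAccess": [
            {"id": "role-machine-rw", "type": "Role"},
            {"id": "role-machine-isolate", "type": "Role"},
        ]},
        {"resourceAppId": "app-mtp", "resourceAccess": [
            {"id": "role-incident-rw", "type": "Role"},
        ]},
    ],
}

APP_SP_ID = "sp-agileblue"  # object id of the registration's own service principal

# appRoleAssignments: what an admin actually *consented*. Machine.Isolate was
# requested in the manifest but never consented, a common miss.
ASSIGNMENTS = [
    {"principalId": "sp-agileblue", "resourceId": "sp-mde", "appRoleId": "role-machine-rw"},
    {"principalId": "sp-agileblue", "resourceId": "sp-mtp", "appRoleId": "role-incident-rw"},
]


def _role_names(sp):
    """Map a resource service principal's appRole ids to their values."""
    return {r["id"]: r["value"] for r in sp.get("appRoles", [])}


def requested_roles(app, service_principals):
    """Resource displayName -> set of application permissions the registration requests.
    Only type == "Role" entries count; "Scope" entries are delegated permissions."""
    by_app_id = {sp["appId"]: sp for sp in service_principals}
    out = {}
    for rra in app.get("requiredResourceAccess", []):
        sp = by_app_id.get(rra["resourceAppId"])
        if sp is None:
            continue  # resource not among the SPs we fetched
        names = _role_names(sp)
        roles = {names.get(a["id"], "unknown:" + a["id"])
                 for a in rra["resourceAccess"] if a["type"] == "Role"}
        out.setdefault(sp["displayName"], set()).update(roles)
    return out


def granted_roles(app_sp_id, service_principals, assignments):
    """Resource displayName -> set of application permissions with admin consent."""
    by_id = {sp["id"]: sp for sp in service_principals}
    out = {}
    for a in assignments:
        sp = by_id.get(a["resourceId"])
        if a["principalId"] != app_sp_id or sp is None:
            continue
        role = _role_names(sp).get(a["appRoleId"], "unknown:" + a["appRoleId"])
        out.setdefault(sp["displayName"], set()).add(role)
    return out


def audit(app, app_sp_id, service_principals, assignments):
    """Per resource: required roles missing from the manifest, and missing consent."""
    req = requested_roles(app, service_principals)
    grant = granted_roles(app_sp_id, service_principals, assignments)
    return {
        res: {
            "not_requested": sorted(roles - req.get(res, set())),
            "not_consented": sorted(roles - grant.get(res, set())),
        }
        for res, roles in REQUIRED.items()
    }


def ready(report):
    """True only when every required permission is both requested and consented."""
    return all(not v["not_requested"] and not v["not_consented"] for v in report.values())


if __name__ == "__main__":
    report = audit(APP, APP_SP_ID, SERVICE_PRINCIPALS, ASSIGNMENTS)
    print(json.dumps(report, indent=2))
    print("ready for Defender isolation:", ready(report))
```

The distinction the script draws is the one that bites in practice: `requiredResourceAccess` is only what the registration asks for, while `appRoleAssignments` on the app's service principal is what the tenant has actually granted. The sample reports Machine.Isolate as consented-missing, which is exactly the state in which the portal popup would look fine but a Defender isolation request would be rejected.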
Questions? Contact AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400