
Microsoft Defender for Endpoint

AgileBlue can provide a central pane of glass for your cyber security posture by ingesting alerts from various applications, including Microsoft Defender for Endpoint.

Overview

The AgileBlue Cyber SOC has the ability to collect alerts from Microsoft Defender for Endpoint. These logs empower AgileBlue to monitor and alert on potentially suspicious activity happening in your environment. For this to work, you will need to configure a few things within your Azure tenant. This document will walk you through that process.

Please note: Auditing must be enabled for your organization in order to ensure data collection. For more information, click here.


Configure a New Azure Application

  1. Log in to https://portal.azure.com with an account that holds the Global Administrator role in your Office 365 tenant.
  2. Navigate to the Azure Active Directory option in the menu
  3. Click App Registrations option in the left-hand menu
  4. Next, click New registration in the top menu
  5. Configure the options for this App Registration as shown below:
    1. Name: AgileBlue Collection Service (Defender for Endpoint)
    2. Supported account types: Accounts in this organizational directory only (Your tenant only - Single tenant)
    3. Redirect URI: No value, not needed

Configure permissions for your app registrations

  1. Select View API permissions
  2. Click Add a permission and then APIs my organization uses
  3. Type WindowsDefenderATP in the search and select WindowsDefenderATP
  4. Select Application permissions and grant Alert.Read.All access
  5. Click Add permissions
  6. Now that permissions are configured, click on Grant admin consent for [your tenant name]

Create client secret keys & collect necessary IDs

  1. Select Certificates & secrets from the left-hand menu
  2. Once the page loads, click New client secret
  3. On the pop-out that appears, provide a Description of AgileBlue Collection Service (Defender for Endpoint) and select the longest available expiration option (NOTE: record this expiration date; a new key will need to be provided to AgileBlue at that time)
  4. Collect the value of the client secret that you created. To do this, copy and paste the value into a secure location – this will be your only chance to collect this information (NOTE: AgileBlue will need the secret value, not the secret ID)
  5. Navigate back to the Overview
  6. Copy your Application (client) ID and Directory (tenant) ID to a secure location
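Before handing these values over, you can confirm that the registration works and carries only the intended permission. The following Python check is an added example, not part of AgileBlue's documentation: it assumes the three values are in the environment variables MDE_TENANT, MDE_CLIENT_ID and MDE_CLIENT_SECRET (names chosen here) and uses Microsoft's public token endpoint and Defender for Endpoint alerts API.

```python
import base64, json, os, urllib.error, urllib.parse, urllib.request

# Microsoft's public endpoints for the Defender for Endpoint (WindowsDefenderATP) API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts?$top=1"
REQUIRED_ROLES = {"Alert.Read.All"}  # the only permission this integration needs

def token_request_body(client_id, client_secret):
    """Form body for the client-credentials grant against the v2.0 token endpoint."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature: we only inspect a
    token we just received ourselves, verification is the resource server's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_roles(claims):
    """Return (missing, extra) application roles relative to what AgileBlue needs.
    No 'roles' claim at all means admin consent was never granted."""
    granted = set(claims.get("roles", []))
    return sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES)

def alerts_status(token):
    """GET the alerts endpoint with the token and return the HTTP status (200 = OK)."""
    req = urllib.request.Request(ALERTS_URL, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    # Environment variable names are this example's assumption, not AgileBlue's.
    tenant = os.environ["MDE_TENANT"]
    body = token_request_body(os.environ["MDE_CLIENT_ID"], os.environ["MDE_CLIENT_SECRET"])
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=body) as resp:
        token = json.load(resp)["access_token"]
    missing, extra = check_roles(jwt_claims(token))
    print("missing roles:", missing or "none", "| unexpected roles:", extra or "none")
    print("GET /api/alerts ->", alerts_status(token))
```

A token whose roles claim is empty means the Grant admin consent step was skipped; any role beyond Alert.Read.All means the registration holds more access than the integration needs.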

Submitting Sensitive Data

The final step is to submit these sensitive details to AgileBlue. Once ready, please email support@agileblue.com and a specialist will send back an encrypted message. You will be able to respond to that message with the following values:

  1. Secret Value
  2. Application (client) ID
  3. Directory (tenant) ID
  4. Tenant Name (Ex. Agileblue.onmicrosoft.com)

Questions? Contact AgileBlue Support.

Email: support@agileblue.com
Phone: (216) 606-9400