Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.x] [Jan 28] MS Defender for Endpoint third-party response integration (backport #6478) #6488

Merged
merged 3 commits into from
Jan 28, 2025
Merged

[8.x] [Jan 28] MS Defender for Endpoint third-party response integration (backport #6478) #6488

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
26d14f4
[Jan 28] MS Defender for Endpoint third-party response integration (#…
natasha-moore-elastic Jan 28, 2025
d68d67d
Delete docs/serverless directory and its contents
github-actions[bot] Jan 28, 2025
c7e5414
Merge branch '8.x' into mergify/bp/8.x/pr-6478
natasha-moore-elastic Jan 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions docs/management/admin/response-actions-config.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ preview::[]
You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems:

* CrowdStrike
* Microsoft Defender for Endpoint
* SentinelOne

Check out <<third-party-actions>> to learn which response actions are supported for each system.
Expand Down Expand Up @@ -80,6 +81,63 @@ IMPORTANT: Do not create more than one CrowdStrike connector.
This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout.
====

.**Set up Microsoft Defender for Endpoint response actions**
[%collapsible]
====
// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything
// in this section, apply the change to the other sections, too.

. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions:
+
--
- Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
- Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`).
--
+
Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details on creating a new Azure application.
+
After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you'll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint.

. **Install the Microsoft Defender for Endpoint integration and {agent}.** Elastic's {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration] collects and ingests logs into {elastic-sec}.
+
NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional data source.
+
.. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**.
.. Enter an **Integration name**. Entering a **Description** is optional.
.. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID**, **Client Secret**, and **Tenant ID**.
.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
.. Click **Save and continue**.
.. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}.

. **Create a Microsoft Defender for Endpoint connector.** Elastic's Microsoft Defender for Endpoint connector enables {elastic-sec} to perform actions on Microsoft Defender–enrolled hosts.
+
IMPORTANT: Do not create more than one Microsoft Defender for Endpoint connector.
+
.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**.
.. Select the Microsoft Defender for Endpoint connector.
.. Enter the configuration information:
- **Connector name**: A name to identify the connector.
- **Application client ID**: The client ID created in step 1.
- **Tenant ID**: The tenant ID created in step 1.
- **Client secret value**: The client secret created in step 1.
.. (Optional) If necessary, adjust the default values populated for the other configuration parameters.
.. Click **Save**.

. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<rules-ui-create,detection rules>> to generate {elastic-sec} alerts based on Microsoft Defender for Endpoint events and data.
+
This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout.
+
When creating a rule, you can target any event containing a Microsoft Defender machine ID field. Use one or more of these index patterns:
+
--
- `logs-microsoft_defender_endpoint.log-*`
- `logs-m365_defender.alert-*`
- `logs-m365_defender.incident-*`
- `logs-m365_defender.log-*`
- `logs-m365_defender.event-*`
--

====

.**Set up SentinelOne response actions**
[%collapsible]
Expand Down
15 changes: 15 additions & 0 deletions docs/management/admin/third-party-actions.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,21 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r

* **View past response action activity** in the <<response-actions-history,response actions history>> log.

[discrete]
[[defender-response-actions]]
== Microsoft Defender for Endpoint response actions

These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts:

* **Isolate and release a host** using any of these methods:
+
--
** From a detection alert
** From the response console
--
+
Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.

[discrete]
[[sentinelone-response-actions]]
== SentinelOne response actions
Expand Down