
Microsoft Defender for Endpoint

Workflow for Building Agentless Microsegmentation

Onboarding

ColorTokens Xshield supports agentless microsegmentation through integration with Microsoft Defender for Endpoint. This section describes the steps required to activate the integration.

Pre-requisites

The following details need to be available to integrate Microsoft Defender with Xshield:

  • Microsoft Defender API credentials - for ingesting device metadata from the Microsoft Defender platform
  • Azure Storage Account and Azure Storage Queue - for ingesting network flow records exported by the Microsoft Defender platform

The following credentials are required to activate the integration:

  • Tenant ID (Directory ID)
  • Client ID (Application ID)
  • Client Secret
  • Storage Account name
  • Storage Queue name

Generate API Credentials and Azure Storage Account

Follow the steps in the documents below to generate the credentials required for the integration with Microsoft Defender:

  1. Generate Microsoft Defender API credentials
  2. Generate Azure Storage Account and Azure Storage Queue
Tip: ColorTokens provides a Terraform script that automates the manual steps in the documents above. To use it, follow the instructions in the document Generate API Credentials for Integrating Microsoft Defender for Endpoint with Xshield platform using Terraform.

The API credentials are used to make programmatic calls to the Microsoft Defender platform to retrieve the following information:

  • Device metadata such as hostname, OS, tags, IP address and device type

Activate Integration on Xshield

  1. In the Xshield console, navigate to Settings > Integrations > EDR > Microsoft Defender.
  2. Click Activate. Provide the API credentials and the Storage Account details in the pop-over dialog, then click Test to validate the credentials.
  3. Once the test succeeds, click Save to activate the integration.

Once the integration is activated, the Xshield platform automatically fetches the Machine Tags from the Microsoft Defender platform; it can take up to 5 minutes for the tags to be fetched. A new menu item, EDR Groups, appears in the left navigation bar. EDR Groups lists the activated EDR systems; select Microsoft Defender to view the tags imported from the Microsoft Defender platform.

Host Discovery

After the Microsoft Defender integration has been activated, Xshield fetches all machine tags from the Microsoft Defender platform. The devices carrying a tag are imported once that tag is activated, as described below.

Activate/Deactivate Machine Tags

From the Microsoft Defender tab in the Xshield console, select one or more machine tags and choose Active or Inactive under Change Status. A flyout panel opens; review the selected machine tags and click Confirm to activate or deactivate the devices associated with them.

On activation, the Xshield platform starts fetching the devices that carry the activated machine tags. It can take up to 10 minutes for the devices to be fetched and added to the Xshield platform.

On deactivation, the Xshield platform removes the devices that carry the deactivated machine tags. It can take up to 10 minutes for the devices to be removed from the Xshield platform. A device that also carries another machine tag that is still active is not removed.
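As an added illustration (not ColorTokens' code), the script below does in miniature what the Pre-requisites and Host Discovery sections describe: it obtains a token for the Defender for Endpoint API with the Tenant ID, Client ID and Client Secret, pages through the List machines API, groups devices by machine tag, and applies the activation rule above (a device stays as long as at least one of its tags is still active). The constructed SAMPLE_MACHINES list stands in for the API response so the script runs offline; with the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET set (names assumed for this example) it queries the real API instead. The grouping and activation functions are this example's own, not Xshield's.

```python
"""Fetch Defender machines with the integration's API credentials and apply
tag-activation semantics client-side.  Illustrative code, not ColorTokens'."""
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
DEFENDER_API = "https://api.securitycenter.microsoft.com"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials grant scoped to the Defender for Endpoint API."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DEFENDER_API}/.default",
    }).encode()
    req = urllib.request.Request(f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_machines(token: str) -> list:
    """GET /api/machines, following @odata.nextLink until all pages are read."""
    url = f"{DEFENDER_API}/api/machines"
    machines = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        machines.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return machines


def group_by_tag(machines: list) -> dict:
    """Map each machine tag to the metadata imported for the devices carrying it."""
    groups = {}
    for m in machines:
        meta = {
            "id": m["id"],
            "hostname": m.get("computerDnsName"),
            "os": m.get("osPlatform"),
            "ip": m.get("lastIpAddress"),
            "tags": sorted(m.get("machineTags") or []),   # machineTags may be null
        }
        for tag in meta["tags"]:
            groups.setdefault(tag, []).append(meta)
    return groups


def active_assets(machines: list, active_tags: set) -> set:
    """Machine ids that belong in the inventory given the active tags: a device
    is kept as long as at least one of its tags is still active."""
    return {m["id"] for m in machines if set(m.get("machineTags") or []) & active_tags}


# Constructed sample in the shape of the List machines response (not real devices).
SAMPLE_MACHINES = [
    {"id": "a1", "computerDnsName": "web01.corp.example", "osPlatform": "WindowsServer2019",
     "lastIpAddress": "10.1.0.11", "machineTags": ["web", "prod"]},
    {"id": "a2", "computerDnsName": "db01.corp.example", "osPlatform": "WindowsServer2022",
     "lastIpAddress": "10.1.0.21", "machineTags": ["db", "prod"]},
    {"id": "a3", "computerDnsName": "lab01.corp.example", "osPlatform": "Windows11",
     "lastIpAddress": "10.9.0.5", "machineTags": ["lab"]},
    {"id": "a4", "computerDnsName": "untagged.corp.example", "osPlatform": "Windows10",
     "lastIpAddress": "10.9.0.6", "machineTags": []},
]

if __name__ == "__main__":
    machines = SAMPLE_MACHINES
    env = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")  # assumed names
    if all(k in os.environ for k in env):
        machines = list_machines(get_token(*(os.environ[k] for k in env)))
    print(json.dumps(group_by_tag(machines), indent=2))
    before = active_assets(machines, {"web", "prod"})
    after = active_assets(machines, {"web"})        # deactivate the "prod" tag
    print("removed on deactivating prod:", sorted(before - after))
```

Deactivating "prod" in the sample removes db01 but keeps web01, because web01 is still covered by the active "web" tag; that is the rule the deactivation paragraph states.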

View and Explore Assets

From the Assets page in the Xshield console, you can view and explore the devices imported from the Microsoft Defender platform. Click an asset name to view its details. The asset details page shows information such as IP address, operating system and tags.

These assets behave like assets created by Xshield agents: operators can create segments and tags for them and manage them through the same process.

Network Visibility

Microsoft Defender XDR collects rich telemetry, including device tags and network activity. To make this data accessible outside Defender, the customer sets up a streaming export from Microsoft Defender XDR to an Azure Blob Storage account. This storage account is owned and managed by the customer.

Considerations:

  • An Azure Blob Storage account is set up and configured so that Defender continuously streams telemetry as blobs (files) into a designated container. Each blob contains a batch of telemetry events, including network flow records.
  • An Azure Storage Queue is created and an event subscription is set up that notifies Xshield when new telemetry data has been written.
  • Xshield monitors the storage queue for new messages, retrieves the referenced data from the storage account and parses it to provide near real-time network visibility.
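As an added example (not Xshield's ingestion code), here is the consumer side of that pipeline in Python: decode a Storage Queue message that the event subscription wrote for a BlobCreated event, confirm the blob URL belongs to the customer's storage account before anything is fetched, and reduce each DeviceNetworkEvents record in the exported blob to the flow tuple a segmentation policy is built from. The account host name, container name and both sample payloads are constructed for this example; the record shape follows the Defender streaming API export format (time, category, properties) and the Event Grid BlobCreated schema, and the base64 wrapping of the queue message is how Event Grid delivers to a Storage Queue by default (assumed here rather than taken from the page). Downloading the blob itself is left to the Azure SDK and not shown.

```python
"""Decode a Storage Queue notification for a Defender streaming-API export blob
and extract network flow records from the blob.  Illustrative, not Xshield's code."""
import base64
import json
from urllib.parse import urlparse

EXPECTED_ACCOUNT_HOST = "contosoedr.blob.core.windows.net"   # assumed customer account
FLOW_CATEGORY = "AdvancedHunting-DeviceNetworkEvents"


def is_trusted_blob_url(url: str, expected_host: str = EXPECTED_ACCOUNT_HOST) -> bool:
    """Only https URLs on the customer's own storage account may be fetched; a
    forged queue message must not be able to point the consumer elsewhere."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == expected_host


def blob_from_queue_message(raw_message: str, expected_host: str = EXPECTED_ACCOUNT_HOST):
    """Return (container, blob_path) for a BlobCreated event, None for other events."""
    event = json.loads(base64.b64decode(raw_message))
    if event.get("eventType") != "Microsoft.Storage.BlobCreated":
        return None                       # e.g. BlobDeleted: nothing to ingest
    url = event["data"]["url"]
    if not is_trusted_blob_url(url, expected_host):
        raise ValueError(f"refusing blob outside {expected_host}: {url}")
    container, _, blob_path = urlparse(url).path.lstrip("/").partition("/")
    return container, blob_path


def encode_queue_message(event: dict) -> str:
    """Base64-wrap an event the way it arrives in the Storage Queue (assumed)."""
    return base64.b64encode(json.dumps(event).encode()).decode()


def parse_flows(blob_text: str) -> list:
    """Each blob line is one JSON record; keep only DeviceNetworkEvents and
    reduce each to source, destination, protocol, action and process."""
    flows = []
    for line in blob_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("category") != FLOW_CATEGORY:
            continue
        p = record["properties"]
        flows.append({
            "time": p["Timestamp"],
            "device": p["DeviceName"],
            "src": (p.get("LocalIP"), p.get("LocalPort")),
            "dst": (p.get("RemoteIP"), p.get("RemotePort")),
            "proto": p.get("Protocol"),
            "action": p.get("ActionType"),
            "process": p.get("InitiatingProcessFileName"),
        })
    return flows


# --- constructed sample data; shapes follow the Event Grid and streaming-API schemas ---
SAMPLE_EVENT = {
    "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/edr"
             "/providers/Microsoft.Storage/storageAccounts/contosoedr",
    "subject": "/blobServices/default/containers/defender-export/blobs/"
               "DeviceNetworkEvents/2024/05/01/PT1H.json",
    "eventType": "Microsoft.Storage.BlobCreated",
    "data": {"api": "PutBlob",
             "url": "https://contosoedr.blob.core.windows.net/defender-export/"
                    "DeviceNetworkEvents/2024/05/01/PT1H.json"},
}
SAMPLE_QUEUE_MESSAGE = encode_queue_message(SAMPLE_EVENT)

SAMPLE_BLOB = "\n".join(json.dumps(r) for r in [
    {"time": "2024-05-01T10:00:01Z", "category": FLOW_CATEGORY, "properties": {
        "Timestamp": "2024-05-01T10:00:01Z", "DeviceName": "web01.corp.example",
        "ActionType": "ConnectionSuccess", "LocalIP": "10.1.0.11", "LocalPort": 51234,
        "RemoteIP": "10.1.0.21", "RemotePort": 1433, "Protocol": "Tcp",
        "InitiatingProcessFileName": "w3wp.exe"}},
    {"time": "2024-05-01T10:00:02Z", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"Timestamp": "2024-05-01T10:00:02Z",
                    "DeviceName": "web01.corp.example", "FileName": "cmd.exe"}},
    {"time": "2024-05-01T10:00:03Z", "category": FLOW_CATEGORY, "properties": {
        "Timestamp": "2024-05-01T10:00:03Z", "DeviceName": "db01.corp.example",
        "ActionType": "InboundConnectionAccepted", "LocalIP": "10.1.0.21", "LocalPort": 1433,
        "RemoteIP": "10.1.0.11", "RemotePort": 51234, "Protocol": "Tcp",
        "InitiatingProcessFileName": "sqlservr.exe"}},
])

if __name__ == "__main__":
    print("blob to fetch:", blob_from_queue_message(SAMPLE_QUEUE_MESSAGE))
    for flow in parse_flows(SAMPLE_BLOB):   # in production: the downloaded blob text
        print(flow)
```

The host check matters because the queue is the only thing telling the consumer where to read from: anyone who can write to that queue could otherwise make the consumer fetch and parse a URL of their choosing. Scope the queue's access keys or SAS to Event Grid and the consumer only, and treat any message that fails the check as an incident rather than a parse error.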

Segment Definition and Visualization

New Microsoft Defender segments can be created in Xshield for assets imported from Microsoft Defender, following the standard segment creation process in Xshield.

Click the Segments menu item in the left navigation bar, select the Microsoft Defender tab and click Create Segment. Provide the segment name and description, select the Tag Names of the assets to associate with the segment, and click Save to save the segment.

Named Networks can be added to the segment at creation time or later. To add named networks after the segment has been created, click the More Options button of the segment in the Microsoft Defender segments page, select Manage Named Networks, choose the appropriate named networks and click Assign to save the changes.