Description
Microsoft Defender Advanced Threat Protection (ATP) is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response. In addition, Microsoft Defender ATP can isolate machines from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. Machine isolation disconnects the potentially compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
By integrating with the Reveal(x) system, users can automatically collect investigation packages, run antivirus scans, and isolate machines that meet certain conditions and thresholds found in Reveal(x) detections. The details of every machine isolation are stored within the Reveal(x) system for further analysis and auditing. In addition, the integration tracks the list of high-risk offender devices for which no associated Defender ATP machine was found, and which therefore could not be isolated.
The following figures show an example of a detection found by the Reveal(x) system that resulted in the offending endpoint being network isolated through Microsoft Defender ATP.
Figure 1. Reveal(x) dashboard for Microsoft Defender ATP Machine Isolation
Figure 2. Reveal(x) record entry for a successful Microsoft Defender ATP Machine Isolation event
Figure 3. Action center of a Windows 10 machine successfully isolated in the Microsoft Defender Security Center UI
Bundle Contents
(1) Application
- MS Defender ATP
(1) Dashboard
- Microsoft Defender ATP
(1) Record Format
- MS Defender ATP
(1) Trigger
- Microsoft Defender ATP Machine Isolation
Requirements
You must have an ExtraHop Discover or Command appliance with version 8.0 or later and a user account that has Unlimited privileges.
You must have access to Azure with a user account that has the Global Administrator role to create an Azure Active Directory application.
You must have access to the Microsoft Defender Advanced Threat Protection Platform.
Installation Instructions
Create an Azure Active Directory Application
Log into Azure and create an application to access Microsoft Defender ATP with the following Machine API permissions:
Note: You do not need the Alert.Read.All permission that is provided as an example in the tutorial.
Store your application client secret, application ID, and tenant ID somewhere safe. You will need this information when you configure the Reveal(x) Open Data Stream (ODS) target.
Note: After storing your application details you can skip the last step in the Create an app instructions, which is only required for Microsoft Defender ATP partners, and begin configuring Reveal(x).
Onboard Machines to Microsoft Defender ATP
- Log into Microsoft Defender Security Center and onboard your machines to Microsoft Defender ATP, if you haven't already.
Note: For more information, see onboarding machines to the Microsoft Defender ATP service.
Configure ExtraHop Reveal(x)
Install the bundle
When installing the bundle on a Command appliance, select the option to install the bundle on all of the connected Discover appliances that should participate in this integration.
Download the bundle on this page.
Configure ODS targets
When installing this bundle on a Command appliance, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.
Log into the Admin UI on the Discover appliance.
Configure an HTTP target for an open data stream with the following parameters:
In the Name field, type defender
In the Host field, type api.securitycenter.windows.com
In the Port field, type 443
From the Type drop-down list, select HTTPS
From the Authentication drop-down list, select Microsoft Azure Active Directory
From the OAuth2 grant type drop-down list, select Client Credentials
In the Client ID field, enter the value of the application ID that you stored previously from Azure Active Directory when creating the application
In the Client key field, enter the value of the application client secret that you stored previously from Azure Active Directory when creating the application
In the Resource URI field, type https://api.securitycenter.windows.com
In the OAuth2 token endpoint field, type https://login.windows.net/<tenant-id>/oauth2/token, replacing <tenant-id> with your tenant ID that you stored previously from Azure Active Directory when creating the application
From the Method drop-down list, select GET
In the Options field, enter the following:
{ "path": "/api/" }
The completed form should look similar to the following figure.
Note: There is currently an API rate limit of 100 calls per minute and 1500 calls per hour on all Microsoft Defender ATP API endpoints. If you are having trouble with these API rate limitations, please contact your Microsoft Representative for more information.
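The ODS target configured above performs an OAuth2 client credentials exchange against the Azure AD token endpoint before every call to the Defender ATP API. The following is an added example, not ExtraHop's or Microsoft's code, that builds that token request and interprets the reply offline so the configuration can be checked before the appliance sends anything; the sample token reply is constructed, and the tenant ID check and the 60-second refresh margin are this example's own choices.

```javascript
// Added example (not ExtraHop's or Microsoft's code): the OAuth2 client
// credentials exchange behind the "Microsoft Azure Active Directory" ODS
// target. Nothing is sent over the network; the functions build and interpret
// the messages so the configured values can be reasoned about offline.

// Build the token request for the Azure AD v1 endpoint used by the target
// (login.windows.net/<tenant-id>/oauth2/token). The v1 endpoint takes the API
// as a `resource` parameter; the v2 endpoint would take `scope` instead.
function buildTokenRequest({ tenantId, clientId, clientSecret, resource }) {
  // Tenant must be the directory GUID or a verified domain (check is this example's own).
  if (!/^[0-9a-f-]{36}$|^[a-z0-9.-]+\.[a-z]{2,}$/i.test(tenantId)) {
    throw new Error('tenantId must be a directory GUID or a verified domain name');
  }
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret, // percent-encoded, so secrets containing '+', '/' or '=' survive
    resource,
  });
  return {
    method: 'POST',
    url: `https://login.windows.net/${tenantId}/oauth2/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Interpret the token reply: the Authorization header value to send to
// api.securitycenter.windows.com and the instant after which a client should
// fetch a fresh token (refresh early by skewSeconds rather than at expiry).
function parseTokenResponse(json, now = Date.now(), skewSeconds = 60) {
  const resp = JSON.parse(json);
  if (resp.error) {
    throw new Error(`token request failed: ${resp.error}: ${resp.error_description || ''}`);
  }
  if (resp.token_type !== 'Bearer' || !resp.access_token) {
    throw new Error('unexpected token response shape');
  }
  const expiresIn = Number(resp.expires_in); // v1 returns this as a string
  return {
    authorization: `Bearer ${resp.access_token}`,
    refreshAfter: now + Math.max(0, expiresIn - skewSeconds) * 1000,
  };
}

// Constructed sample reply in the shape of an Azure AD v1 token response; the
// token value is fake.
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  token_type: 'Bearer',
  expires_in: '3599',
  resource: 'https://api.securitycenter.windows.com',
  access_token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.CONSTRUCTED',
});

// Example run with constructed credentials (not real values).
const sampleRequest = buildTokenRequest({
  tenantId: '00000000-0000-0000-0000-000000000000',
  clientId: 'constructed-application-id',
  clientSecret: 'a+b/c=',
  resource: 'https://api.securitycenter.windows.com',
});
const sampleToken = parseTokenResponse(SAMPLE_TOKEN_RESPONSE, 0);
```

The body string that `buildTokenRequest` returns is exactly what the appliance posts, which makes it convenient for reproducing a failing target configuration by hand; the `error` branch in `parseTokenResponse` is where an expired client secret or a wrong tenant ID shows up.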
Configure the trigger
In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
In the list of triggers, click Microsoft Defender ATP Machine Isolation.
In the right pane, click Edit Trigger Script.
In the left pane in the Options section, select the Enable trigger checkbox.
For Command appliances only, configure EH_HOSTNAME with the hostname or IP address of the Command appliance; otherwise leave this setting as is.
(Optional) Customize the detection risk score threshold by setting RISK_THRESHOLD to the desired minimum risk score that results in isolation.
(Optional) Filter which detections automatically result in isolation by adding specific detection types to the DETECTION_TYPES array; all other detection types will be ignored.
(Optional) Customize the set of actions taken by the trigger by setting enabled to either true or false for each action within DEFENDER_ATP_ACTIONS.
Click Save, then click Done.
Note: The Microsoft Defender ATP Machine Isolation trigger does not accept assignments.
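The following is an added example, not the bundle's own trigger script, of the decision logic that the trigger settings above describe: the risk threshold, the detection-type allow-list, the per-action enabled flags, the unmatched-offender bookkeeping, and a guard for the API rate limit noted in the ODS section. ExtraHop's trigger globals (Detection, Remote.HTTP and the defender ODS target) are deliberately not called; the detection and the Defender machine lookup are passed in as plain values. The request paths and body fields follow the Microsoft Defender ATP machine-actions API and are this example's assumption, not something the page lists; the sample detection and machine ID are constructed.

```javascript
// Added example (not the bundle's trigger script): the isolation decision
// logic as plain functions so it runs offline. ExtraHop trigger globals are
// not used; see the lead-in for what is assumed.

// Settings with the same names as the trigger's own; values here are constructed.
const CONFIG = {
  RISK_THRESHOLD: 70,      // minimum detection risk score that results in action
  DETECTION_TYPES: [],     // empty = every detection type; otherwise an allow-list
  DEFENDER_ATP_ACTIONS: {  // each action can be switched off independently
    collectInvestigationPackage: { enabled: true },
    runAntiVirusScan: { enabled: true },
    isolate: { enabled: true, isolationType: 'Full' },
  },
};

// Which enabled actions does this detection qualify for? Empty array = none.
function decideActions(detection, config) {
  if (detection.riskScore < config.RISK_THRESHOLD) return [];
  if (config.DETECTION_TYPES.length > 0 && !config.DETECTION_TYPES.includes(detection.type)) return [];
  return Object.keys(config.DEFENDER_ATP_ACTIONS)
    .filter((name) => config.DEFENDER_ATP_ACTIONS[name].enabled);
}

// The request the ODS target would send for one action. Paths and body fields
// are the Defender ATP machine-actions API as assumed in the lead-in; how they
// combine with the target's "path": "/api/" option is not covered by the page.
function buildRequest(action, machineId, detection, config) {
  const comment = `Reveal(x) detection ${detection.id}: ${detection.type} (risk ${detection.riskScore})`;
  const payloads = {
    collectInvestigationPackage: { Comment: comment },
    runAntiVirusScan: { Comment: comment, ScanType: 'Full' },
    isolate: { Comment: comment, IsolationType: config.DEFENDER_ATP_ACTIONS.isolate.isolationType },
  };
  if (!(action in payloads)) throw new Error(`unknown action ${action}`);
  return { method: 'POST', path: `/api/machines/${machineId}/${action}`, payload: payloads[action] };
}

// Fixed-window call budget for the 100 calls per minute limit; a real trigger
// would persist the counter, here it lives in a closure. `now` is injectable
// so the window logic can be tested without waiting.
function makeCallBudget(limit, windowMs, now = () => Date.now()) {
  let windowStart = now();
  let used = 0;
  return {
    take() {
      const t = now();
      if (t - windowStart >= windowMs) { windowStart = t; used = 0; }
      if (used >= limit) return false;
      used += 1;
      return true;
    },
  };
}

// Process one detection. lookupMachine(offender) returns a Defender machine id
// or null. Offenders with no Defender machine are recorded as unmatched (the
// list the integration tracks); requests over the call budget are recorded as
// throttled rather than dropped silently, so an operator can see the backlog.
function processDetection(detection, lookupMachine, config, budget) {
  const actions = decideActions(detection, config);
  const result = { actions, requests: [], unmatched: [], throttled: [] };
  if (actions.length === 0) return result;
  for (const offender of detection.offenders) {
    const machineId = lookupMachine(offender);
    if (machineId === null) { result.unmatched.push(offender); continue; }
    for (const action of actions) {
      const req = buildRequest(action, machineId, detection, config);
      (budget.take() ? result.requests : result.throttled).push(req);
    }
  }
  return result;
}

// Constructed sample: one detection with two offenders, only one known to Defender.
const SAMPLE_DETECTION = {
  id: 12345, type: 'Data Exfiltration', riskScore: 85,
  offenders: [{ ipaddr: '10.0.0.25', hostname: 'ws-025' }, { ipaddr: '10.0.0.99', hostname: 'iot-cam' }],
};
const SAMPLE_MACHINES = { '10.0.0.25': 'constructed-machine-id-0001' };
const lookupSample = (offender) => SAMPLE_MACHINES[offender.ipaddr] || null;

// Example run: three requests for the matched host, one unmatched offender.
const sampleResult = processDetection(SAMPLE_DETECTION, lookupSample, CONFIG, makeCallBudget(100, 60000));
```

Keeping the decision in `decideActions` separate from request construction makes the threshold and type filter easy to test against past detections before enabling the trigger, and the `unmatched` list is the data the dashboard uses to show which offenders could not be isolated.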