
Microsoft Defender ATP integration guide

Microsoft Defender Advanced Threat Protection (ATP) is a platform that offers preventive protection, post-breach detection, automated investigation, and response. It provides endpoint detection and response (EDR) capabilities for traditional desktop and server operating systems such as Windows, Linux, and macOS.

These capabilities detect attacks in a timely manner and provide actionable insights. Using the platform's security analytics, analysts can prioritize alerts, gain insight into the full extent of a breach, and execute appropriate response measures to contain the threat.

About Defender ATP and the Mobile Security console communication

The Mobile Security console has been set up to enable the sharing of alerts with Microsoft Defender ATP via API access. The console receives threat reports from devices. If the severity of a reported threat meets or exceeds the minimum threshold set up during configuration, the details of the threat are transmitted to the Microsoft Defender ATP integration that has been configured.

By default, the integration sends only Critical severity threats. The details of a threat consist of user information (if obtainable), device information, operating system, and threat forensics. When a threat is resolved on the mobile device, Microsoft Defender ATP is automatically updated with the new threat status.

The Microsoft Defender ATP integration is configured to receive threat details for both MDM managed and non-managed devices. Microsoft Defender ATP receives threat events from all integrated console MDM vendors.

Configuration steps

Perform the following steps to set up the Mobile Security console integration:

  1. Log in to the Mobile Security Console.

  2. In the navigation panel, select Manage.

  3. When the Manage page opens, select the Integrations tab and then the Threat Reporting tab.

  4. Click the green Add Integration button. A window opens listing the available integration partners.

  5. Select the desired integration.

  6. Click the ‘Add to Azure Active Directory’ button to authorize the Mobile Security application with the permissions it needs to report alert data to Microsoft Defender ATP.

  7. You are taken to the Microsoft Azure Active Directory (AAD) console to accept the connection. Enter the admin credentials (an account with Global Administrator privileges is required), review the permissions requested, then click the Accept button. Accepting here grants the application admin consent for the whole tenant, not just for the signed-in user, so confirm the listed permissions are the ones you expect before proceeding.

    (Microsoft Defender ATP Integration Guide, Release 4.26.x, January 2020)

  8. In the window that opens, click the Go On button.

  9. Another window opens to finish setting up the integration. Enter the following information on this window.

    • Name – Enter a unique name for this Microsoft Defender ATP integration.

    • Filter Level – Select from the drop-down menu the minimum severity that is reported (severities are ordered Normal, Low, Elevated, Critical, from lowest to highest):

      1. Critical – reports only Critical severity threats.

      2. Elevated and Above – reports Elevated and Critical severity threats.

      3. Low and Above – reports Low, Elevated, and Critical severity threats.

      4. Normal and Above – reports threats of all severity levels.

  10. Click the Finish button. Once the integration is configured and saved correctly, the main Threat Reporting window opens and lists the new integration.
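The following is an added example, not the vendor's code, that models the severity gate described above: the console forwards a threat report to the Defender ATP integration only when its severity meets or exceeds the configured Filter Level (default Critical), forwards for managed and unmanaged devices alike, and sends a status update when the threat is resolved. Field names, threat ids, and the sample reports are constructed for illustration; the rule that a resolution update is sent only for threats that were forwarded in the first place is an assumption, not something the guide states.

```python
# Added example (not the vendor's code): models the severity gate between the
# Mobile Security console and the Defender ATP integration. Field names, threat
# ids and SAMPLE_REPORTS are constructed for illustration.

from typing import Optional

# Severity order implied by the Filter Level options: Normal < Low < Elevated < Critical.
SEVERITY_RANK = {"Normal": 0, "Low": 1, "Elevated": 2, "Critical": 3}

# The four Filter Level choices, mapped to the lowest severity each one forwards.
FILTER_LEVEL_MIN = {
    "Critical": "Critical",
    "Elevated and Above": "Elevated",
    "Low and Above": "Low",
    "Normal and Above": "Normal",
}

DEFAULT_FILTER_LEVEL = "Critical"  # the guide's default


def meets_threshold(severity: str, filter_level: str = DEFAULT_FILTER_LEVEL) -> bool:
    """True if a threat of this severity meets or exceeds the configured threshold."""
    if filter_level not in FILTER_LEVEL_MIN:
        raise ValueError(f"unknown filter level: {filter_level!r}")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r}")
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[FILTER_LEVEL_MIN[filter_level]]


def build_alert(report: dict) -> dict:
    """Select the details the guide says are transmitted: user (if obtainable),
    device, OS and threat forensics, plus id and status so updates can be matched."""
    return {
        "threat_id": report["threat_id"],
        "user": report.get("user"),  # None when the console could not obtain it
        "device": report["device"],
        "os": report["os"],
        "severity": report["severity"],
        "status": report["status"],
        "forensics": report["forensics"],
    }


def forward_reports(reports: list, filter_level: str = DEFAULT_FILTER_LEVEL) -> list:
    """Alerts that would be sent for the given filter level. The MDM-managed flag
    is deliberately ignored: managed and unmanaged devices are both reported."""
    return [build_alert(r) for r in reports if meets_threshold(r["severity"], filter_level)]


def resolution_update(report: dict, filter_level: str = DEFAULT_FILTER_LEVEL) -> Optional[dict]:
    """Update sent when the threat is resolved on the device. Assumption (not in the
    guide): a threat that was never forwarded gets no update, so the same gate applies."""
    if not meets_threshold(report["severity"], filter_level):
        return None
    return build_alert({**report, "status": "resolved"})


# Constructed sample reports, one per severity level.
SAMPLE_REPORTS = [
    {"threat_id": "t-1", "severity": "Critical", "device": "iPhone-A1", "os": "iOS 13.3",
     "user": "alice@example.com", "managed": True, "status": "open",
     "forensics": {"name": "Jailbroken device"}},
    {"threat_id": "t-2", "severity": "Elevated", "device": "Pixel-B2", "os": "Android 10",
     "user": None, "managed": False, "status": "open",
     "forensics": {"name": "Sideloaded app"}},
    {"threat_id": "t-3", "severity": "Low", "device": "Galaxy-C3", "os": "Android 9",
     "user": "bob@example.com", "managed": True, "status": "open",
     "forensics": {"name": "Unencrypted device"}},
    {"threat_id": "t-4", "severity": "Normal", "device": "iPad-D4", "os": "iOS 13.1",
     "user": None, "managed": False, "status": "open",
     "forensics": {"name": "Developer mode enabled"}},
]


if __name__ == "__main__":
    for level in FILTER_LEVEL_MIN:
        sent = forward_reports(SAMPLE_REPORTS, level)
        print(f"{level:20s} -> {[a['threat_id'] for a in sent]}")
    print(resolution_update(SAMPLE_REPORTS[0]))
```

Run it to see how many of the four sample threats each Filter Level would forward; with the default of Critical only one of the four reaches Defender ATP, which is why the threshold chosen at step 9 determines what analysts see there.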