Integrating with Microsoft

Microsoft Defender for Endpoint Integration Guide for SecurityCoach

In this article, you will learn how to integrate Microsoft Defender for Endpoint, formerly Microsoft Defender ATP, with SecurityCoach. Once you set up this integration, data provided by Microsoft Defender for Endpoint will be available under the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns.

For general information about SecurityCoach, see our SecurityCoach Product Manual. If you would like to learn how to integrate other Microsoft products with SecurityCoach, see the vendor integration guides in our Knowledge Base.

Set Up the Integration in Your Microsoft Azure Portal

Before you can set up the SecurityCoach integration in your KSAT console, you will need to register the SecurityCoach application, add API permissions, and create a client secret in your Microsoft Azure portal.

Important: Even if you reuse an application that you registered for another Microsoft integration, Microsoft Defender for Endpoint needs its own API permission (Alert.Read.All on the WindowsDefenderATP API) and a valid client secret for that application.

These steps are covered in the following subsections of this article: Register the Application, Add API Permissions, and Create a Client Secret.

Register the Application

First, you will need to register the SecurityCoach application in your Microsoft Azure portal.

Note: If you have already registered an application for Microsoft 365 or Microsoft Cloud App Security (MCAS), you can skip this section and go to the Add API Permissions section below.

To register the application, follow the steps below:

  1. Log in to your Microsoft Azure portal and navigate to your Microsoft Entra ID (formerly Azure Active Directory).
  2. From the sidebar on the left side of the page, select App registrations.
  3. Click + New registration and enter a name for your application, such as “KB4-DefenderATPAPP”.
  4. Click Register.

Add API Permissions

After you have registered the SecurityCoach application, you can add API permissions. To add API permissions, follow the steps below:

  1. Log in to your Microsoft Azure portal and navigate to your Microsoft Entra ID.
  2. From the sidebar on the left side of the page, select App registrations.
  3. Select the application you registered for Microsoft Defender for Endpoint, Microsoft 365, or MCAS.
  4. From the sidebar on the left side of the page, select API permissions.
  5. Click + Add a permission.
  6. Enter “windowsdefender” in the Start typing an API name or Application ID search bar.
  7. Then, select WindowsDefenderATP from the APIs my organization uses subtab.
  8. Click Application permissions.
  9. Click the Alert drop-down menu and select the check box next to Alert.Read.All.
  10. Click Grant admin consent for [your tenant name]. Once consent is granted, the warning triangle in the Status column on the right side of the page will change to a green check mark. Without admin consent, the application permission is listed but not effective, and the Authorize step in the KSAT console will fail.

Create a Client Secret

After you have registered the SecurityCoach application and added API permissions, you can create a client secret. To create a client secret, follow the steps below:

Note: If you integrated the Microsoft 365 or MCAS product, you can skip this section and use the same client secret and expiration date. If you do not remember the client secret or expiration date, follow the steps below to create a new client secret.

  1. Log in to your Microsoft Azure portal and navigate to your Microsoft Entra ID.
  2. From the sidebar on the left side of the page, select App registrations and click on the registered application you added permissions to in the Add API Permissions section of this article. When you click on the registered application, the application’s overview page will display.
  3. From the sidebar on the left side of the page, select Certificates & secrets.
  4. Click + New client secret.
  5. Enter a description for the client secret and select an expiry window.
  6. Click Add. Once you click Add, the client secret Value and Expires date will display.
  7. Copy and save the client secret Value and Expires date somewhere that you can easily access. The Value is shown only once; after you leave this page it can no longer be retrieved and you will have to create a new secret. Store it in a password manager or secrets vault rather than in a shared document. You will need these credentials to complete the integration setup in the Set Up the Integration in Your KSAT Console section below.
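Before you paste the tenant, client ID, and client secret into the KSAT console, it is worth confirming that the three steps above produced what SecurityCoach needs: a client-credentials token for the Defender for Endpoint API whose roles claim contains Alert.Read.All. The following script is an added example, not KnowBe4 or Microsoft code. It assumes the standard Microsoft Entra ID token endpoint and the Defender for Endpoint API base URL, that app-only tokens list granted application permissions in the "roles" claim, and that the token's "aud" claim equals the API base URL; the environment variable names MDE_TENANT, MDE_CLIENT_ID, and MDE_CLIENT_SECRET are this example's own choice. The offline checks use a constructed, unsigned sample token so the logic can be exercised without a tenant.

```python
"""Sanity-check a Defender for Endpoint app registration before handing its
credentials to SecurityCoach (added example, not KnowBe4 or Microsoft code)."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed constants: Defender for Endpoint API base URL and the one application
# permission this integration needs (see the Add API Permissions section).
DEFENDER_API = "https://api.securitycenter.microsoft.com"
REQUIRED_ROLES = {"Alert.Read.All"}


def token_request(tenant, client_id, client_secret):
    """Build the client-credentials request (URL, form body) for the Entra ID token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DEFENDER_API}/.default",  # asks for all granted application permissions
    }).encode()
    return url, body


def decode_claims(jwt):
    """Decode a JWT payload without verifying the signature (we only inspect our own token)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims):
    """Return a list of problems that would make the KSAT Authorize step fail (empty list = OK)."""
    problems = []
    if claims.get("aud") != DEFENDER_API:  # assumption: aud is the API base URL
        problems.append(f"audience is {claims.get('aud')!r}, expected {DEFENDER_API!r}")
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        # Application permission not added, or admin consent not granted yet.
        problems.append("missing application permission(s): " + ", ".join(sorted(missing)))
    return problems


def sample_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration only; real tokens are signed."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def fetch_token(tenant, client_id, client_secret):
    """Exchange the client secret for an access token (network call)."""
    url, body = token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_alerts(token, top=5):
    """Read a few alerts to prove Alert.Read.All works end to end (network call)."""
    req = urllib.request.Request(f"{DEFENDER_API}/api/alerts?$top={top}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def verify_registration(tenant, client_id, client_secret):
    """Fetch a real token and return the list of problems found in its claims."""
    return check_claims(decode_claims(fetch_token(tenant, client_id, client_secret)))


if __name__ == "__main__":
    # Offline demonstration on constructed tokens: one good, one missing the permission.
    good = sample_jwt({"aud": DEFENDER_API, "roles": ["Alert.Read.All"]})
    bad = sample_jwt({"aud": DEFENDER_API, "roles": ["Machine.Read.All"]})
    print("good token:", check_claims(decode_claims(good)) or "OK")
    print("bad token: ", check_claims(decode_claims(bad)))
    # Live check against your tenant if the (example-specific) variables are set.
    if all(v in os.environ for v in ("MDE_TENANT", "MDE_CLIENT_ID", "MDE_CLIENT_SECRET")):
        problems = verify_registration(os.environ["MDE_TENANT"], os.environ["MDE_CLIENT_ID"],
                                       os.environ["MDE_CLIENT_SECRET"])
        if problems:
            sys.exit("\n".join(problems))
        token = fetch_token(os.environ["MDE_TENANT"], os.environ["MDE_CLIENT_ID"],
                            os.environ["MDE_CLIENT_SECRET"])
        print(f"token OK, {len(list_alerts(token))} alert(s) readable")
```

Run it with the three environment variables set to the Primary domain, Application (client) ID, and client secret Value from the sections above. A token that is issued but lacks Alert.Read.All in its roles claim usually means the permission was added but Grant admin consent was not clicked; a 401 from the alerts endpoint with a token that looks correct usually means the permission was granted on the wrong API (for example Microsoft Graph instead of WindowsDefenderATP).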

Set Up the Integration in Your KSAT Console

Once you've set up the integration in your Microsoft Azure portal, you can set up the integration in your KSAT console.

Note:To complete these steps, you will need to have both your Microsoft Azure portal and your KSAT console open in your browser.

To set up the integration in your KSAT console, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  2. In the Available Integrations section, locate the card for the Microsoft Defender for Endpoint application.
  3. At the bottom of the card, click Configure.

  4. In a separate browser window, log in to your Microsoft Azure portal and navigate to your Microsoft Entra ID.
  5. From the Overview page, scroll down to the Tenant information section. Then, copy the Primary domain.
  6. Navigate back to your KSAT console. In the Tenant field, paste your Primary domain.
  7. To get your client ID, navigate to your Microsoft Azure portal. Select App registrations and click on the registered application you added permissions to in the Add API Permissions section of this article. When you click on the registered application, the application’s overview page will display.
  8. On the application’s overview page, copy the Application (client) ID in the Essentials section at the top of the page.
  9. Navigate back to your KSAT console. In the Client ID field, paste your Application (client) ID.
  10. In the Client Secret field, enter the Value for the client secret that you created for Microsoft Defender for Endpoint, Microsoft 365, or MCAS.
  11. In the Token Expiration Date field, select the Expires date for the client secret that you created for Microsoft Defender for Endpoint, Microsoft 365, or MCAS. SecurityCoach uses this date to warn you before the secret expires; after it expires, the integration stops receiving data until you create a new secret and update this field.
  12. To finish setting up the integration, click Authorize.

Map Your Users

After you’ve finished integrating Microsoft Defender for Endpoint, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.

Once you’ve successfully authorized this integration, you can manage detection rules for Microsoft Defender for Endpoint on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.
