Microsoft 365 Defender

Enterprise

runZero integrates with Microsoft 365 Defender to allow you to sync and enrich your asset inventory. Adding your Microsoft 365 Defender data to runZero makes it easier to find assets missing EDR protection.

How runZero maps Microsoft 365 Defender hosts to assets:

  • For hosts that can be matched to an existing runZero asset, asset-level attributes such as operating system, hardware platform, hostname, and MAC address will be updated, and Defender-specific attributes will be added.
  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with Microsoft 365 Defender data when the hostname or MAC address overlaps. Microsoft 365 Defender devices can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.
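The matching rule above (hostname or MAC overlap, update matched assets, create the rest in the chosen site) as an added worked example in Python. This is not runZero's code; the inventory records and the Defender host records are constructed samples, and the Defender field names (computerDnsName, osPlatform, healthStatus, ipAddresses/macAddress) are modelled on the Defender for Endpoint machines API but should be treated as assumptions. It goes one step beyond the page by normalising MAC formats and hostname case before comparing, and by listing which assets still have no Defender source afterwards, which is the "missing EDR" question the integration is meant to answer.

```python
import copy
import re

# Constructed sample inventory in a runZero-like shape (not real runZero data).
SAMPLE_INVENTORY = [
    {"id": "a1", "site": "HQ", "hostnames": ["ws01.corp.example"], "macs": [],
     "os": "Windows 10", "attributes": {}, "sources": ["scan"]},
    {"id": "a2", "site": "HQ", "hostnames": ["db-server"], "macs": ["00-11-22-33-44-55"],
     "os": None, "attributes": {}, "sources": ["scan"]},
    {"id": "a3", "site": "HQ", "hostnames": ["printer1"], "macs": ["AA:BB:CC:DD:EE:FF"],
     "os": None, "attributes": {}, "sources": ["scan"]},
]

# Constructed sample Defender host records; field names are assumptions.
SAMPLE_DEFENDER_HOSTS = [
    {"id": "m-001", "computerDnsName": "WS01.corp.example", "osPlatform": "Windows10",
     "healthStatus": "Active", "ipAddresses": []},
    {"id": "m-002", "computerDnsName": "DB01", "osPlatform": "WindowsServer2019",
     "healthStatus": "Active",
     "ipAddresses": [{"ipAddress": "10.0.0.5", "macAddress": "001122334455"}]},
    {"id": "m-003", "computerDnsName": "laptop7", "osPlatform": "Windows11",
     "healthStatus": "Inactive", "ipAddresses": []},
]

DEFENDER_SOURCE = "Microsoft 365 Defender"


def normalize_mac(mac):
    """Canonicalise a MAC to lowercase colon-separated form; None if malformed."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_hostname(name):
    """Compare on the short, case-folded hostname (WS01.corp.example == ws01)."""
    return name.split(".")[0].lower() if name else None


def merge_defender_hosts(inventory, defender_hosts, site):
    """Match Defender hosts to assets by hostname or MAC; create the rest in `site`.

    Returns the merged inventory plus the ids of updated and created assets.
    """
    inventory = copy.deepcopy(inventory)
    by_host, by_mac = {}, {}
    for asset in inventory:
        for h in asset["hostnames"]:
            by_host.setdefault(normalize_hostname(h), asset)
        for m in asset["macs"]:
            if normalize_mac(m):
                by_mac.setdefault(normalize_mac(m), asset)

    created, updated = [], []
    for host in defender_hosts:
        name = host.get("computerDnsName")
        macs = [normalize_mac(ip.get("macAddress")) for ip in host.get("ipAddresses", [])]
        match = by_host.get(normalize_hostname(name))
        if match is None:
            match = next((by_mac[m] for m in macs if m in by_mac), None)
        if match is None:
            # No overlap: new asset lands in the site chosen for the task.
            match = {"id": f"new-{len(created) + 1}", "site": site, "hostnames": [],
                     "macs": [], "os": None, "attributes": {}, "sources": []}
            inventory.append(match)
            created.append(match["id"])
        else:
            updated.append(match["id"])
        # Asset-level attributes are refreshed, Defender-specific ones added.
        if name and normalize_hostname(name) not in map(normalize_hostname, match["hostnames"]):
            match["hostnames"].append(name)
        for m in macs:
            if m and m not in map(normalize_mac, match["macs"]):
                match["macs"].append(m)
        if host.get("osPlatform"):
            match["os"] = host["osPlatform"]
        match["attributes"]["defender.machineId"] = host.get("id")
        match["attributes"]["defender.healthStatus"] = host.get("healthStatus")
        if DEFENDER_SOURCE not in match["sources"]:
            match["sources"].append(DEFENDER_SOURCE)
    return {"inventory": inventory, "updated": updated, "created": created}


def assets_missing_edr(inventory):
    """Ids of assets that no Defender host was matched to (the EDR-coverage gap)."""
    return [a["id"] for a in inventory if DEFENDER_SOURCE not in a.get("sources", [])]


if __name__ == "__main__":
    result = merge_defender_hosts(SAMPLE_INVENTORY, SAMPLE_DEFENDER_HOSTS, site="Remote")
    print("updated:", result["updated"], "created:", result["created"])
    print("missing EDR:", assets_missing_edr(result["inventory"]))
```

With the sample data, a1 is matched on hostname (case and domain suffix ignored), a2 on MAC despite a different hostname, and laptop7 becomes a new asset in the "Remote" site; only the printer is left without a Defender source.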

Getting started

To set up the Microsoft 365 Defender integration, you’ll need to:

  1. Configure Microsoft 365 Defender to allow API access through runZero.
  2. Add the Microsoft 365 Defender credential in runZero.
  3. Activate the Microsoft 365 Defender connection to sync your data with runZero.

Requirements

Before you can set up the Microsoft 365 Defender integration:

  • Verify that you have runZero Enterprise.
  • Make sure you have access to the Microsoft Azure portal.

Step 1: Register an Azure application for Microsoft 365 Defender API access

runZero can authenticate to the Microsoft 365 Defender API using a client secret. Register an application to configure Microsoft 365 Defender API access.

  1. Log into the Microsoft Azure portal.
  2. Go to Azure Active Directory > App registrations and click on New registration.
    • Provide a name.
    • Select the supported account types.
    • Optionally add a redirect URI.
  3. Click Register to register the application.
  4. Once the application is created, you should see the Overview dashboard. Note the following information:
    • Application (client) ID
    • Directory (tenant) ID
  5. From the application’s details page, go to API permissions > Add a permission.
  6. Select WindowsDefenderATP from the list of Microsoft APIs.
  7. Select Application permissions as the permission type, since runZero authenticates as the application itself using a client secret rather than on behalf of a signed-in user.
  8. Search for and select the following required permissions:
    • Windows Defender ATP API permissions:
      • Machine.Read.All
  9. Click Add permissions to save the permissions to the application.
  10. Navigate to Azure Active Directory > App registrations and select the application you created.
  11. Go to Certificates & secrets and click on New client secret.
    • Enter a description.
    • Select the expiration.
  12. Click Add to create the client secret and save the client secret value.
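Before handing the client secret to runZero, it is worth confirming that the registration actually works end to end: exchange the tenant ID, client ID and secret for a token with the OAuth 2.0 client-credentials grant, check that the token carries the Machine.Read.All application role (it will be absent if the permission was not added or not consented to), and page through the machines endpoint. The following is an added example in Python using only the standard library; it is not runZero's code. The token endpoint, the `https://api.securitycenter.microsoft.com/.default` scope and the `/api/machines` endpoint are Microsoft's documented values for the Defender for Endpoint (WindowsDefenderATP) API, and the environment-variable names are this example's own choice.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Microsoft endpoints for the client-credentials flow against the
# WindowsDefenderATP API (assumed here; verify against your tenant's docs).
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"
MACHINES_URL = "https://api.securitycenter.microsoft.com/api/machines"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for a client_credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }).encode()
    return TOKEN_URL_TEMPLATE.format(tenant=tenant_id), body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_roles(access_token):
    """Read the 'roles' claim from a JWT payload without verifying the signature.

    This is a local diagnostic of which application permissions were granted;
    it is not token validation, which is the API's job, not the client's.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return set(json.loads(_b64url_decode(parts[1])).get("roles", []))


def check_required_roles(access_token, required=("Machine.Read.All",)):
    """Return the required application roles that are missing from the token."""
    return sorted(set(required) - token_roles(access_token))


def build_unsigned_token(claims):
    """Constructed sample token for offline checks only; not a valid token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def list_machines(access_token, url=MACHINES_URL):
    """Fetch all machine records, following OData paging via @odata.nextLink."""
    machines = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        machines.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return machines


def main():
    # Secrets are read from the environment so they never sit in the script.
    url, body = build_token_request(os.environ["AZURE_TENANT_ID"],
                                    os.environ["AZURE_CLIENT_ID"],
                                    os.environ["AZURE_CLIENT_SECRET"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    missing = check_required_roles(token)
    if missing:
        raise SystemExit(f"token lacks application roles {missing}: "
                         "check API permissions and that admin consent was granted")
    print(f"{len(list_machines(token))} machines visible to this registration")


if __name__ == "__main__":
    main()
```

A token that authenticates fine but has an empty roles claim is the usual symptom of a permission that was added but never consented to; catching it here saves a round of "credential saved, sync returns nothing" debugging inside runZero. Treat the secret value the same way you would any other service credential: it is a bearer of Machine.Read.All across the whole tenant.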

Step 2: Add an Azure Client Secret credential to runZero

This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).

  1. Go to the Credentials page in runZero and click Add Credential.
  2. Provide a name for the credential, like Azure Client Secret.
  3. Choose Azure Client Secret from the list of credential types.
  4. Provide the following information:
    • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure client secret - To generate a client secret, go to Azure Active Directory > App registrations, select your application, go to Certificates & secrets and click on New client secret.
    • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Select the Access all subscriptions in this directory (tenant) option to sync all resources in your directory. Otherwise, specify the Azure subscription ID - the unique ID for the subscription you want to sync. This can be found in the Azure portal if you go to Subscriptions and select the subscription.
  5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 3: Set up and activate the Microsoft 365 Defender connection to sync data

After you add your Microsoft 365 Defender credential, you’ll need to set up a connection to sync your data from Microsoft 365 Defender. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Microsoft 365 Defender-only assets are created.

  1. Activate a connection to Microsoft 365 Defender. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credential you added earlier. If you don’t see the credential listed, make sure it has access to the organization you are currently in.
  3. Enter a name for the task, like Microsoft 365 Defender sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4: View Microsoft 365 Defender assets

After a successful sync, you can go to your inventory to view your Microsoft 365 Defender assets. These assets will have an Active Directory icon listed in the Source column.

To filter by Microsoft 365 Defender assets, consider running the following queries:

Click into each asset to see its individual attributes. runZero will show you the attributes returned by Microsoft 365 Defender.