feat(MicrosoftDefender): add the set up section

SEKOIA-IO · Feb 13, 2025 · 8de9807 · 8de9807
1 parent 0b425b5
commit 8de9807
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 3 deletions.
diff --git a/_shared_content/automate/library/microsoftdefenderxdr.md b/_shared_content/automate/library/microsoftdefenderxdr.md
@@ -6,7 +6,7 @@ type: playbook
 
 ![MicrosoftDefenderXDR](/assets/playbooks/library/microsoftdefenderxdr.png){ align=right width=150 }
 
- [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/defender-endpoint/) is an Endpoint Detection and Response (EDR) product that monitors the security of endpoints. The module required, at least, the Microsoft Defender for Endpoint plan 1
+ Microsoft Defender for Endpoint is an Endpoint Detection and Response (EDR) product that monitors the security of endpoints. The module required, at least, the Microsoft Defender for Endpoint plan 1
 
 ## Configuration
 
@@ -243,6 +243,71 @@ Update an alert
 | `determination` | `string` | The determination of the alert |
 | `category` | `string` | The category of the alert |
 
+## Set up
+
+## Configuration
+
+### Collect events
+
+#### Create an Azure application
+
+1. On the Azure Portal, in the search bar, go to `App registrations`
+2. Click `+ New registration`
+3. Type a name
+4. Select `Accounts in this organizational directory only` option as account type
+5. Click `Register`
+6. From the `Overview` page, copy `Application (client) ID` and `Directory (tenant) ID`
+
+
+#### Create a client secret
+
+1. Go to `Manage` > `Certificates & secrets`
+2. Click `+ New client secret`
+3. Type a description and select the desirated expiration period
+4. Click `Add`
+5. Copy the `Value` of the client secret
+
+#### Add permissions
+
+1. Go to `Manage` > `API permissions`
+2. Click `Add a permissions`
+3. On the right panel, Select `APIs my organization uses` tab
+4. Click `Office 365 Management APIs`
+5. Click `Application permissions`
+6. Select `ActivityFeed.Read`
+7. Click `Add permissions`
+8. In the `API permissions` page, click `Grant admin consent for TENANT_NAME`
+9. Click `Yes` in the `Grant admin consent confirmation` modal
+
+#### Install Agent
+
+1. On security.microsoft.com, go to `System > Parameters`
+2. Click `Endpoints` 
+3. Go to `Device Management > Onboarding`
+4. Download the Integration package
+
+[Read More](https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-script)
+
+#### Create an application with the permission
+
+1. In Microsoft EntraID, create a new application under `App registrations`.
+2. For the permissions, go to `API permission`
+3. Click `+ Add a permission`. Select `APIs my organization uses` and type `WindowsDefenderATP`. 
+4. Select `WindowsDefenderATP`.
+5. In the permissions, select:
+   - Machine.Isolate
+   - Machine.Offboard
+   - Machine.Read.All
+   - Machine.RestrictExecution
+   - Machine.Scan
+   - Machine.StopAndQuarantine
+   - Ti.Read.All
+   - Ti.ReadWrite
+   - Ti.ReadWrite.All
+   - Alert.ReadWrite.All
+6. After permissions selection, grant the admin consent.
+
+[Read More](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp)
 
 ## Extra
 

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -223,7 +223,6 @@ nav:
       - Operators: tip/features/automate/operators.md
       - Actions: tip/features/automate/actions.md
       - Actions Library:
-        - Overview: tip/features/automate/library/overview.md
         - Applicative:
           - Mandrill: tip/features/automate/library/mandrill.md
           - Mattermost: tip/features/automate/library/mattermost.md
@@ -262,6 +261,7 @@ nav:
           - Fortigate Firewalls: tip/features/automate/library/fortigate-firewalls.md
           - Sophos: tip/features/automate/library/sophos.md
           - Zscaler: tip/features/automate/library/zscaler.md
+        - Overview: tip/features/automate/library/overview.md
         - Threat Intelligence:
           - BinaryEdge's API: tip/features/automate/library/binaryedge-s-api.md
           - Censys: tip/features/automate/library/censys.md
@@ -499,7 +499,6 @@ nav:
       - WatchGuard Firebox: integration/categories/network_security/watchguard_firebox.md
       - Zscaler Internet Access: integration/categories/network_security/zscaler_zia.md
   - List of Playbooks Actions:
-    - Overview: integration/action_library/overview.md
     - Applicative:
       - Mandrill: integration/action_library/mandrill.md
       - Mattermost: integration/action_library/mattermost.md
@@ -538,6 +537,7 @@ nav:
       - Fortigate Firewalls: integration/action_library/fortigate-firewalls.md
       - Sophos: integration/action_library/sophos.md
       - Zscaler: integration/action_library/zscaler.md
+    - Overview: integration/action_library/overview.md
     - Threat Intelligence:
       - BinaryEdge's API: integration/action_library/binaryedge-s-api.md
       - Censys: integration/action_library/censys.md