User Prerequisites to the Microsoft Defender for Endpoint TVM Connector

Microsoft Defender ATP Required Setup

Microsoft Defender ATP in Azure must be configured so that the Microsoft Defender for Endpoint TVM Connector can access the data needed for Cisco Vulnerability Management ingestion.

 

1) Log in to Azure (https://portal.azure.com/).

 

2) Select App registrations from the main menu.


 

3) Select New registration.


 

4) Name the application and select the Accounts in this organizational directory only radio button.

 

5) Click on the newly created application and select Certificates & Secrets from the menu. Select New Client Secret. Enter a description for the secret and set the expiration date in the Expires field. Click the Add button.

    • When the secret expires on the date set here, the credentials must be regenerated and updated in Cisco Vulnerability Management. Otherwise, the connector runs will fail.
    • Make sure to copy the secret value, as it will be obfuscated once you move away from that page.


 

6) Select API Permissions from the menu and click on Add a permission.


 

7) In the Request API permissions widget on the right side, find WindowsDefenderATP permissions under APIs my organization uses.


8) Select the checkboxes for the required API permissions and click on Add Permissions.

  • See table below for all required WindowsDefenderATP permissions

 

9) For the permissions to take effect, click Grant admin consent for the API permissions, then click the Yes button to confirm.

 

10) Once the permission is granted, the API permissions page will list the permissions with admin consent granted.

 

11) Make note of the Application (client) ID and Directory (tenant) ID of the application registered for Cisco Vulnerability Management. These IDs are required for the connector configuration in Kenna.

 

Important: The following WindowsDefenderATP permissions are required. If the permissions are not configured as specified, the connector run will fail with a “Not Authorized” error.

 

| Permission | Permission Type | Permission Display Name | Requirement |
|---|---|---|---|
| Vulnerability.Read.All | Application | Read Threat and Vulnerability Management vulnerability information | Required |
| Machine.Read.All | Application | Read all machine profiles | Required |
| SecurityRecommendation.Read.All | Application | Read Threat and Vulnerability Management security recommendation information | Highly recommended |
| RemediationTasks.Read.All | Application | Read Threat and Vulnerability Management vulnerability information | Highly recommended |
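To confirm the registration before a connector run, the following added example (not part of the original article or of Cisco's tooling) checks an app-only access token against the table above. It assumes the granted application permissions appear in the token's `roles` claim, as they do for Microsoft identity platform app-only tokens; the sample token and the helper names are constructed for illustration.

```python
import base64
import json

# Permission names taken from the table above.
REQUIRED = {"Vulnerability.Read.All", "Machine.Read.All"}
RECOMMENDED = {"SecurityRecommendation.Read.All", "RemediationTasks.Read.All"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(access_token: str) -> set:
    """Return the application permissions ("roles" claim) of an app-only token.

    The payload is decoded for inspection only; the signature is NOT verified,
    so this must never be used to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def check_permissions(access_token: str) -> dict:
    """Compare granted permissions with the table: missing ones and extras."""
    roles = token_roles(access_token)
    return {
        "ok": REQUIRED <= roles,
        "missing_required": sorted(REQUIRED - roles),
        "missing_recommended": sorted(RECOMMENDED - roles),
        # Anything beyond the table is more privilege than the connector needs.
        "extra": sorted(roles - REQUIRED - RECOMMENDED),
    }


def make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"aud": "constructed-sample", "roles": roles}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    sample = make_sample_token(["Machine.Read.All", "SecurityRecommendation.Read.All"])
    print(check_permissions(sample))
```

A non-empty `missing_required` list corresponds to the “Not Authorized” failure described above, and a non-empty `extra` list marks permissions that can be removed from the registration.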

 
