Microsoft Defender for Endpoint GCC Integration

Note: This integration is with Microsoft's GCC environment, and it will forward those logs to Cisco XDR's environment located in AWS Commercial Cloud. Be aware of this before choosing to configure this integration.

Microsoft Defender for Endpoint GCC is an Endpoint Detection and Response (EDR) offering. Microsoft Defender for Endpoint GCC security events can generate and contribute to correlated incidents in Cisco XDR. In Cisco XDR, we enable Defender for Endpoint users to leverage it for incident detection functions, threat hunting and investigation features, rapid response actions to understand and defend against threats on the endpoint, and providing important device inventory context to help triage detected threats.

Integration with Microsoft Defender for Endpoint GCC allows you to incorporate Microsoft Defender for Endpoint GCC detections alongside detections from other telemetry sources into Cisco XDR's overall incident detection and correlation capabilities.

Use the Defender for Endpoint GCC integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Defender for Endpoint GCC can be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates.

This integration can be used to provide host information, including vulnerability information for use in triaging incidents and detections. It creates a target automatically in Automation for out-of-box workflows and it provides important device inventory context to help triage detected threats.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the The Microsoft Government Community Cloud (GCC) integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The The Microsoft Government Community Cloud (GCC) integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Microsoft Defender for Endpoint GCC integration in Cisco XDR.

Incidents are groups of correlated events generated using data ingested from your integrated products. By correlating events which could be part of a larger threat into an incident, it reduces the time typically required to investigate individual security alerts or detections. For more information about Cisco XDR Incidents feature, see Incidents.

When you enable the Microsoft Defender for Endpoint GCC integration, Cisco XDR ingests the security alerts that are sent by Microsoft Defender for Endpoint GCC and uses them for incident correlation.

To view incidents with Microsoft Defender for Endpoint GCC data:

  1. In the Cisco XDR navigation menu, choose Incidents.

  2. Look for Microsoft Defender for Endpoint GCC in the Source column to find incidents generated with Microsoft Defender for Endpoint GCC data.

  3. Select an incident and open the Incident Detail page.

  4. Click on the Detection page to see events from Microsoft Defender for Endpoint GCC and other sources.

You can perform the following tasks after you integrate Microsoft Defender for Endpoint GCC with Cisco XDR:

  • Investigations - Start a new investigation into any combination of SHA-1, SHA-256, IPs, hostnames, and MS Machine IDs and the results will include any records of them found in your Microsoft Defender for Endpoint GCC. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Microsoft Defender for Endpoint GCC has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Microsoft Defender for Endpoint GCC. Available actions include searching for IP addresses in Microsoft Defender for Endpoint GCC. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.

  • Assets - View devices as reported by Microsoft Defender for Endpoint GCC. For more information, including how to filter the view to only the reports from Microsoft Defender for Endpoint GCC, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for Microsoft Defender for Endpoint GCC can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Microsoft Defender for Endpoint GCC can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Microsoft Defender for Endpoint GCC target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses Microsoft Defender for Endpoint GCC and is included in the Cisco Managed Incident Playbook can be used to isolate hostnames, block SHA-256 file hashes, identify vulnerabilities, and validate eradicated hosts and unquarantine assets. See Containment and Recovery on the Response page.