Microsoft Defender for Endpoint Integration

Microsoft Defender for Endpoint is an Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Defender for Endpoint users to leverage it for incident detection functions, threat hunting and investigation features, rapid response actions to understand and defend against threats on the endpoint, and providing important device inventory context to help triage detected threats.

Integration with Microsoft Defender for Endpoint allows you to incorporate Microsoft Defender for Endpoint detections alongside detections from other telemetry sources into Cisco XDR's overall incident detection and correlation capabilities.

Use the Microsoft Defender for Endpoint integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Microsoft Defender for Endpoint can be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates.

This integration can be used to provide host information, including vulnerability information for use in triaging incidents and detections. It creates a target automatically in Automation for out-of-box workflows and it provides important device inventory context to help triage detected threats.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the Microsoft Cloud integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The Microsoft Cloud integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Microsoft Defender for Endpoint integration in Cisco XDR.

Incidents are groups of correlated events generated using data ingested from your integrated products. By correlating events which could be part of a larger threat into an incident, it reduces the time typically required to investigate individual security alerts or detections. For more information about Cisco XDR Incidents feature, see Incidents.

When you enable the Microsoft Defender for Endpoint integration, Cisco XDR ingests the security alerts that are sent by Microsoft Defender for Endpoint and uses them for incident correlation.

To view incidents with Microsoft Defender for Endpoint data:

  1. In the Cisco XDR navigation menu, choose Incidents.

  2. Look for Microsoft Defender for Endpoint in the Source column to find incidents generated with Microsoft Defender for Endpoint data.

  3. Select an incident and open the Incident Detail page.

  4. Click on the Detection page to see events from Microsoft Defender for Endpoint and other sources.

You can perform the following tasks after you integrate Microsoft Defender for Endpoint with Cisco XDR:

  • Investigations - Start a new investigation into any combination of SHA-1, SHA-256, IPs, hostnames, and MS Machine IDs and the results will include any records of them found in your Microsoft Defender for Endpoint. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Microsoft Defender for Endpoint has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Microsoft Defender for Endpoint. Available actions include searching for IP addresses in Microsoft Defender for Endpoint. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.

  • Assets - View devices as reported by Microsoft Defender for Endpoint. For more information, including how to filter the view to only the reports from Microsoft Defender for Endpoint, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for Microsoft Defender for Endpoint can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Microsoft Defender for Endpoint can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Microsoft Defender for Endpoint target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses Microsoft Defender for Endpoint and is included in the Cisco Managed Incident Playbook can be used to isolate hostnames, block SHA-256 file hashes, identify vulnerabilities, and validate eradicated hosts and unquarantine assets. See Containment and Recovery on the Response page.