Microsoft Defender for Endpoint

Connect Intezer's Autonomous SOC with Microsoft Defender for Endpoint* to automate alert triage, response, and hunting.

* Supported plans: Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business.

It is easy to set up Microsoft Defender as a source for alerts so Intezer can automate triage, investigations, and provide clear remediation steps. This reduces false positive alerts and highlights the confirmed threats with more context to ensure real incidents aren't overlooked.

• How Intezer for Microsoft Defender works
• Setting up the connection for Microsoft Defender alerts
• Automated Alert Remediation
• Setting up Intezer's Live Endpoint Scanner

How Intezer works with Microsoft Defender

1. Microsoft Defender detects malicious activity on an endpoint and triggers an alert.
2. Intezer automatically collects the relevant evidence (files, URLs, processes, memory images) from the endpoint using Defender's API and scans the relevant artifacts.
3. Intezer calculates triage verdicts and provides deep analysis results with clear recommendations to remediate the threat or tune the detection. From Intezer's dashboard, you can see triage results for false positives, confirmed threats, and top threat clusters.  
4. For all alerts, Intezer also posts relevant information as a comment to give you context on individual alerts from within the Microsoft Defender console.
5. For advanced in-memory threats (such as fileless and packed malware, malicious code injections, or unrecognized code), Intezer can launch the Live Endpoint Scanner using Defender's Live response.

Connect Microsoft Defender as an Alert Source in Intezer 

1. Follow these instructions to register Intezer as a new app: Microsoft's guide to creating an app. In steps 4-5 of the guide, add the following API permissions:
   • AdvancedQuery.Read.All
   • Alert.Read.All
   • Alert.ReadWrite.All
   • File.Read.All
   • Library.Manage
   • Machine.LiveResponse
   • Machine.Read.All
   • Machine.ReadWrite.All
2. In step 6 in the guide, save the generated secret value in a secured location.
3. In step 7 in the guide, you can find your Application ID and Directory (tenant) ID.
4. Go to Intezer's "Connect Sources" in Intezer, select Microsoft Defender for Endpoint, and fill your secret value, Application ID and Directory (tenant) ID in the relevant fields, and continue.

Automated Alert Remediation

Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.

How does it work?

Any alert that EDR deems to be risky or malicious but Intezer issues a “Trusted” verdict after deeper analysis is considered a “false positive” by Intezer.

All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer changes the initial Detection Status to “False Positive”.

What type of alerts are auto-remediated?

Based on a pre-defined configuration, you select the alert classifications that you would like to apply auto-remediation

How to get started?

Contact us at support@intezer.com to enable auto-remediation.

Set up Intezer's Live Endpoint Scanner 

1. Follow the setup guide: Set Up Live Endpoint Scanner Script in Your EDR
2. To allow automatic Live Endpoint Scanner to be triggered by Intezer, contact Intezer's support