Microsoft Defender for Endpoint (Beta)

Connect Intezer's AutonomousDR with Microsoft Defender for Endpoint to automate alert triage, response, and hunting.

It is easy to set up Microsoft Defender as a source for alerts so Intezer can automate triage, investigations, and provide clear remediation steps. This reduces false positive alerts and highlights the confirmed threats with more context to ensure real incidents aren't overlooked.

• How Intezer for Microsoft Defender works
• Setting up the connection for Microsoft Defender alerts
• Automated Alert Remediation
• Setting up Intezer's Live Endpoint Scanner

How Intezer works with Microsoft Defender

1. Microsoft Defender detects malicious activity on an endpoint and triggers an alert.
2. Intezer automatically collects the relevant evidence (files, URLs, processes, memory images) from the endpoint using Defender's API and scans the relevant artifacts.
3. Intezer calculates triage verdicts and provides deep analysis results with clear recommendations to remediate the threat or tune the detection. From Intezer's dashboard, you can see triage results for false positives, confirmed threats, and top threat clusters.  
4. For all alerts, Intezer also posts relevant information as a comment to give you context on individual alerts from within the Microsoft Defender console.
5. For advanced in-memory threats (such as fileless and packed malware, malicious code injections, or unrecognized code), Intezer can launch the Live Endpoint Scanner using Defender's Live response.

Set up the connection

1. Follow these instructions to register Intezer as a new app: Microsoft's guide to creating an app. In steps 4-5 of the guide, add the following API permissions:
   • AdvancedQuery.Read.All
   • Alert.Read.All
   • Alert.ReadWrite.All
   • File.Read.All
   • Library.Manage
   • Machine.LiveResponse
   • Machine.Read.All
   • Machine.ReadWrite.All
2. In step 6 in the guide, save the generated secret value in a secured location.
3. In step 7 in the guide, you can find your Application ID and Directory (tenant) ID.
4. Go to Intezer's "Connect Sources" in Intezer, select Microsoft Defender for Endpoint, and fill your secret value, Application ID and Directory (tenant) ID in the relevant fields, and continue.

Automated Alert Remediation - coming soon...

Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.

Set up Intezer's Live Endpoint Scanner 

1. Download the script from Intezer's repository.
2. Upload the script to the library in Microsoft Defender.
3. Use the following input schema:
   

   {
     "$schema": "https://json-schema.org/draft-07/schema",
     "properties": {
       "api_key": {
         "type": "string"
       }
     },
     "required": [
       "api_key"
     ],
     "type": "object"
   }