Summary
In order for the Check Point MDR team to monitor your logs from your Microsoft Defender XDR environment, we will require an application to be created and correct permissions assigned.
If you need any assistance with this procedure, please open a ticket in the MDR Customer portal under "MDR Support", or, if you are currently onboarding, reply to your welcome email and we will schedule a time to assist.
Note: Microsoft requires you to have an E5 or equivalent license (Defender Plan 2) to enable API monitoring. It is also important to note that Defender Plan 2 ONLY covers Endpoint. We will be unable to monitor Microsoft Defender XDR with MDR if you do not possess an E5 or equivalent license. We can attempt to enable monitoring for E3 or equivalent licensing if the API has been enabled by Microsoft but it is a best effort service.
Note: We will need these four items filled in on the Microsoft Defender XDR integration located in the MDR Profile page when adding:
- Client (Application) ID
- Secret Value
- Tenant (Directory) ID
- Recommended: "Use auditLogs Enrichment" - set to Yes if you use Azure
Procedure
Application Registration:
1. Sign in to the Microsoft Azure portal.
Ensure you are signed in to Azure as a user with the Global Administrator role.
2. Open the navigation menu and select Microsoft Entra ID under "Azure Services".
3. Under the "Manage" dropdown, select App registrations.
4. Select New registration.
Path: Microsoft Entra > App registrations > New registration.
5. Enter Check_Point_MDR in the Name text box.
6. In the Supported account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single tenant) is selected.
Note: all other fields here can be left with defaults.
7. Click Register.
8. Copy the Application (client) ID and Directory (tenant) ID values to a secure location.
9. In the navigation pane, under Manage, select Certificates & secrets.
10. In the Client secrets section, select + New client secret, and then create the secret:
1. Enter a meaningful description for the client secret.
2. Select one year in the future for the Expires field.
3. Click Add.
11. Verify that your new client secret appears in the Client secrets section, and then copy the Secret Value field to a secure location. We will not need the Secret ID, only the Value.
Application API Permissions Configuration:
1. In the navigation pane, under Manage, select API permissions.
2. In the Configured permissions section, click +Add a permission to open the Request API permissions page.
3. Select "Microsoft APIs" and then "Microsoft Graph".
4. Select Application permissions to open the permission type list.
NOTE: Please be sure that all permissions are set to the "Application" type and NOT "Delegated".
Recommended Permissions:
Microsoft Graph
- AuditLog.Read.All
- SecurityAlert.ReadWrite.All
- SecurityEvents.ReadWrite.All
- SecurityIncident.ReadWrite.All
- User.Read.All
Minimum Required Permissions:
Microsoft Graph
- User.Read.All
- SecurityAlert.ReadWrite.All
- SecurityIncident.ReadWrite.All
Required Permissions for Remediation Options:
WindowsDefenderATP
- Machine.Isolate
- Machine.ReadWrite.All
- Machine.Scan
To add these:
- Under Request API permissions, select APIs my organization uses.
- Select WindowsDefenderATP.
- Select Application permissions.
- Search "Machine" to multi-select the permissions listed above.
- Click Add permissions to apply. This returns you to the API permissions page, where the new permissions appear in the list.
Note: If a warning triangle (⚠) is present and an error shows "Not granted for XYZ Corp", click the "Grant admin consent" checkmark and then click the Yes button.
Note: After selecting "Grant admin consent", all permissions should show a green checkmark under Status and "Application" under Type.
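As an added example (not part of this article and not Check Point's or Microsoft's tooling), the following Microsoft Graph PowerShell script audits an existing Check_Point_MDR registration against the points above: single-tenant audience, Application rather than Delegated permissions, admin consent granted for the minimum required permissions, and client secrets that are neither expired nor valid for more than one year. The cmdlets and the Microsoft Graph resource app ID are standard; the check logic itself is an assumption.

```powershell
# Added example: audit a Check_Point_MDR app registration against this article's requirements.
# Assumes the Microsoft.Graph PowerShell SDK and an account that can read applications.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$appName      = "Check_Point_MDR"
$graphAppId   = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource application
$minimumRoles = @("User.Read.All", "SecurityAlert.ReadWrite.All", "SecurityIncident.ReadWrite.All")

$app = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named $appName was found." }
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$findings = @()

# 1. Single tenant, as step 6 of the registration procedure requires.
if ($app.SignInAudience -ne "AzureADMyOrg") {
    $findings += "Supported account type is '$($app.SignInAudience)'; expected single tenant (AzureADMyOrg)."
}

# 2. Every configured Graph permission must be Application ('Role'), never Delegated ('Scope').
$graphAccess = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId
foreach ($ra in $graphAccess.ResourceAccess) {
    if ($ra.Type -ne "Role") {
        $name = ($graphSp.Oauth2PermissionScopes | Where-Object Id -eq $ra.Id).Value
        $findings += "Delegated permission '$name' is configured; only Application permissions are needed."
    }
}

# 3. Minimum required roles must be configured AND admin-consented.
#    Consent appears as an app role assignment on the app's own service principal.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
           Where-Object ResourceId -eq $graphSp.Id
foreach ($roleName in $minimumRoles) {
    $role = $graphSp.AppRoles | Where-Object Value -eq $roleName
    $configured = $graphAccess.ResourceAccess | Where-Object { $_.Id -eq $role.Id -and $_.Type -eq "Role" }
    if (-not $configured) { $findings += "Required permission $roleName is not configured." }
    elseif (-not ($granted | Where-Object AppRoleId -eq $role.Id)) {
        $findings += "Permission $roleName is configured but admin consent has not been granted."
    }
}

# 4. Client secrets: flag expired ones and lifetimes beyond the one year used in step 10.
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt (Get-Date)) { $findings += "Secret '$($cred.DisplayName)' has expired." }
    elseif ($cred.EndDateTime -gt (Get-Date).AddYears(1)) { $findings += "Secret '$($cred.DisplayName)' is valid for more than one year." }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: $appName matches the MDR integration requirements." }
```

Run it after granting admin consent; any warning it prints corresponds to a step above that still needs attention.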
Full Microsoft Defender XDR Remediation guide: https://support.cpirt.io/hc/en-us/articles/36495597281179-Microsoft-Defender-XDR-Host-Isolation-Remediation