
πŸ“ Microsoft Defender For Cloud Integration With Microsoft Defender For Endpoint is not enabled 🟒

  • Contextual name: 📝 Integration With Microsoft Defender For Endpoint is not enabled 🟢
  • ID: /ce/ca/azure/subscription/integration-with-microsoft-defender-for-endpoint
  • Located in: 📝 Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-cff561fd3

Logic

Description

This integration setting allows Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection', 'ATP' or 'WDATP'; see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: When enabling the integration between DfE and DfC, take into account that it has side effects that may be undesirable.

  1. On Windows Server 2019 and above, if Defender is installed (the default for these server SKUs), enabling the integration triggers deployment of the new unified agent, which links to any extended configuration in the Defender portal.
  2. If the new unified agent is required on server SKUs of Windows 2016 or lower, or on Linux, additional integration must be switched on and the agents must be aligned.

Rationale

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.


Remediation

From Azure Console

  1. From Azure Home select the Portal Menu.
  2. Go to Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the subscription name.
  5. Click Settings & monitoring.
  6. Set the Status for Endpoint protection to On.
  7. Click Continue.

From Azure CLI

Use the below command to set Allow Microsoft Defender for Endpoint to access my data:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/settings/WDATP?api-version=2021-06-01 -d@"input.json"'

Where input.json contains the request body JSON shown below (the command pipes the subscription ID and access token from az account get-access-token into bash -c, so $1 is the bearer token):

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/WDATP",
  "kind": "DataExportSettings",
  "type": "Microsoft.Security/settings",
  "properties": {

... [see more](remediation.md)
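The portal and CLI steps above change the setting but do not show how to verify it afterwards, which is what a compliance policy like this one actually evaluates. The following Python script is an added example and not part of the original page or of any Microsoft or Cloudaware tooling. It assumes the same REST resource the page's curl command uses (Microsoft.Security/settings/WDATP, api-version 2021-06-01), assumes the DataExportSettings kind carries a boolean properties.enabled field (the page's JSON excerpt stops before that field), and uses constructed sample responses rather than data captured from a real subscription. The evaluation function treats anything other than an explicit true as non-compliant, so a missing, malformed or string-valued field can never pass the check.

```python
"""Check (and optionally enable) the Defender for Endpoint integration setting.

Added example, not code from the original page.  Assumptions (labelled):
  * the setting lives at Microsoft.Security/settings/WDATP, api-version 2021-06-01
    (same resource the page's curl command writes to);
  * the DataExportSettings kind carries a boolean ``properties.enabled``;
  * SAMPLE_* responses below are constructed, not captured from a tenant.
"""
import json
from urllib import error, request

API_VERSION = "2021-06-01"


def wdatp_setting_url(subscription_id: str) -> str:
    """Resource URL of the Defender for Endpoint integration setting."""
    return (
        "https://management.azure.com/subscriptions/"
        f"{subscription_id}/providers/Microsoft.Security/settings/WDATP"
        f"?api-version={API_VERSION}"
    )


def build_enable_body(subscription_id: str) -> dict:
    """Request body equivalent to the page's input.json, with the setting enabled."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/WDATP",
        "kind": "DataExportSettings",
        "type": "Microsoft.Security/settings",
        "properties": {"enabled": True},
    }


def evaluate_wdatp_setting(setting) -> str:
    """Map a GET response for the WDATP setting to a compliance verdict.

    'COMPLIANT' only when the resource is present, of the expected kind and
    explicitly enabled (boolean True).  Every other shape is 'NON_COMPLIANT',
    so a partial or malformed response fails closed instead of passing.
    """
    if not isinstance(setting, dict):
        return "NON_COMPLIANT"
    if setting.get("kind") != "DataExportSettings":
        return "NON_COMPLIANT"
    props = setting.get("properties")
    if not isinstance(props, dict) or props.get("enabled") is not True:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def fetch_setting(subscription_id: str, access_token: str) -> dict:
    """GET the live setting (network call; not exercised offline).

    The token can come from ``az account get-access-token`` as on the page.
    A 404 is treated as 'not configured' and handed to evaluate_wdatp_setting,
    which reports it as non-compliant.
    """
    req = request.Request(
        wdatp_setting_url(subscription_id),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    try:
        with request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except error.HTTPError as exc:
        if exc.code == 404:
            return {}
        raise


def enable_setting(subscription_id: str, access_token: str) -> dict:
    """PUT the enabling body (network call); same request the page's curl sends."""
    body = json.dumps(build_enable_body(subscription_id)).encode()
    req = request.Request(
        wdatp_setting_url(subscription_id),
        data=body,
        method="PUT",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


# Constructed sample responses (placeholder subscription id, not real data).
_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_ENABLED = build_enable_body(_SUB)
SAMPLE_DISABLED = {**SAMPLE_ENABLED, "properties": {"enabled": False}}
SAMPLE_STRING_TRUE = {**SAMPLE_ENABLED, "properties": {"enabled": "true"}}

if __name__ == "__main__":
    for name, sample in (
        ("enabled", SAMPLE_ENABLED),
        ("disabled", SAMPLE_DISABLED),
        ("string 'true'", SAMPLE_STRING_TRUE),
        ("missing resource", {}),
    ):
        print(f"{name:>18}: {evaluate_wdatp_setting(sample)}")
```

Running the script offline prints the verdict for each constructed sample; only the first is COMPLIANT. To audit a real subscription, call fetch_setting with a subscription ID and a bearer token and pass the result to evaluate_wdatp_setting; enable_setting performs the same PUT as the page's curl command when remediation is needed.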

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 16f information security reporting and analytics; (counts: 911)
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security; (counts: 911)
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; (counts: 1821)
💼 CIS Azure v1.3.0 → 💼 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected - Level 2 (Manual) (counts: 11)
💼 CIS Azure v1.4.0 → 💼 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected - Level 2 (Manual) (counts: 11)
💼 CIS Azure v2.1.0 → 💼 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected - Level 2 (Manual) (counts: 1)
💼 CIS Azure v3.0.0 → 💼 3.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual) (counts: 1)
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration (counts: 26)
💼 FedRAMP High Security Controls → 💼 IR-6(1) Automated Reporting (M)(H) (counts: 810)
💼 FedRAMP Moderate Security Controls → 💼 IR-6(1) Automated Reporting (M)(H) (counts: 10)
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification (counts: 1820)