Skip to main content

🛡️ Azure Subscription Integration With Microsoft Defender For Endpoint is not enabled🟢

  • Contextual name: 🛡️ Integration With Microsoft Defender For Endpoint is not enabled🟢
  • ID: /ce/ca/azure/subscription/integration-with-microsoft-defender-for-endpoint
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

RulePoliciesFlags
✉️ dec-x-cff561fd3

Description

Open File

Description

The Endpoint protection component enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: When enabling integration between DfE and DfC, account for potential side effects that may be undesirable.

  1. For Server 2019 and above, if Defender is installed (default for these server SKUs), this triggers deployment of the new unified agent and links to any extended configuration in the Defender portal.
  2. If the new unified agent is required for server SKUs of Windows Server 2016 or Linux and lower, additional integration needs to be enabled and agents need to be aligned.

Rationale

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.

... see more

Remediation

Open File

Remediation

From Azure Portal

  1. From Azure Home, select the Portal Menu.
  2. Go to Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the subscription name.
  5. Click Settings & monitoring.
  6. Set the Status for Endpoint protection to On.
  7. Click Continue.

From Azure CLI

Use the below command to set Allow Microsoft Defender for Endpoint to access my data:

az account get-access-token \
    --query "{subscription:subscription,accessToken:accessToken}" \
    --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/{{subscription-id}}/providers/Microsoft.Security/settings/WDATP?api-version=2022-05-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below:

{ 
    "id": "/subscriptions/{{subscription-id}}/providers/Microsoft.Security/settings/WDATP", 
    "kind": "DataExportSettings", 
    "type": "Microsoft.Security/settings", 

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;911no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;911no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
💼 CIS Azure v1.3.0 → 💼 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected - Level 2 (Manual)11no data
💼 CIS Azure v1.4.0 → 💼 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected - Level 2 (Manual)11no data
💼 CIS Azure v5.0.0 → 💼 8.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Automated)1no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration29no data
💼 FedRAMP High Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)810no data
💼 FedRAMP Moderate Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)10no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1921no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies918no data