Skip to main content

🛡️ Azure Subscription Integration With Microsoft Defender For Endpoint is not enabled🟢

  • Contextual name: 🛡️ Integration With Microsoft Defender For Endpoint is not enabled🟢
  • ID: /ce/ca/azure/subscription/integration-with-microsoft-defender-for-endpoint
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

RulePoliciesFlags
✉️ dec-x-cff561fd3

Description

Open File

Description

This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.

IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.

  1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
  2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.

Rationale

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.

... see more

Remediation

Open File

Remediation

From Azure Console

  1. From Azure Home select the Portal Menu.
  2. Go to Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the subscription name.
  5. Click Settings & monitoring.
  6. Set the Status for Endpoint protection to On.
  7. Click Continue.

From Azure CLI

Use the below command to set Allow Microsoft Defender for Endpoint to access my data:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/settings/WDATP?api-version=2021-06-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below:

{ 
    "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/WDATP", 
    "kind": "DataExportSettings", 
    "type": "Microsoft.Security/settings", 
    "properties": { 

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;911no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;911no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
💼 CIS Azure v1.3.0 → 💼 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected - Level 2 (Manual)11no data
💼 CIS Azure v1.4.0 → 💼 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected - Level 2 (Manual)11no data
💼 CIS Azure v2.1.0 → 💼 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected - Level 2 (Manual)1no data
💼 CIS Azure v3.0.0 → 💼 3.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual)1no data
💼 CIS Azure v4.0.0 → 💼 9.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' (Manual)1no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration26no data
💼 FedRAMP High Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)810no data
💼 FedRAMP Moderate Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)10no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1921no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies918no data