Microsoft Defender integration
With an MS Defender EDR (Endpoint Detection and Response) integration, you can receive entity enrichment for Investigator detections.
The MS Defender integration seamlessly blends Defender EDR with Investigator network detection capabilities and maps Corelight IP addresses from detections to Defender’s host information. When integrated, detections show valuable entity context within the detection details. The expanded data provides additional context to analyze threats and helps analysts make informed decisions during the triage process.
To configure the integration, you need to have Microsoft Defender OAuth2 API access with read access to the managed device information. Within Investigator, you need admin access. (Analyst users can view the integration but cannot make changes.)
If you want to enable Network Containment integration, the Microsoft Defender API client needs read and write permissions for Hosts. Incorrect settings will impact containment operations.
To integrate MS Defender with Investigator
From System Settings in the left navigation, choose Integrations.
In the Integrations tab, click the Microsoft Defender card.
An integration dialog box appears.
Toggle the integration value to Enabled.
If you want to allow admin users to isolate entities from the network, toggle the Isolate Entity slider to Enabled.
To enable Network Containment for hosts, your MS Defender API client needs write permissions for hosts so that Investigator can enable the feature.
Enter your MS Defender Tenant ID.
Enter your MS Defender App ID and App Secret Key.
These values are available from the Azure portal. For more information on creating and obtaining these values, see the Microsoft documentation Overview of management and APIs.
Specify the Polling Time in minutes.
Use this field to customize the interval for updates to the EDR data. The minimum interval is 5 minutes.
Click Verify Connection to ensure Investigator can access your Defender data.
You cannot save your connection until you verify it.
Click Save.
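A pre-flight check of the settings the steps above ask for (Tenant ID, App ID, App Secret, host permissions, and the polling minimum), written as an added example and not code from Corelight or Microsoft. It assumes the Microsoft identity platform v2.0 token endpoint and the Defender for Endpoint application permission names Machine.Read.All, Machine.ReadWrite.All and Machine.Isolate as documented by Microsoft at time of writing; the function names are my own.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"
READ_PERMS = {"Machine.Read.All", "Machine.ReadWrite.All"}  # either one covers host read access
CONTAINMENT_PERMS = {"Machine.Isolate"}  # needed only when Isolate Entity is enabled
MIN_POLL_MINUTES = 5  # Investigator's documented minimum polling interval

def token_request(tenant_id, app_id, app_secret):
    """Return (url, form body) for the OAuth2 client-credentials grant."""
    form = {"grant_type": "client_credentials", "client_id": app_id,
            "client_secret": app_secret, "scope": DEFENDER_SCOPE}
    return TOKEN_URL.format(tenant=tenant_id), form

def fetch_token(tenant_id, app_id, app_secret):
    """Perform the token request over the network and return the access token string."""
    url, form = token_request(tenant_id, app_id, app_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Extract the 'roles' claim (granted application permissions) from a JWT.
    No signature check: this only inspects a token we just received, for diagnostics."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def preflight(roles, isolate_entity, poll_minutes):
    """Return a list of configuration problems; an empty list means the settings are usable."""
    problems = []
    if not roles & READ_PERMS:
        problems.append("client lacks host read permission (Machine.Read.All)")
    if isolate_entity and not roles & CONTAINMENT_PERMS:
        problems.append("Isolate Entity is enabled but Machine.Isolate was not granted")
    if poll_minutes < MIN_POLL_MINUTES:
        problems.append(f"polling time {poll_minutes} is below the {MIN_POLL_MINUTES}-minute minimum")
    return problems

def sample_token(roles):
    """Constructed, unsigned JWT-shaped string for offline testing; not a real token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])
```

Run `preflight(token_roles(fetch_token(tenant, app_id, secret)), isolate_entity, poll_minutes)` against a real client to see which of the requirements from the steps above are not met before clicking Verify Connection.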
With MS Defender configured and enabled, detection details show detailed entity information and identify Defender as the source of the content.
If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.
If you want to disable the integration and delete your connection details, click the Delete icon.
Note
If needed, update your firewall rules to allow network traffic from Investigator.
The source IP address for Investigator is fixed for a region: the North America (us-west-2) IP address is 35.81.184.144, the EU IP address is 35.157.240.249 (for eu.investigator.com), and the Middle East IP address is 40.172.28.44 (for me.investigator.com).
For endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas - AWS General Reference.