Description:
This setting enables Windows Defender ATP (WDATP) integration with Security Center. WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities to security center. This integration helps to spot abnormalities, and detect and respond to advanced attacks on Windows server endpoints monitored by Azure Security Center.
Rationale:
WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities to the security center. This integration helps to spot abnormalities, and detect and respond to advanced attacks on Windows server endpoints monitored by Azure Security Center. Windows Defender ATP in Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1 operating systems in a Standard service subscription. WDATP works only with Standard Tier subscriptions.
Impact:
WDATP works with the Standard pricing tier Subscription. Choosing the Standard pricing tier of Azure Security Center incurs an additional cost per resource.
Default Value:
With the Windows Defender ATP license, these alerts are enabled by default.
Remediation:
Pre-Requisite:
An Azure Defender plan for Enhanced security plan (Azure Defender is free for the first 30 days. At the end of 30 days, if you choose to continue using the service, you’ll automatically be charged for usage).
Test Plan:
Sign in to your Azure account.
Go to Security Center
Select Pricing & settings blade
- Click on the subscription name
- Select the Integrations blade
- Ensure setting Allow Windows Defender ATP to access my data is selected.
If not follow the Implementation
Using Azure Command Line Interface 2.0
Ensure the output of the below command is True
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings?api-version=2019-01-01' | jq '.|.value[] | select(.name=="WDATP")'|jq '.properties.enabled'
Implementation Steps:
Go to Azure Security Center
Select Security policy blade
- Click On Edit Settings to alter the security policy for a subscription
- Select the Integrations blade
- Check/Enable the option Allow Windows Defender ATP to access my data
- Select Save
Backout Plan:
Go to Azure Security Center
Select Pricing & settings blade
Click on the subscription name
Select the Threat Detection blade
Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected(how we can revoke the changes)
Using Azure Command Line Interface 2.0
Use the below command to enable the Standard pricing tier for Storage Accounts
az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"
https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings/WDATP?api-version=2019-01-01 -d@"input.json"'
Where input.json contains the Request body json data as mentioned below.
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/ WDATP",
"kind": "DataExportSetting",
"type": "Microsoft.Security/settings", "properties": {
"enabled": true
}
}