Description:

This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.

1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.

2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.


Rationale:

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on

endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.

Impact:

Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing

the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per  resource.


Audit:

From Azure Portal

1. From Azure Home select the Portal Menu

2. Select Microsoft Defender for Cloud

3. Select Environment Settings blade

4. Click on the subscription name

5. Select the Integrations blade

6. Ensure setting Allow Microsoft Defender for Endpoint to access my data is selected.


From Azure CLI

Ensure the output of the below command is True

az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type:
application/json"
https://management.azure.com/subscriptions/<subscriptionID>/providers/Microso
ft.Security/settings?api-version=2021-06-01' | jq '.|.value[] |
select(.name=="WDATP")'|jq '.properties.enabled'

From PowerShell

Run the following commands to login and audit this check

Connect-AzAccount
Set-AzContext -Subscription <subscriptionID>
Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq
"WDATP"}
PowerShell Output - Non-Compliant
Name Enabled
---- -------
WDATP False
PowerShell Output - Compliant
Name Enabled
---- -------
WDATP True

Remediation:

From Azure Console

1. From Azure Home select the Portal Menu.

2. Go to Microsoft Defender for Cloud.

3. Select Environment Settings blade.

4. Select the subscription.

5. Select Integrations.

6. Check Allow Microsoft Defender for Endpoint to access my data.

7. Select Save.

From Azure CLI

Use the below command to enable Standard pricing tier for Storage Accounts

az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type:
application/json"
https://management.azure.com/subscriptions/<subscriptionID>/providers/Microso
ft.Security/settings/WDATP?api-version=2021-06-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below.

{
 "id":
"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/
WDATP",
 "kind": "DataExportSettings",
 "type": "Microsoft.Security/settings",
 "properties": {
 "enabled": true
 }
}
References:

1. https://docs.microsoft.com/en-in/azure/defender-for-cloud/integration-defenderfor-endpoint?tabs=windows

2. https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list

3. https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update

4.https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- endpoint-security#es-1-use-endpoint-detection-and-response-edr

5.https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- endpoint-security#es-2-use-modern-anti-malware-software