This article discusses integrating data from Microsoft Defender for Endpoint to generate stories that you can review in the Cato Stories Workbench.
Using the Microsoft API, you can integrate alert data from Microsoft Defender for Endpoint to generate stories for endpoint devices. The endpoint stories help you get a more complete picture of potential threats in your network.
The Cato Endpoint Alerts engine creates a story by correlating data from Defender Alerts that occurred on the same device within a 24-hour period. Endpoint Alert stories include all relevant evidence for the Alert detected by Defender. The Stories Workbench shows the endpoint stories together with the other story types, and you can sort and filter the stories to focus on the Endpoint Alert stories.
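The correlation rule described above (same device, 24-hour window) is easy to misread, so here is an added illustration of how such grouping behaves on constructed alert records; this is example code, not Cato's engine, and it assumes the window is anchored at the first alert of a story.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed sample alerts shaped like Defender for Endpoint alert records
# (only the fields needed for grouping; not real data).
SAMPLE_ALERTS = [
    {"id": "a1", "deviceName": "ws-01", "createdTime": "2024-03-01T08:00:00Z"},
    {"id": "a2", "deviceName": "ws-01", "createdTime": "2024-03-01T20:30:00Z"},
    {"id": "a3", "deviceName": "ws-02", "createdTime": "2024-03-01T09:15:00Z"},
    {"id": "a4", "deviceName": "ws-01", "createdTime": "2024-03-02T09:00:00Z"},
    {"id": "a5", "deviceName": "ws-01", "createdTime": "2024-03-02T10:00:00Z"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, window=WINDOW):
    """Group alerts into stories: one device per story, and every alert within
    `window` of the story's first alert (assumed anchoring; the page does not
    say whether the window is anchored or rolling)."""
    stories = []
    ordered = sorted(alerts, key=lambda a: (a["deviceName"], _ts(a["createdTime"])))
    for alert in ordered:
        t = _ts(alert["createdTime"])
        current = stories[-1] if stories else None
        if (current and current["device"] == alert["deviceName"]
                and t - current["start"] <= window):
            current["alerts"].append(alert["id"])
            current["end"] = t
        else:
            # Different device, or more than 24h after the story started: new story
            stories.append({"device": alert["deviceName"], "start": t,
                            "end": t, "alerts": [alert["id"]]})
    return stories


if __name__ == "__main__":
    for story in correlate(SAMPLE_ALERTS):
        print(story["device"], story["start"].isoformat(), story["alerts"])
```

With the sample data, a4 lands 25 hours after a1 on the same device and therefore opens a second story for ws-01 rather than extending the first.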
To integrate Defender for Endpoint alert data with Cato XDR, you need to first set up API connectors for Microsoft 365 and for Defender for Endpoint. After creating the connectors, the Endpoint Alert engine retrieves and analyzes the alert data from Defender for Endpoint.
This is a high-level description of the workflow for integrating and reviewing Defender for Endpoint stories in the Stories Workbench:
- Create the Microsoft 365 parent connector.
- Create the Defender for Endpoint connector.
- Review the Endpoint Alert stories in the Stories Workbench.

The settings in the Story Actions panel are not configurable for Endpoint Alert stories. All fields related to the actions appear as N/A. For more about the Story Actions panel, see below.
To configure Cato's Microsoft Defender connector to fetch alert data, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the Defender connector. The parent app only has permissions to manage the Microsoft connectors. After configuring the Microsoft 365 connector, you can configure a Defender connector to retrieve the alert data.
If you want to import alert data from different sub-organizations within your organization, create a separate Microsoft 365 connector for each relevant Azure tenant, and then configure a Defender connector for each tenant.
- A Microsoft 365 E3 license or higher is required
- The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's Defender connector
To let the Defender connector retrieve the alert data from your Microsoft 365 account, the connector gives Cato the following permissions and actions with Microsoft 365:
- Connect to the Microsoft APIs and read all Defender for Endpoint data for an organization
- Sign in and read user profile
Configure a parent Microsoft 365 connector and then define a Defender connector for the Microsoft 365 account.
If your organization already configured a Microsoft 365 parent connector for another feature, such as a SaaS Security API policy for Microsoft apps, or for importing MIP labels to your DLP policy, you only need to configure a Defender connector.
Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the relevant Azure tenant. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.
To configure the Microsoft 365 parent endpoint connector:
- From the navigation menu, select Security > Connectors, and select the Connectors Settings tab.
- Click New. The New Connector panel opens.
- From the SaaS Application drop-down menu, select the Microsoft 365 app.
- Enter a unique Connector Name.
- Click Authorize and Save. A new browser tab opens to the Microsoft 365 app.
- In the new browser tab, authenticate to the Microsoft 365 app:
  - Select the Microsoft account for the Microsoft 365 app.
  - Enter the password for the app and approve it.
  - Accept the permissions to let Cato access the Microsoft 365 app.
  - The screen shows that you have successfully applied the permissions for the app. You can close the browser tab and return to the Cato Management Application.
- The Microsoft 365 SaaS application is added to the Connectors Settings page. It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.
Use the Cato Management Application to create the Microsoft Defender for Endpoint SaaS application connector for the Azure tenant with the alert data you want to use. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.
Note: When you create an API connector for a Microsoft 365 app, the connector creates an authentication certificate that is valid for 3 months, and renews the certificate 7 days before expiration.
To configure the Microsoft Defender connector:
- From the navigation menu, select Security > Connectors, and select the Connectors Settings tab.
- Click New. The New Connector panel opens.
- From the SaaS Application drop-down menu, select the Microsoft Defender app.
- From the Connector Tenant drop-down menu, select the parent Microsoft 365 connector for the tenant with the alert data you want to use.
- Enter a unique Connector Name for the Defender connector.
- Click Save.
- After the connector is successfully created, click Authorize. A new browser tab opens to the Microsoft 365 app.
- In the new browser tab, authenticate to the Microsoft 365 app:
  - Select the Microsoft account for the Microsoft 365 app.
  - Enter the password for the app and approve it.
  - Accept the permissions to let Cato access the Microsoft 365 app.
  - The screen shows that you have successfully applied the permissions for the app. You can close the browser tab and return to the Cato Management Application.
- The Microsoft Defender SaaS application is added to the Connectors Settings page. It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.
The Status column on the Connectors Settings page shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:
- Connected - Your account is connected to the app and it is working correctly
- Pending user consent - Permissions have not been granted to let Cato access the Microsoft 365 app. To resolve this issue, refresh the browser. If the Status changes to Connected, the issue is resolved. If the Status doesn't change, delete and recreate the connector.
- Error - There is a connectivity, permissions, or other issue with the Microsoft connector. Delete and recreate the connector.
The Stories Workbench page shows a summary of the stories for the potential threats in your account.
For information about the columns in the Stories Workbench, see Understanding the Stories Columns.
You can group and filter the stories according to the Endpoint Alert story type to quickly find stories for endpoint devices. For more about grouping and filtering stories, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.
You can click a story in the Stories Workbench to drill down and investigate the details on a separate page. This page contains a number of widgets that help you evaluate the potential threat identified in the story.
When you drill down to investigate an Endpoint Alert story, you can review all the Defender Alerts that the story is based on, and examine in detail the pieces of evidence that relate to each Alert. The Evidences include processes, files, and registry values, and can be reviewed in two different ways:
- A chronological process tree presented in the context of a specific Alert - This helps you understand the sequence of events that looked suspicious and generated the Alert.
  Note: It is occasionally possible that the process tree for a story is unavailable due to Microsoft Defender API connectivity issues.
- The Evidences table - Provides an overview of the Evidences from all the Endpoint Alert stories. This helps you assess more broadly the prevalence of specific malicious or suspicious activities on the endpoint device.
These are the story drill-down widgets:

Name | Description
---|---
Story summary (top row) | The Overview shows a summary of basic information about the story, including: Use the Actions drop-down menu and select Manage Story to change story settings such as Analyst Verdict, Analyst Severity, Status, and Classification. The Related Stories tab provides context for the story you're investigating by letting you quickly review stories with the same source and stories with similar characteristics involving different sources on your network.
 | Shows a timeline of the story, such as changes made to the story verdict and severity, and when new Alerts are added to the story
Details | Basic information for analyzing the story, including:
Device | Name and operating system for the endpoint device associated with the story
User | Shows the user name and domain name for the user logged into the endpoint device
Alerts | Shows details for the Alerts related to the story. These are the columns in the Alerts table:
Evidences | Aggregates details for all the Processes, Files, and Registry values identified in the evidence for the various story Alerts. Some of the columns in the Evidences table are shared by all the types of Evidences, and some are specific per type. These are the columns that appear for all types of Evidences: These are the specific columns for each type of Evidence: