Microsoft Defender for Endpoint v1.0.0 Plugin for Risk Exchange

This plugin is used to fetch device data from the Assets > Devices page and user data from the Assets > Devices > Select device > Overview > Logged on users page of the Microsoft Defender for Endpoint platform. The plugin supports the Isolate device, Undo isolation, Restrict app execution, Remove app restriction, Run antivirus scan, Offboard device and Collect investigation package actions on devices, and doesn’t support any action on users.

Netskope normalized score calculation: RiskLevel Low = 875, RiskLevel Medium = 625, RiskLevel High = 375. For the RiskLevels ‘None’ and ‘Informational’ the normalized score value is left blank.

Prerequisites

To complete this integration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
  • Connectivity to Microsoft Defender platform.
  • Connectivity to the following hosts:
    • https://security.microsoft.com
    • https://entra.microsoft.com

CE Version Compatibility

Netskope v5.1.0

Microsoft Defender for Endpoint Plugin Support

This plugin is used to fetch device data from the Assets > Devices page and user data from the Assets > Devices > Select device > Overview > Logged on users page of the Microsoft Defender for Endpoint platform. The plugin supports the Isolate device, Undo isolation, Restrict app execution, Remove app restriction, Run antivirus scan, Offboard device and Collect investigation package actions on devices, and doesn’t support any action on users.

Type of data pulled
  • Device
  • Users
Actions Supported
  • Isolate device
  • Undo isolation
  • Restrict app execution
  • Remove app restriction
  • Run antivirus scan
  • Offboard device
  • Collect investigation package
Mappings

Mappings are used to view the pulled Users, Devices, and their respective details. Fields mapped during plugin configuration are visible on the Records page after the data is pulled. Here are the suggested mappings to use while configuring the plugin.

Pull Mapping for Users
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy
User ID            | String             | User ID               | Unique
User Name          | String             | User Name             | Overwrite
User Domain        | String             | User Domain           | Overwrite
First Seen         | Date               | First Seen            | Overwrite
Computer Name      | Reference          | Computer Name         | Overwrite

Pull Mapping for Devices
Plugin Field Label        | Expected Data Type | Suggested Field Label | Aggregate Strategy
Computer Name             | String             | Computer Name         | Unique
Device ID                 | String             | Device ID             | Overwrite
OS                        | String             | Os Platform           | Overwrite
Last IP Address           | String             | Last IP Address       | Overwrite
Risk Score                | String             | Risk Score            | Overwrite
Netskope Normalized Score | Number             | Normalized Score      | Overwrite

Note that the Netskope Normalized Score is calculated from the Risk Score value pulled from the platform. The Normalized Score is added to a record only if its Risk Score is low, medium, or high.

Score Mapping
Defender Risk Score                           | Netskope Normalized Score
low                                           | 875
medium                                        | 625
high                                          | 375
Other Risk Score Levels (None, Informational) | None (blank)

Permissions

Here are the required permissions needed for the plugin:

  • Machine.CollectForensics
  • Machine.Isolate
  • Machine.RestrictExecution
  • Machine.Scan
  • Machine.Offboard
  • Machine.Read.All
  • User.Read.All
API Details
List of APIs Used
API Endpoint                                          | Method | Use Case
/api/machines                                         | GET    | Fetch devices and update records
/api/machines/{deviceID}/isolate                      | POST   | Isolate machine from network
/api/machines/{deviceID}/unisolate                    | POST   | Release machine from isolation
/api/machines/{deviceID}/restrictCodeExecution        | POST   | Restrict application execution
/api/machines/{deviceID}/unrestrictCodeExecution      | POST   | Remove application execution restrictions
/api/machines/{deviceID}/runAntiVirusScan             | POST   | Run an antivirus scan using Windows Defender
/api/machines/{deviceID}/offboard                     | POST   | Offboard machine from Microsoft Defender for Endpoint
/api/machines/{deviceID}/collectInvestigationPackage  | POST   | Collect an investigation package from a machine
/api/machines/{deviceID}/logonusers                   | GET    | Fetch device logon users

Authentication

This plugin uses a Python library to generate authentication tokens:

  • Library: Microsoft Authentication Library for Python (msal).
  • Usage: msal is used with the client-credentials flow to obtain an access token for the Microsoft Defender APIs.

Create a new session with credentials

import msal

tenant_id = "<tenantID>"          # Directory (tenant) ID from the app registration
client_id = "<clientID>"          # Application (client) ID from the app registration
client_secret = "<clientSecret>"  # client secret value
proxy = None                      # e.g. {"https": "http://proxy.example:8080"} when CE egresses via a proxy

# Resource scope for the Defender for Endpoint API; the authority is the tenant's login endpoint.
scope = ["https://api.securitycenter.microsoft.com/.default"]
authority = f"https://login.microsoftonline.com/{tenant_id}"

app = msal.ConfidentialClientApplication(
    client_id=client_id, authority=authority, client_credential=client_secret, proxies=proxy
)
auth_json = app.acquire_token_for_client(scopes=scope)
auth_token = auth_json.get("access_token", "")  # empty string means the request failed; see auth_json["error_description"]
Fetch Devices and Update Records

API Endpoint: <Base URL>/api/machines
Method: GET
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Parameters

Key Value
$top 1
$skip 1

Sample API Response

{
    "@odata.context": "https://api.security.microsoft.com/api/$metadata#Machines",
    "value": [
        {
            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
            "computerDnsName": "mymachine1.contoso.com",
            "firstSeen": "2018-08-02T14:55:03.7791856Z",
            "lastSeen": "2018-08-02T14:55:03.7791856Z",
            "osPlatform": "Windows10",
            "version": "1709",
            "osProcessor": "x64",
            "lastIpAddress": "172.17.230.209",
            "lastExternalIpAddress": "167.220.196.71",
            "osBuild": 18209,
            "healthStatus": "Active",
            "rbacGroupId": 140,
            "rbacGroupName": "The-A-Team",
            "riskScore": "Low",
            "exposureLevel": "Medium",
            "isAadJoined": true,
            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
            "machineTags": [ "test tag 1", "test tag 2" ]
        }
        ...
    ]
}
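The following is an added example (not code from the Netskope plugin or from Microsoft) of the pull described above: it pages through /api/machines with $top and $skip, maps each record to the suggested Device field labels from the mapping table, and derives the Netskope Normalized Score from riskScore exactly as the score-mapping table states. The fetch_page callable, make_http_fetcher, and the SAMPLE_MACHINES data are assumptions introduced here so the example runs offline; the headers and parameters are the ones listed on this page.

```python
from typing import Callable, List, Optional

# Score mapping taken from this page: low/medium/high -> 875/625/375,
# None/Informational -> blank (represented as None).
RISK_TO_NORMALIZED = {"low": 875, "medium": 625, "high": 375}


def normalized_score(risk_score: Optional[str]) -> Optional[int]:
    """Case-insensitive lookup of the Netskope Normalized Score; None means blank."""
    if not risk_score:
        return None
    return RISK_TO_NORMALIZED.get(risk_score.strip().lower())


def map_device(machine: dict) -> dict:
    """Map one /api/machines record to the suggested Device field labels."""
    return {
        "Computer Name": machine.get("computerDnsName"),
        "Device ID": machine.get("id"),
        "Os Platform": machine.get("osPlatform"),
        "Last IP Address": machine.get("lastIpAddress"),
        "Risk Score": machine.get("riskScore"),
        "Normalized Score": normalized_score(machine.get("riskScore")),
    }


def pull_devices(fetch_page: Callable[[int, int], dict], page_size: int = 100) -> List[dict]:
    """Walk the collection with $top/$skip until a page comes back short.

    fetch_page(top, skip) is a hypothetical transport (not a plugin or msal API) that returns
    the parsed JSON body of GET <Base URL>/api/machines?$top=top&$skip=skip. Records lacking
    "id" or "computerDnsName" are skipped: the troubleshooting section requires both mapped.
    """
    records: List[dict] = []
    skip = 0
    while True:
        page = fetch_page(page_size, skip).get("value", [])
        for machine in page:
            if machine.get("id") and machine.get("computerDnsName"):
                records.append(map_device(machine))
        if len(page) < page_size:
            return records
        skip += page_size


def make_http_fetcher(base_url: str, auth_token: str, proxies=None) -> Callable[[int, int], dict]:
    """Real transport using the requests library and the headers listed on this page.
    A 403 means the app registration lacks Machine.Read.All or the credentials are gone."""
    def fetch_page(top: int, skip: int) -> dict:
        import requests  # imported here so the offline sample below needs no network stack
        resp = requests.get(
            f"{base_url}/api/machines",
            headers={"Authorization": f"Bearer {auth_token}",
                     "Content-Type": "application/json", "Accept": "*/*"},
            params={"$top": top, "$skip": skip},
            proxies=proxies, timeout=60,
        )
        if resp.status_code == 403:
            raise PermissionError("403 from /api/machines: verify Machine.Read.All and the client secret")
        resp.raise_for_status()
        return resp.json()
    return fetch_page


# Constructed sample data shaped like the page's sample response (not real devices).
SAMPLE_MACHINES = [
    {"id": "aaa111", "computerDnsName": "host1.example.test", "osPlatform": "Windows10",
     "lastIpAddress": "10.0.0.1", "riskScore": "Low"},
    {"id": "bbb222", "computerDnsName": "host2.example.test", "osPlatform": "Windows11",
     "lastIpAddress": "10.0.0.2", "riskScore": "High"},
    {"id": "ccc333", "computerDnsName": "host3.example.test", "osPlatform": "Linux",
     "lastIpAddress": "10.0.0.3", "riskScore": "Informational"},
    {"id": "ddd444", "computerDnsName": None, "osPlatform": "Windows10",
     "lastIpAddress": "10.0.0.4", "riskScore": "Medium"},
]


def fake_fetch_page(top: int, skip: int) -> dict:
    """Offline stand-in for the transport: slices the constructed list like $top/$skip would."""
    return {"@odata.context": "constructed", "value": SAMPLE_MACHINES[skip:skip + top]}


if __name__ == "__main__":
    for rec in pull_devices(fake_fetch_page, page_size=2):
        print(rec)
```

The device without a computerDnsName is dropped rather than stored, which mirrors the troubleshooting guidance that both "id" and "computerDnsName" must be mapped; the "Informational" device is kept but gets a blank Normalized Score.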
Isolate a Machine

API Endpoint: <Base URL>/api/machines/{deviceID}/isolate
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body (IsolationType is either "Full" or "Selective")

{
      "Comment": "Comment to associate with the action",
      "IsolationType": "Full"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "Isolate",
        "scope": "Selective",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Release a Machine from Isolation

API Endpoint: <Base URL>/api/machines/{deviceID}/unisolate
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body

{
     "Comment": "Comment to associate with the action"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "Unisolate",
        "scope": "Selective",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Restrict an App Execution

API Endpoint: <Base URL>/api/machines/{deviceID}/restrictCodeExecution
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body

{
     "Comment": "Comment to associate with the action"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "RestrictCodeExecution",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Remove an App Restriction

API Endpoint: <Base URL>/api/machines/{deviceID}/unrestrictCodeExecution
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body

{
     "Comment": "Comment to associate with the action"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "UnrestrictCodeExecution",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Run an Antivirus Scan

API Endpoint: <Base URL>/api/machines/{deviceID}/runAntiVirusScan
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body (ScanType is either "Full" or "Quick")

{
     "Comment": "Comment to associate with the action",
     "ScanType": "Full"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "RunAntiVirusScan",
        "scope": "Quick",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Offboard a Machine

API Endpoint: <Base URL>/api/machines/{deviceID}/offboard
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body

{
     "Comment": "Comment to associate with the action"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "Offboard",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
Collect an Investigation Package

API Endpoint: <Base URL>/api/machines/{deviceID}/collectInvestigationPackage
Method: POST
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Body

{
     "Comment": "Comment to associate with the action"
}

Sample API Response (Status Code: 201)

{
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
        "type": "CollectInvestigationPackage",
        "requestor": "Analyst@TestPrd.onmicrosoft.com",
        "requestorComment": "test for docs",
        "status": "Succeeded",
        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test",
        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
        "relatedFileInfo": null
}
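The following is an added example (not the plugin's own code) covering the seven POST actions documented above: it builds the request path and JSON body for each action, validates the IsolationType and ScanType choices against the values the page allows before anything is sent, and interprets the response, treating 201 as the only success status shown here and explaining a 403 in terms of the permission the page lists for that action. The post callable, make_http_post, the fake_post stub and the SENT list are assumptions introduced for this example so it runs offline.

```python
from typing import Callable, Optional, Tuple

# Per action: endpoint suffix, the body field that must be chosen (if any), its allowed
# values, and the permission this page lists for it (used to explain a 403).
ACTIONS = {
    "Isolate device": ("isolate", "IsolationType", ("Full", "Selective"), "Machine.Isolate"),
    "Undo isolation": ("unisolate", None, (), "Machine.Isolate"),
    "Restrict app execution": ("restrictCodeExecution", None, (), "Machine.RestrictExecution"),
    "Remove app restriction": ("unrestrictCodeExecution", None, (), "Machine.RestrictExecution"),
    "Run antivirus scan": ("runAntiVirusScan", "ScanType", ("Full", "Quick"), "Machine.Scan"),
    "Offboard device": ("offboard", None, (), "Machine.Offboard"),
    "Collect investigation package": ("collectInvestigationPackage", None, (), "Machine.CollectForensics"),
}


class ActionError(Exception):
    """Raised when a machine action cannot be built or Defender rejects it."""


def build_action(action: str, device_id: str, comment: str,
                 option: Optional[str] = None) -> Tuple[str, dict]:
    """Return (path, body) for one action, validating inputs before anything is sent."""
    if action not in ACTIONS:
        raise ActionError(f"unsupported action: {action!r}")
    if not device_id or not device_id.isalnum():
        # Defender machine IDs are hex strings; anything else would mangle the URL path.
        raise ActionError("device_id must be a non-empty alphanumeric machine ID")
    if not comment:
        raise ActionError("Comment is required so the action is attributable in Action Center")
    suffix, field, allowed, _permission = ACTIONS[action]
    body = {"Comment": comment}
    if field is not None:
        if option not in allowed:
            raise ActionError(f"{field} must be one of {allowed}, got {option!r}")
        body[field] = option
    elif option is not None:
        raise ActionError(f"{action!r} takes no option")
    return f"/api/machines/{device_id}/{suffix}", body


def run_action(post: Callable[[str, dict], Tuple[int, dict]], action: str, device_id: str,
               comment: str, option: Optional[str] = None) -> dict:
    """Send one action. post(path, body) is a hypothetical transport returning (status, json).
    The returned body carries the action "id" and "status" for tracking in Action Center."""
    path, body = build_action(action, device_id, comment, option)
    status, resp = post(path, body)
    if status == 403:
        raise ActionError(f"403 on {path}: app registration lacks {ACTIONS[action][3]} "
                          "or the client secret is no longer valid")
    if status != 201:
        raise ActionError(f"unexpected HTTP {status} on {path}: {resp}")
    return resp


def make_http_post(base_url: str, auth_token: str, proxies=None):
    """Real transport using requests and the headers listed on this page."""
    def post(path: str, body: dict) -> Tuple[int, dict]:
        import requests  # imported here so the offline sample below needs no network stack
        resp = requests.post(base_url + path, json=body, proxies=proxies, timeout=60,
                             headers={"Authorization": f"Bearer {auth_token}",
                                      "Content-Type": "application/json", "Accept": "*/*"})
        try:
            data = resp.json()
        except ValueError:
            data = {"raw": resp.text}
        return resp.status_code, data
    return post


# Constructed offline transport: records what would be sent and answers like the samples.
SENT = []


def fake_post(path: str, body: dict) -> Tuple[int, dict]:
    SENT.append((path, body))
    if path.endswith("/offboard"):  # pretend this app registration lacks Machine.Offboard
        return 403, {"error": {"message": "constructed forbidden"}}
    return 201, {"id": "00000000-0000-0000-0000-000000000000", "type": path.rsplit("/", 1)[1],
                 "status": "Succeeded", "machineId": path.split("/")[3]}


if __name__ == "__main__":
    print(run_action(fake_post, "Isolate device", "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
                     "contain host pending IR review", "Selective"))
```

Validating the option before the request means a mistyped ScanType or IsolationType fails locally instead of producing an opaque 4xx in the CE logs, and the 403 message points the operator at the exact permission from the Permissions section.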
Fetch Devices Logon Users

API Endpoint: <Base URL>/api/machines/{deviceID}/logonusers
Method: GET
Headers

Key Value
Authorization Bearer <auth_token>
Content-Type application/json
Accept */*

Sample API Response

{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
    "value": [
        {
            "id": "contoso\\user1",
            "accountName": "user1",
            "accountDomain": "contoso",
            "firstSeen": "2019-12-18T08:02:54Z",
            "lastSeen": "2020-01-06T08:01:48Z",
            "logonTypes": "Interactive",
            "isDomainAdmin": true,
            "isOnlyNetworkUser": false
        },
        ...
    ]
}
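The following is an added example (not the plugin's own code) tying the logon-users response above to the Pull Mapping for Users table: it fetches logon users for each pulled device, maps them to the suggested field labels with Computer Name as the Reference to the Device entity, and merges records across devices using the aggregate strategies from the table (User ID Unique, all other fields Overwrite). It also shows a small triage check on the isDomainAdmin and logonTypes fields from the sample response. The fetch_users callable, the DEVICES and SAMPLE_LOGONS data and fake_fetch_users are assumptions constructed for this example.

```python
from typing import Callable, Dict, List, Tuple


def map_user(user: dict, computer_name: str) -> dict:
    """Map one logonusers record to the suggested User field labels; Computer Name is the
    Reference field pointing at the Device entity's Computer Name."""
    return {
        "User ID": user.get("id"),
        "User Name": user.get("accountName"),
        "User Domain": user.get("accountDomain"),
        "First Seen": user.get("firstSeen"),
        "Computer Name": computer_name,
    }


def pull_logon_users(fetch_users: Callable[[str], dict], devices: List[dict]) -> List[dict]:
    """For each mapped device call GET /api/machines/{deviceID}/logonusers through the
    hypothetical transport fetch_users(device_id) and map every returned user."""
    pulled: List[dict] = []
    for dev in devices:
        body = fetch_users(dev["Device ID"])
        for user in body.get("value", []):
            if user.get("id"):  # User ID is required to pull users
                pulled.append(map_user(user, dev["Computer Name"]))
    return pulled


def aggregate_users(pulled: List[dict]) -> Dict[str, dict]:
    """Apply the mapping table's aggregate strategies: User ID is Unique (the record key),
    every other field is Overwrite (the most recently pulled value wins)."""
    records: Dict[str, dict] = {}
    for rec in pulled:
        uid = rec["User ID"]
        if uid in records:
            records[uid].update({k: v for k, v in rec.items() if k != "User ID"})
        else:
            records[uid] = dict(rec)
    return records


def domain_admin_interactive_logons(raw_by_device: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """Triage helper: (device key, user id) pairs where a domain admin has an Interactive
    logon, using the isDomainAdmin and logonTypes fields shown in the sample response."""
    hits = []
    for device_key, users in raw_by_device.items():
        for u in users:
            if u.get("isDomainAdmin") and "Interactive" in str(u.get("logonTypes", "")):
                hits.append((device_key, u["id"]))
    return hits


# Constructed sample data (not real accounts), keyed by device ID.
DEVICES = [
    {"Device ID": "aaa111", "Computer Name": "host1.example.test"},
    {"Device ID": "bbb222", "Computer Name": "host2.example.test"},
]
SAMPLE_LOGONS = {
    "aaa111": [
        {"id": "contoso\\admin1", "accountName": "admin1", "accountDomain": "contoso",
         "firstSeen": "2024-01-01T08:00:00Z", "logonTypes": "Interactive", "isDomainAdmin": True},
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "firstSeen": "2024-01-02T08:00:00Z", "logonTypes": "Network", "isDomainAdmin": False},
    ],
    "bbb222": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "firstSeen": "2024-01-03T08:00:00Z", "logonTypes": "Interactive", "isDomainAdmin": False},
    ],
}


def fake_fetch_users(device_id: str) -> dict:
    """Offline stand-in for GET <Base URL>/api/machines/{deviceID}/logonusers."""
    return {"@odata.context": "constructed", "value": SAMPLE_LOGONS.get(device_id, [])}


if __name__ == "__main__":
    for uid, rec in aggregate_users(pull_logon_users(fake_fetch_users, DEVICES)).items():
        print(uid, rec)
    print(domain_admin_interactive_logons(SAMPLE_LOGONS))
```

Because Computer Name uses the Overwrite strategy, a user seen on several devices ends up referencing whichever device was pulled last; if the full device history matters, keep the per-device rows from pull_logon_users rather than the aggregated view.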
Performance Matrix

The performance readings below were taken on a Large CE stack with the VM specifications listed, pulling 500K Device records and 500K User records from the Microsoft Defender for Endpoint plugin.

Stack details
  • Size: Large
  • RAM: 32 GB
  • CPU: 16 Cores

Time taken to store the pulled and updated Device records: ~30 mins
Time taken to store the pulled User records: ~40 mins

User Agent

netskope-ce-5.1.0-cre-microsoft-defender-for-endpoint-1.0.0

Workflow

  1. Get your Tenant ID, Application (Client) ID, and Client Secret.
  2. Add Permissions to the Configuration Parameter.
  3. Configure the Microsoft Defender for Endpoint plugin.
  4. Add a Business Rule.
  5. Add Actions.
  6. Validate the Microsoft Defender for Endpoint plugin.

Get your Tenant ID and Application (Client) ID

  1. Go to https://entra.microsoft.com/ and log in with your credentials.
  2. Expand Applications on the left side and click App registrations.
  3. Click New Registration.
  4. Provide the name for the application and click Register.
  5. Copy the Application (client) ID, which is the Client (Application) ID in Netskope, and the Directory (tenant) ID, which is the Tenant ID in Netskope. Click Certificates & Secrets.
  6. Click New client secret. Add a description and click Save.
  7. Copy the value; it is the Client Secret needed for plugin configuration.

Add Permissions to the Configuration Parameter

  1. Click API permissions.
  2. Click Add a permission.
  3. Click APIs my organization uses, and then click WindowsDefenderATP.
  4. Click Application permissions.
  5. Select these permissions, and then click Add permission.
    • Machine.CollectForensics
    • Machine.Isolate
    • Machine.RestrictExecution
    • Machine.Scan
    • Machine.Offboard
    • Machine.Read.All
    • User.Read.All
  6. Click Grant admin consent for Contoso.
  7. Click Yes.

Configure the Microsoft Defender for Endpoint Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the Microsoft Defender for Endpoint 1.0.0 (CRE) plugin box.
  2. Enter the Basic Information:
    • Configuration Name: Enter a plugin configuration name.
    • Sync Interval: Change the sync interval if needed.

  3. Click Next. Enter the Configuration Parameters:
    • Client (Application) ID: The Application ID for Microsoft Defender.
    • Client Secret: The Secret value of Client (Application) ID for Microsoft Defender.
    • Tenant ID: The Tenant ID of your Microsoft Account.

  4. Click Next. Go to the Devices tab in Entity Sources. Select the Entity from the Entity dropdown, and provide the field mappings per your requirements:
    • The Computer Name field is required to perform actions and to pull devices.
    • The Computer Name field in the Users entity should reference the Computer Name field from the Device entity.

  5. Go to the Users tab in Entity Sources. Select the Entity from the Entity dropdown, and provide the field mapping per your requirements:
    • The User ID field is required to pull users.
    • The Computer Name field in the Users entity should reference the Computer Name field from the Device entity.

  6. Click Save.

Add a Risk Exchange Business Rule for Microsoft Defender for Endpoint

  1. In Risk Exchange go to Business Rules.
  2. Click Create New Rule in the top right corner.
  3. Enter the Rule Name. Select the Entity whose fields were configured for the Microsoft Defender for Endpoint plugin, and configure the query based on your requirements. This example selects all the devices pulled by the Microsoft Defender for Endpoint plugin.
  4. Click Save.

Add Risk Exchange Actions for Microsoft Defender for Endpoint

The Microsoft Defender for Endpoint plugin supports the following actions for Devices:

Isolate machine / Unisolate
  • Description: Isolates a device from accessing an external network. / Release machine from isolation.
  • Requirements: Machine ID, IsolationType
  • Permission: Machine.Isolate
  • Comments: Selective isolation for Windows 10 >= v1709 and Windows 11. Full isolation is available in public preview for all supported Microsoft Defender for Endpoint on Linux listed in System requirements.

Restrict app execution / Remove app restriction
  • Description: Restrict execution of all applications on the device except a predefined set. / Enable execution of any application on the device.
  • Requirements: Machine ID
  • Permission: Machine.RestrictExecution
  • Comments: Only Windows 10 >= v1709 and Windows 11. Prerequisite: available only if the organization uses Microsoft Defender Antivirus.

Run antivirus scan
  • Description: Initiate a Microsoft Defender Antivirus scan on a device.
  • Requirements: Machine ID, ScanType (Quick or Full)
  • Permission: Machine.Scan
  • Comments: Windows devices: Windows 10 >= v1709, Windows 11.

Offboard a Machine
  • Description: Offboard device from Defender for Endpoint.
  • Requirements: Machine ID
  • Permission: Machine.Offboard
  • Comments: Supported on Windows 11, Windows 10 >= v1703, Windows Server 2019 and later, Windows Server 2012 R2, and Windows Server 2016. Not supported on macOS or Linux devices.

Collect investigation package
  • Description: Collect an investigation package from a device.
  • Requirements: Machine ID
  • Permission: Machine.CollectForensics
  • Comments: Available for Windows 10 >= v1703 and Windows 11.

The Microsoft Defender for Endpoint plugin supports the following actions for Users:

  • “No Action” will not perform any action on Users.

To configure these actions, follow these steps.
Note:

  • Users will be able to perform actions on the fields mapped with the fields of the Microsoft Defender for Endpoint plugin.
  • If only No Action is supported for a plugin, Validation will not show the alerts generated on the CTO module.

Isolate a Machine

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Isolate device.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Isolation Type, select the options accordingly.
  6. For Comment, add a description.
  7. Enable the Require Approval toggle if approval is needed before performing action on the users.
  8. Click Save.

Undo Isolation

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Undo isolation.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Comment, add a description.
  6. Enable the Require Approval toggle if approval is needed before performing action on the users.
  7. Click Save.

Restrict App Execution

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Restrict App Execution.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Comment, add a description.
  6. Enable the Require Approval toggle if approval is needed before performing action on the users.
  7. Click Save.

Run Antivirus Scan

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Run antivirus scan.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Scan Type, select the options accordingly.
  6. For Comment, add a description.
  7. Enable the Require Approval toggle if approval is needed before performing action on the users.
  8. Click Save.

Offboard a Device

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Offboard device.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Comment, add a description.
  6. Enable the Require Approval toggle if approval is needed before performing action on the users.
  7. Click Save.

Remove App Restriction

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Remove app restriction.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Comment, add a description.
  6. Enable the Require Approval toggle if approval is needed before performing action on the users.
  7. Click Save.

Collect Investigation Package

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business rule and a Configuration (your plugin).
  3. From the Actions dropdown, select Collect investigation package.
  4. For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
  5. For Comment, add a description.
  6. Enable the Require Approval toggle if approval is needed before performing action on the users.
  7. Click Save.

Validate the Microsoft Defender for Endpoint Plugin

Validate on CE

To validate the pull in CE, follow these steps:

  1. Go to Risk Exchange and click Records. Select the Entity that was selected while configuring the field mappings for Devices to view the pulled Devices.
  2. Select the Entity that was selected while configuring the field mapping for Users to view the pulled Users.
  3. Go to Logging and search for the logs of the plugin.
    Example: Message Contains CRE Microsoft Defender for Endpoint.
  4. Verify the Restrict app execution action was performed for a device.
  5. Verify the Isolate device action was performed for a device.
  6. Verify the Remove app restriction action was performed for a device.
  7. Verify the Run antivirus scan action was performed for a device.
  8. Verify the Offboard device action was performed for a device.
  9. Verify the Collect investigation package action was performed for a device.
  10. Verify the Undo isolation action was performed for a device.

Validation on Microsoft Defender for Endpoint

The Devices are pulled from the Assets > Devices page from the Defender platform.

The Users are pulled from the Assets > Devices > Select device > Overview > Logged on users page from the Defender platform. To verify the action performed on the devices, click on the dotted icon and go to Action Center.

Here is the log for the Collect Investigation Package, Run Antivirus Scan, and Undo Isolate on Defender actions.

Here is the log for the Restrict App Execution and Remove App Restriction actions.


Here is the log for the Device Isolation action.

Troubleshooting

Unable to configure the CRE Microsoft Defender for Endpoint plugin.

If you are unable to configure the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:

  • Provided Incorrect credentials.
  • Provided credentials don’t have sufficient permissions.

To resolve the above-mentioned issues, follow these steps:

  1. To get the credentials, follow the steps in "Get your Tenant ID and Application (Client) ID".
  2. To provide proper permissions to the configuration parameter, follow the steps in "Add Permissions to the Configuration Parameter".

Unable to pull Devices

If you are unable to pull Devices from the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:

  • No Devices present on the Defender platform.
  • An error is received while pulling Devices from the platform.
  • Mapping is not added while configuring the plugin in the entity source page.

To resolve these issues, follow these steps:

  1. Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permissions.
  2. If there is no error in the logs, it might be the case that the Devices are not available on the Platform to pull. Check if the Device is available on Defender and confirm the same.
  3. Make sure that the mapping is added and the “id” and “computerDnsName” fields are mapped while configuring the plugin.

Unable to pull Users

If you are unable to pull Users from the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:

  • No Users present on the Defender platform.
  • An error is received while pulling Users from the platform.
  • Mapping is not added while configuring the plugin in the entity source page.

To resolve these issues, follow these steps:

  1. Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permission.
  2. If there is no error in the logs, it might be the case that the Users are not available on the Platform to pull. Check if the Users are available on Defender and confirm the same.
  3. Make sure that the mapping is added and the “id” field is mapped while configuring the plugin.

Unable to view Devices details on the Record

If you are unable to view Devices details on the record table, it could be due to one of these reasons:

  • Mapping for all the Defender fields for devices is not provided while configuring the CRE Defender plugin.
  • Pulled Devices are displayed in a row with comma separated values.

To resolve these issues, follow these steps:

  1. Make sure to provide the needed mapping while configuring the plugin.
  2. Make sure that the fields created in an entity match the Mapping.

Unable to view Users details on the Record

If you are unable to view Users details on the record table, it could be due to one of these reasons:

  • Mapping for all the Defender fields for users is not provided while configuring the CRE Defender plugin.
  • Pulled Users are displayed in a row with comma-separated values.

To resolve these issues, follow these steps:

  1. Make sure to provide the needed mapping while configuring the plugin.
  2. Make sure that the fields created in an entity match the Mapping.

Unable to perform action on the Devices

If you are unable to perform action on the Devices, it could be due to one of these reasons:

  • Insufficient permission was provided for the action.
  • Receiving error while performing an action.
  • Require Approval toggle button is enabled while configuring the Action, and the request is not approved.
  • Error received while performing the Isolate device action.
  • Error received while performing the Undo isolation action.

To resolve these issues, follow these steps:

  1. If insufficient permission was provided for the action, verify that the permission listed for that action has been granted.
  2. Go to the Action Logs page, select the logs that you want to approve the requests for and click on the approve icon, or disable the Require Approval toggle button from the configured action and perform the action again.
  3. If error is received while performing the Isolate device action, make sure any other action related to device isolation is not in progress.
  4. If error is received while performing the Undo isolation action, make sure any action related to device isolation or unisolation is not in progress.

Note that in order to perform the action successfully on Defender, the device on which the action is to be performed must not be in sleep/hibernate mode and must be connected to the internet.
