Microsoft Defender data source
Integration with Microsoft Defender for Endpoint (Defender) as a Data Source will allow detection and incident signal from Defender to be ingested into the Vectra AI Platform.
Applicability
Vectra has two different integrations with Defender:
This new integration (the article you are reading) that brings detection and incident signal from Defender into the Vectra AI platform.
This must be configured separately from the existing integration.
This requires a Respond UX (RUX) deployment.
An existing integration that enables Host Lockdown and ingests data that helps Vectra's automated HostID to more accurately name hosts and provide additional host context to analysts.
Please see the Microsoft Defender for Endpoint FAQ for details about the existing integration.
This integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).
For maximum benefit, it is recommended to enable both integrations when possible.
Deployment
Deployment follows a simple process:
Create the Microsoft Defender Data Source Connector.
Follow a consent process to grant Vectra access to your Microsoft Defender deployment.
How does the integration work?
After creating the Data Source Connector, a link will be given to follow a consent process that creates an Enterprise Application (Service Principal) in your Microsoft Azure tenant. This consent process uses the Microsoft app registration process and creates a trust relationship between your Azure tenant and the Vectra AI Platform, following Microsoft's best practices as described in this Microsoft Document. Vectra will assume this Service Principal when reading data from your Defender deployment.
Creating the Microsoft Defender Data Source:
Navigate in your Vectra UI to Data Sources > Microsoft Defender and click "+ Create Microsoft Defender Connector" at the top right.
Give your connector a name and then click "Create and Continue".

Copy the "Connection Setup Link" with the copy button and then open the link in another browser tab.
!! Please note: The user executing the consent workflow must be a Global Administrator in Entra ID to successfully complete the workflow.

If you are not already authenticated to Microsoft, you will be asked to log in.
Step through the rest of the consent workflow and accept the permissions request.

The full set of permissions can be seen in your Entra ID directory at Enterprise Applications > "Vectra AI - Integrated Signal for Defender" > Security > Permissions:
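The same permission set can be reviewed from the command line rather than the portal. The following is an added example, not part of the Vectra article; it assumes the Microsoft.Graph PowerShell SDK is installed, that the Enterprise Application carries the display name quoted above, and that you hold a directory role able to read service principals.

```powershell
# Added example (not Vectra's code): list the application permissions granted to
# the Enterprise Application that the consent flow creates, so you can confirm
# exactly what the Vectra service principal is allowed to read in your tenant.
Connect-MgGraph -Scopes "Application.Read.All"

# Display name as shown in the article; adjust if your tenant shows a different one.
$appName = "Vectra AI - Integrated Signal for Defender"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $sp) {
    throw "Service principal '$appName' not found; the consent workflow may not have completed."
}

# Application permissions (app roles) assigned to the service principal. Each
# assignment only carries the role's GUID, so resolve it to its readable name
# by looking up the role definitions published by the resource API.
$assignments   = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$resourceCache = @{}
foreach ($a in $assignments) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        GrantedOn  = $a.CreatedDateTime
    }
}
```

Compare the output against the Security > Permissions page for the application; any grant you did not expect is worth raising before clicking "Finish Setup".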

Once you see the permission granted successfully message, you are ready to complete the integration back in your Vectra UI.

Back in your Setup Microsoft Defender Connector dialog box, click "Finish Setup".

You should soon see a "Logs Flowing" message and are done with the deployment of the Microsoft Defender integration.
