Microsoft Defender for Endpoint
Microsoft Defender for Endpoint FAQ, formerly Microsoft Defender ATP
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint (Defender) is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response. This was formerly known as Microsoft Defender ATP.
Integration:
How does Defender integrate with my Vectra deployment?
Integration with Defender adds host context to aid in host identification during a security investigation. When Vectra NDR (Detect) sees a host session come online, it polls Defender for host information. Host information may include the following:
Machine ID
Machine name
Operating system
Isolation status
Defender host context is available under the Host Details tab of individual Host pages.
Vectra will release AI Stitching with Defender EDR in 1H 2026.
Configuring Advanced Query permissions now as part of your Defender API client permissions will ensure the integration is future-ready without needing to revisit API client settings later.
This capability automatically stitches EDR process data to Vectra detections, exposing root cause instantly.
Please refer to the configuration steps below for adding the appropriate permissions.
If you have previously configured Defender integration:
Existing API clients can simply be edited in your Azure Portal to add the Advanced Query permissions to your existing client.
No changes will be required in your Vectra deployment
Checking for the required MS Defender for Endpoint Plan 2 license
This integration requires that customers are subscribed to MS Defender for Endpoint Plan 2.
More information about the license options is available from Microsoft here: Compare Microsoft Endpoint Security Plans
To check for the type of Defender license, please see the "Review License Usage" section here: Change your endpoint security subscription
Please note that Microsoft DOES NOT support mixed licensing types.
This Microsoft article provides more details in the Can I have a mix of Microsoft endpoint security subscriptions? section.
For example, in the screenshot below, both Microsoft Defender for Business and Microsoft Defender for Endpoint Plan 2 licenses appear in the Licenses screen. In this scenario, the tenant defaults to the Defender for Business experience. As a result, the Vectra integration is not supported, since it requires Microsoft Defender for Endpoint Plan 2. Microsoft confirms this behavior in its documentation on mixed licensing:
Microsoft Defender for Business does not support mixed licensing, so a tenant with Defender for Business (which is included in Microsoft 365 Business Premium) along with Defender for Endpoint Plan 2 (which is included in Microsoft 365 E5 Security) defaults to the Defender for Business experience.

Please ensure that your Defender console shows licensing as per the below screenshot and NOT as per the above screenshot. This license status is available from System > Settings > Endpoint > Licenses.
Please note that the Subscription State shows Microsoft Defender for Endpoint Plan 2 which is the requirement for the Vectra integration.

How do I enable the Defender integration in Vectra NDR (Detect)?
In your Vectra UI, navigate to Configuration > SETUP > EDR Integrations > Microsoft Defender for Endpoint.
Select Edit on the far right-hand side.
Toggle Enable Microsoft Defender for Endpoint integration to On.
Enter your Defender Tenant ID, Application ID, and Application Secret (this is the value of the client secret and not the SecretID).
If you do not have your Tenant ID, Application ID or Application Secret, please see the next section for details on where to locate them.

Click Save.
Once the credentials have been validated, the UI will provide confirmation that your configuration has been saved.
Your Microsoft Defender for Endpoint integration setup is now complete.
Where can I find my Defender Tenant ID, Application ID, and Application Secret?
To get credentials for Defender for use with Vectra:
Log into portal.azure.com.
Select the Entra ID (formerly Azure Active Directory) service.
Navigate to Manage > App registrations > New registration.
In the registration form, choose a name for your application, and then select Register. Now you have a new application that you must assign the correct permissions to.
Once your new application has been created, select Manage > API permissions.
From the API permissions screen, select Add a permission.
Select APIs my organization uses, and search for WindowsDefenderATP.
Select Application permissions.
Select the AdvancedQuery.Read.All, Machine.Read.All and Machine.Isolate permissions. Click Add permissions.
After you add the permissions, select Grant admin consent for [your organization].
For existing configurations, these are the new permissions required for EDR Process Stitching:
Next, select Add a permission.
Select APIs my organization uses, and search for Microsoft Threat Protection
Select Application permissions.
Select the AdvancedHunting.Read.All permission. Click Add permissions.
After you add the permissions, select Grant admin consent for [your organization].
Your application now has all the permissions it needs. Next you will create a client secret.
From the Manage menu of your application, select Certificates & secrets.
Under the Client secrets section, click the New client secret button.
Provide a brief description and an expiration timeframe and click Add.
Make sure that you record this secret! This will be the Application Secret you enter into your Defender integration configuration in the Vectra UI.
Please note that you will not be able to see this Application Secret again after you leave this page.
Navigate to the Overview page from the left-hand menu of your application.
From the Overview page, record your Application (client) ID and Directory (tenant) ID.
You may now return to the Detect UI and enter the Tenant ID, Application ID and Application Secret you recorded above to complete the Microsoft Defender for Endpoint configuration in your Vectra UI.
Can I use Advanced search to query for Defender hosts?
Yes, you can use the following query on the Hosts index to pull a list of hosts with Microsoft Defender artifacts (QUX):
Are there any Defender connectivity requirements?
All communication occurs between your Vectra Brain appliance and two Microsoft URLs: login.windows.net and api.securitycenter.windows.com.
If you are experiencing connectivity issues, it may be necessary to configure your firewall rules to allow your Brain to communicate with login.windows.net and api.securitycenter.windows.com over port 443.
Please also make sure that you do have a valid Vectra NDR (Detect) license.
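The following is an added example, not Vectra's or Microsoft's code, that ties together the three things this FAQ asks you to verify: that an existing API client carries the full permission set listed above (including the new AdvancedQuery.Read.All and AdvancedHunting.Read.All roles), that the Brain can reach the two Microsoft endpoints over TCP 443, and that the machine records the integration pulls back can be reduced to the host context fields (Machine ID, name, operating system) shown on the Host Details tab. The OAuth2 token URL, the /api/machines path and the JSON field names (id, computerDnsName, osPlatform) are assumptions based on Microsoft's public Defender for Endpoint API and are not taken from this page; the sample response is constructed.

```python
"""Pre-flight checks for a Defender for Endpoint API client used with Vectra.

Added example, not Vectra's or Microsoft's code. Endpoint paths and JSON
field names are assumptions about Microsoft's public API; verify them
against current Microsoft documentation before relying on them.
"""
import json
import socket
import ssl
import urllib.parse
import urllib.request

# Application permissions the FAQ lists, keyed by the API they are granted on.
REQUIRED_PERMISSIONS = {
    "WindowsDefenderATP": {
        "AdvancedQuery.Read.All", "Machine.Read.All", "Machine.Isolate",
    },
    "Microsoft Threat Protection": {"AdvancedHunting.Read.All"},
}

# Hosts the FAQ says the Brain must reach over port 443.
REQUIRED_ENDPOINTS = ("login.windows.net", "api.securitycenter.windows.com")

# Constructed sample of a machines response (not real data).
SAMPLE_MACHINES = {
    "value": [
        {"id": "0000000000000000000000000000000000000001",
         "computerDnsName": "ws-finance-01.example.internal",
         "osPlatform": "Windows11", "healthStatus": "Active"},
        {"id": "0000000000000000000000000000000000000002",
         "computerDnsName": "srv-files-02.example.internal",
         "osPlatform": "WindowsServer2019", "healthStatus": "Inactive"},
    ]
}


def missing_permissions(granted):
    """Return {api: set(missing roles)} for an existing app registration.

    `granted` maps the API display name to the set of application
    permissions already granted, as read off the API permissions screen.
    An empty dict means the client is ready for EDR process stitching.
    """
    missing = {}
    for api, required in REQUIRED_PERMISSIONS.items():
        gap = required - granted.get(api, set())
        if gap:
            missing[api] = gap
    return missing


def check_endpoint(host, port=443, timeout=5.0):
    """TLS-connect to host:port; True on success, False on any failure.

    Run from the Brain (or a host with the same egress path) to separate a
    firewall problem from a credential problem.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def fetch_token(tenant_id, app_id, app_secret):
    """Client-credentials grant (assumed endpoint shape, see module docstring)."""
    url = f"https://login.windows.net/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,  # the secret VALUE, not the Secret ID
        "resource": "https://api.securitycenter.windows.com",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=15) as resp:
        return json.load(resp)["access_token"]


def host_context(machines_json):
    """Reduce a machines response to the fields Vectra surfaces per host.

    Isolation status is not part of the machine record (assumption); it is
    tracked through machine actions and is deliberately left out here.
    """
    return [
        {"machine_id": m.get("id"),
         "machine_name": m.get("computerDnsName"),
         "operating_system": m.get("osPlatform")}
        for m in machines_json.get("value", [])
    ]


if __name__ == "__main__":
    granted = {"WindowsDefenderATP": {"Machine.Read.All", "Machine.Isolate"}}
    print("missing permissions:", missing_permissions(granted))
    for host in REQUIRED_ENDPOINTS:
        print(host, "reachable" if check_endpoint(host) else "BLOCKED")
    for row in host_context(SAMPLE_MACHINES):
        print(row)
```

The permission check is the one to run before 1H 2026 on API clients created for an older version of this integration: it prints exactly the roles still to be added in the Azure portal, with no change needed on the Vectra side.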
Host Lockdown Information
Can Defender be used for Host Lockdown?
Yes, Vectra NDR (Detect) supports Host Lockdown using Microsoft Defender for Endpoint.
Can Host Lockdown access be managed by RBAC permissions?
There are 2 sets of permissions associated with Host Lockdown for Microsoft Defender for Endpoint:
Configuration of Host Lockdown:
View
Configuration - Microsoft Defender- controls who can view the Microsoft Defender for Endpoint External Connector settings, which includes the Host Lockdown settings.
Edit
Configuration - Microsoft Defender- controls who can edit the Microsoft Defender for Endpoint External Connector settings, which includes the Host Lockdown settings.
Use of Host Lockdown:
Edit
Host Lockdown - This allows users to manually lock or unlock individual hosts.
By default (assuming roles have not been modified), all of the above are automatically granted to the Super Admin and Admin roles.
For more details, please check this article.