Microsoft Defender Advanced Threat Protection (ATP) helps enterprise networks prevent, detect, investigate, and respond to advanced threats.

Creating an Application in Microsoft Azure

Before configuring the Microsoft Defender Advanced Threat Protection connector in Lucidum, you must first create an application in Azure. Lucidum uses this application to access Microsoft Defender Advanced Threat Protection.

  1. Log in to the Azure Portal with an administrator account.

  2. Select Azure Active Directory. If you have more than one directory, make sure you are logged in to the right one. If you are not, click the account icon at the top right, click "Switch Directory", and select the directory you want Lucidum to access.

  3. Select App registrations and click New registration. Fill in the details and click Register.

  4. After you have created the app, you should see its Application ID and Directory ID. Keep these values; they are also known as the Client ID and Tenant ID, and the connector settings below refer to them by those names.

  5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.

  6. In the left menu, click API Permissions, then click Add a permission. Select 'APIs my organization uses' and then select the WindowsDefenderATP API.

  7. Add the permissions Machine.Read.All, Vulnerability.Read.All, Software.Read.All, User.Read.All.

  8. Finally, click 'Grant admin consent for Default Directory' to apply these permissions.
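After the consent step, it is worth confirming that the registration actually yields a token the connector can use, and that the token carries exactly the four application permissions above and no more. The following script is an added example, not Lucidum or Microsoft code. It assumes the standard Azure AD v2.0 client-credentials flow and that the WindowsDefenderATP API is addressed by the resource `https://api.securitycenter.microsoft.com` (requested through its `/.default` scope); application permissions granted to the app surface in the token's `roles` claim.

```python
"""Verify that an Azure app registration's client credentials produce a
Microsoft Defender ATP token carrying the permissions the connector needs.

Added example (not Lucidum or Microsoft code). Assumes the Azure AD v2.0
client-credentials flow and the Defender API resource URI below."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Permissions the setup procedure grants; they appear in the token's "roles" claim.
REQUIRED_ROLES = {
    "Machine.Read.All",
    "Vulnerability.Read.All",
    "Software.Read.All",
    "User.Read.All",
}
# Resource URI of the WindowsDefenderATP API (assumption based on public docs).
DEFENDER_RESOURCE = "https://api.securitycenter.microsoft.com"


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint; returns the access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DEFENDER_RESOURCE}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.

    Acceptable here only because we inspect a token we just received over TLS
    from the issuer ourselves; never use unverified decoding to trust a token
    presented by someone else."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(claims: dict, required=frozenset(REQUIRED_ROLES)) -> dict:
    """Compare the granted application roles with the required set.

    'missing' roles mean a permission was not added or admin consent was not
    granted; 'extra' roles mean the app holds more privilege than the connector
    needs; 'audience_ok' is False if the token was issued for some other API."""
    granted = set(claims.get("roles", []))
    return {
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        "audience_ok": claims.get("aud") == DEFENDER_RESOURCE,
    }


def build_test_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims for offline testing.
    Real tokens come from request_token(); this exists only so decode_claims()
    and check_roles() can be exercised without network access."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


if __name__ == "__main__":
    # Usage: python check_defender_app.py <tenant_id> <client_id> <client_secret>
    tenant, client, secret = sys.argv[1:4]
    result = check_roles(decode_claims(request_token(tenant, client, secret)))
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["missing"] or not result["audience_ok"] else 0)
```

A non-empty `missing` list almost always means step 8 (admin consent) was skipped or the permission was added as a delegated rather than an application permission; a non-empty `extra` list is a prompt to remove privilege the connector does not use.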

Configuring the Connector for Microsoft Defender Advanced Threat Protection

To configure Lucidum to ingest data from Microsoft Defender Advanced Threat Protection:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Microsoft Defender Advanced Threat Protection connector. Click Connect. The Settings page appears.

  5. In the Settings page, enter the following:

    • URL - The Microsoft Defender base URL. For example,

    • Tenant ID (required) - The Azure Tenant ID (the Directory ID of the application you registered).

    • Client ID (required) - The Client ID (the Application ID of the application you registered).

    • Client Secret (required) - The client secret you copied when you created the application.

    • Verify SSL (optional, default is false) - Verify the TLS certificate presented by Microsoft Defender ATP. While this is false, the connector accepts any certificate, so enable it unless an intercepting proxy in your environment prevents verification.

    • Verify SSL - For future use.

  6. To test the configuration, click Test.

    • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

    • If the connector is not configured correctly, Lucidum displays an error message.

Supported Actions

  • Isolate machines

  • Unisolate machines