DeepSurface: Microsoft Defender for Endpoint
To configure DeepSurface to interface with Microsoft Defender for Endpoint, you need to create an Azure Active Directory application registration, grant it application permissions on the WindowsDefenderATP API, and then create a client secret for the application. DeepSurface uses the client ID, tenant ID, and secret to obtain API tokens from Azure AD. Detailed instructions can be found here.
Setting up the Azure Active Directory Application
- In the Azure portal, open Azure Active Directory > App registrations and click New registration
- Name the Application something meaningful like "DeepSurface"
- Select the Supported account type. If in doubt, the default (single tenant) should be fine
- Ignore the other settings and click Register
- Once back in App registrations, click on DeepSurface
- Click API permissions, then Add a permission
- Select APIs my organization uses, and select WindowsDefenderATP
- Select Application permissions
- Enable the following permissions:
  - AdvancedQuery.Read.All
  - Machine.Read.All
  - Machine.ReadWrite.All
  - Software.Read.All
  - Vulnerability.Read.All
- Select Add permissions. Note that Machine.ReadWrite.All is a write permission on machine data; the other four are read-only
- Once back in API permissions, click Grant admin consent for [your Active Directory name]. Until an administrator grants consent, tokens issued to the application carry none of these permissions and the integration will fail
- Navigate to Overview and copy your Application (client) ID and Directory (tenant) ID. You will need them later
Generating the Client Secret
- In the DeepSurface application registration, click Certificates & secrets, then New client secret
- Name the secret something meaningful like DeepSurface API secret
- Give the secret an expiration date. Record it: when the secret expires the integration stops working and you will need to generate a new secret and update it in DeepSurface
- Click Add
- Copy the Value of the secret, not the Secret ID. You will need it later, and the Value is only displayed once
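Before entering the three values into DeepSurface it is worth confirming that Azure AD actually issues a usable token for them, and in particular that admin consent took effect. The script below is an added example, not DeepSurface's or Microsoft's code: it performs the OAuth 2.0 client-credentials grant against the Azure AD v2.0 token endpoint for the Defender for Endpoint API resource, then decodes the returned JWT (without verifying its signature, since you obtained it from the token endpoint yourself) and checks that the `aud` claim is the MDE API and that the `roles` claim contains all five permissions granted above. The script name `check_mde_app.py`, the assumption that the `aud` claim equals the resource URI `https://api.securitycenter.microsoft.com`, and the unsigned sample tokens used to exercise the check offline are all this example's own.

```python
"""check_mde_app.py: verify an Azure AD app registration is ready for the
DeepSurface <-> Defender for Endpoint integration. Added example; not part
of the DeepSurface product or Microsoft's documentation."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# The five application permissions the procedure above enables on the
# WindowsDefenderATP API; they appear verbatim in the token's "roles" claim
# once admin consent has been granted.
REQUIRED_ROLES = frozenset({
    "AdvancedQuery.Read.All",
    "Machine.Read.All",
    "Machine.ReadWrite.All",
    "Software.Read.All",
    "Vulnerability.Read.All",
})
# Resource identifier of the Defender for Endpoint API. Assumption: a token
# requested with scope "<resource>/.default" carries this URI as its "aud".
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"


def request_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant against the Azure AD v2.0 token
    endpoint. This is the only network call; everything below works offline."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret Value, not the Secret ID
        "scope": f"{MDE_RESOURCE}/.default",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a compact JWS. The signature is NOT
    verified: this is only for inspecting a token you just received from the
    token endpoint yourself, never for accepting a token from a third party."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(jwt):
    """Return (ok, problems). ok is True only when the token is scoped to the
    MDE API and carries every permission the integration needs."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("aud") != MDE_RESOURCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {MDE_RESOURCE!r}")
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        problems.append("missing roles (admin consent not granted?): "
                        + ", ".join(sorted(missing)))
    return (not problems, problems)


def make_unsigned_token(claims):
    """Build an unsigned (alg 'none') token from a claims dict. Constructed
    test input for exercising check_token offline; Microsoft never issues
    such tokens, and nothing here trusts them for anything but inspection."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + "."


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_mde_app.py TENANT_ID CLIENT_ID CLIENT_SECRET")
    ok, problems = check_token(request_token(*sys.argv[1:]))
    print("OK: token is usable for DeepSurface" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_mde_app.py <tenant-id> <client-id> <secret-value>`. A token whose `roles` claim is empty or absent almost always means the Grant admin consent step was skipped or performed by a user without the required directory role; a wrong `aud` means the wrong API was selected under APIs my organization uses.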
Setting up Microsoft Defender for Endpoint in DeepSurface
- Go to your DeepSurface Appliance website and log in
- Navigate to Scanning > Settings > Vulnerability Scanners
- Click '+ Vulnerability Scanner' to add a new scanner
- Select Microsoft Defender for Endpoint
- Enter your Application (client) ID, Directory (tenant) ID, and Secret in the fields provided. That's it.