Microsoft Defender for Endpoint Integration

Connect Furl to Microsoft Defender for Endpoint using Microsoft Graph API with OAuth2 authentication for vulnerability management and device inventory.

Required Licenses

Your organization must have one of the following Microsoft licenses for each capability:

For Vulnerabilities:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender Vulnerability Management
• Microsoft Defender XDR

For Assets/Devices:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business

Description

Microsoft Defender for Endpoint is a unified endpoint security platform that provides advanced threat protection, vulnerability management, and security posture assessment for Windows, macOS, Linux, Android, and iOS devices. Furl integrates with Microsoft Defender for Endpoint to import device inventory and vulnerability data for comprehensive security risk management.

Configuration Steps

1. Create an Entra App

   • Log in to the Azure Portal
   • Navigate to Azure Active Directory > App registrations
   • Click “New registration” and create a new application
   • Note the Application (client) ID and Directory (tenant) ID

2. Add API Permissions

   • In your app registration, go to API permissions
   • Click “Add a permission” and select “Microsoft Graph”
   • Choose “Application permissions” (not Delegated permissions)
   • Add the following permissions:
     • Vulnerability.Read.All (for vulnerability data)
     • Machine.Read.All (for device/asset data)
   • Click “Grant admin consent” to approve the permissions

3. Create Client Secret

   • Go to Certificates & secrets in your app registration
   • Click “New client secret”
   • Add a description and set expiration (recommend 12-24 months)
   • Copy the secret value immediately (it won’t be shown again)

Required Configuration

Provide the following in Furl:

• Tenant ID - Your Microsoft Azure AD Tenant ID (Directory ID)
• Application ID - Your Azure AD Application ID (Client ID)
• Client Secret - Your Azure AD Application Client Secret

Datasource Configuration

Devices and Vulnerabilities

The Devices and Vulnerabilities datasource supports the following optional configurations:

• Device Filter - Filter devices by specific criteria using OData query syntax. Examples:
  • deviceName eq 'DESKTOP-ABC123' - Filter by specific device name
  • osPlatform eq 'MacOs' - Filter by operating system platform
  • machineTags/any(t: t eq 'test') - Filter by machine tags
• Vulnerability Filter - Filter vulnerabilities by severity using OData query syntax. Examples:
  • severity eq 'Critical' - Filter for critical vulnerabilities only
  • severity eq 'High' - Filter for high severity vulnerabilities
  • severity eq 'Critical' or severity eq 'High' - Filter for critical or high severity

Supported Capabilities

Datasources

• Devices and Vulnerabilities → Import device inventory, vulnerability findings, and associated evidence from Microsoft Defender for Endpoint to understand your security posture and prioritize remediation efforts

Actions

Currently no actions are supported for this integration.

Troubleshooting

• Ensure your Entra app has the correct API permissions (Vulnerability.Read.All and Machine.Read.All)
• Verify admin consent has been granted for the API permissions
• Check that your organization has the required Microsoft Defender licenses
• Ensure the client secret hasn’t expired
• Verify the Tenant ID and Application ID are correct

Additional Resources

• List machines API Documentation - Retrieve device inventory and machine information
• Export software vulnerabilities assessment API Documentation - Retrieve vulnerability data per device
• Entra App Registration Guide

Back to Integrations

Documentation Home