Let Oomnitza be your single source of truth!
You'll get complete visibility of your assets as data from Microsoft Defender is automatically transformed into consumable information and actionable insights.
The Microsoft Defender Asset Load uses the List Machines API. This asset load requires the Machine.Read or Machine.ReadWrite permissions. If you would like to retrieve software information in the asset load, you will also need Software.Read permissions. You must have the View Data role permission to run this API. For further information, see Microsoft Defender Protect API Documentation: List machines API.
Connect Oomnitza and Microsoft Defender in minutes
Get the information and insights that you need to reduce costs and the time that you spend on administration tasks such as:
- Configurable dashboards and list views of key asset information
- Configurable reports to share information about your assets with your colleagues and management
- Configurable workflows that you can easily create for:
  - Getting general machine information, including installed software, OS, last activity, and status.
  - Offboarding machines from Microsoft, isolating machines, and restricting the execution of all applications on a device.
  - Managing device security, including getting the device vulnerabilities, device alerts, and security recommendations, and remotely triggering full or quick anti-virus updates.
Before you start
Before you can create the integration with Oomnitza, you need to have completed the following steps:
- Generated your OAuth2.0 credentials in Azure
- Added your OAuth 2.0 credentials to Oomnitza
- Added a Microsoft Defender domain as a global variable (recommended)
Creating the asset integration
Information
When creating the asset integration, check Software to enable the retrieval of desktop software.
- In Oomnitza, click Configuration > Integrations > Overview.
- Click Block view.
- Scroll down to the Extended section for asset integrations.
- Click NEW INTEGRATION.
- Select the integration in the sidebar.
- Click ADD.
Integration details overview
More information is provided about the following fields to help you complete the integration:
Installation type
Select Cloud if you want to store credentials in the Oomnitza cloud.
Select Local if you want to store credentials locally. Local extended integrations do not support AWS and OAuth authentication. If you want to sync Oomnitza with vendor applications that require AWS or OAuth authentication, select Cloud.
Integration preferences
By default, the Create & Update option is selected. Select this option when you want to edit records and add new records. If you want to edit records and not add new records, select Update Only. If you only want to add new records, select Create Only.
Integration details
To review or update the integration details, click Edit.
- Update the integration name if necessary.
- Select an installation type.
- For integration preferences, select an option.
- Enter the name of the integration user.
Credential details
If you selected Cloud as the installation type, choose one of the following options:
- Select the credentials that were created for the integration.
- Edit the credentials that were created for the integration.
- Create new credentials.
Schedule
By default, data is streamed to Oomnitza once every day.
You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.
- Click Edit.
- Configure your schedule.
- Click Update.
Mappings
To map the fields to Oomnitza, click Edit.
You can define rules for your integration by selecting Edit integration on the mapping page. For example, you may only want to run the integration if a certain contact or region exists. See Filtering integration results.
You can add new fields to your integration by selecting Add new field on the mapping page. All you need to do is specify the property name. See Creating custom API fields.
Creating custom mappings
Map Microsoft Defender fields to Oomnitza fields to get the asset information that you need. For the field mapping, it is recommended to follow these steps:
- Click Smart Mapping to automatically detect appropriate mapping fields. Values from the integration can also be dragged to the appropriate field on the Oomnitza side, or selected from the integration field dropdown.
- Create a custom mapping for the Microsoft Defender Device ID.
  - Click the down arrow on the Microsoft Defender Device ID.
  - Select Add new Oomnitza assets field.
  - Update the Name field to Microsoft Defender Device ID.
  - Click CREATE.
- Assign a sync key. We recommend that you map the AAD Device ID to the Serial Number field, and use this as a sync key.
Tracking information for asset loads
When the integration is run, you can track the name of the credentials that were used and the source of the data. To do this, you map the following fields to Oomnitza:
- Connect: Credentials
Custom mappings
AAD Device ID*
Computer DNS Name
Connect: Credentials
Connect: Microsoft Defender Domain
Connector Sync Time
Exposure Level
First Seen
Health Status
Is AAD Joined?
Last External IP Address
Last IP Address
Last Seen
Machine Tags
Microsoft Defender Device ID**
OS Build
OS Platform
OS Processor
RBAC Group ID
RBAC Group Name
Risk Score
Version
*Suggested sync key
** Also known as the Machine ID, the ID that is returned in the List Machines API response.
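An added example (not Oomnitza or Microsoft code): because the AAD Device ID is the suggested sync key, this Python check maps a List Machines response to the field labels above and flags machines that have no AAD Device ID or that share one with another Defender device ID. The sample response, the `m-000x` IDs and the property-to-label pairing in `FIELD_MAP` are constructed assumptions.

```python
import json
from collections import Counter

# Defender machine property -> field label from the mapping list above.
# The pairing is an assumption made for this example.
FIELD_MAP = {
    "aadDeviceId": "AAD Device ID", "computerDnsName": "Computer DNS Name",
    "exposureLevel": "Exposure Level", "firstSeen": "First Seen",
    "healthStatus": "Health Status", "isAadJoined": "Is AAD Joined?",
    "lastExternalIpAddress": "Last External IP Address",
    "lastIpAddress": "Last IP Address", "lastSeen": "Last Seen",
    "machineTags": "Machine Tags", "id": "Microsoft Defender Device ID",
    "osBuild": "OS Build", "osPlatform": "OS Platform",
    "osProcessor": "OS Processor", "rbacGroupId": "RBAC Group ID",
    "rbacGroupName": "RBAC Group Name", "riskScore": "Risk Score",
    "version": "Version",
}

# Constructed sample in the shape of a List Machines response; not real data.
SAMPLE = json.loads("""{"value": [
 {"id": "m-0001", "computerDnsName": "ws01.example.test",
  "aadDeviceId": "11111111-1111-1111-1111-111111111111", "riskScore": "Low"},
 {"id": "m-0002", "computerDnsName": "srv02.example.test",
  "aadDeviceId": null, "riskScore": "High"},
 {"id": "m-0003", "computerDnsName": "ws03.example.test",
  "aadDeviceId": "22222222-2222-2222-2222-222222222222", "riskScore": "Medium"},
 {"id": "m-0004", "computerDnsName": "ws03-old.example.test",
  "aadDeviceId": "22222222-2222-2222-2222-222222222222", "riskScore": "None"}
]}""")

def check_sync_keys(machines):
    """Map records to the field labels and flag sync-key problems."""
    mapped, missing, seen = [], [], Counter()
    for m in machines:
        key = (m.get("aadDeviceId") or "").strip().lower()
        if not key:
            missing.append(m.get("id"))  # no AAD Device ID: nothing to sync on
            continue
        seen[key] += 1
        mapped.append({label: m.get(prop) for prop, label in FIELD_MAP.items()})
    duplicates = sorted(k for k, n in seen.items() if n > 1)
    return mapped, missing, duplicates

if __name__ == "__main__":
    mapped, missing, duplicates = check_sync_keys(SAMPLE["value"])
    print(f"{len(mapped)} mappable, missing key: {missing}, shared key: {duplicates}")
```

Machines reported in `missing` or `duplicates` are the ones to review before relying on the AAD Device ID as the sync key.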
Launching the integration
Your integration is in Draft mode until the required mandatory fields are added. When added, click Launch to activate your integration.
If you selected Cloud as the installation type when creating the integration, see Running an extended integration.
If you selected Local as the installation type when creating the integration, see Running an extended integration locally.
Viewing data ingested by Oomnitza
Viewing ingested asset data
For asset integrations, click Hardware. If the asset integration also ingests software data, click Software.
Viewing ingested user data
For user integrations, click People. If you chose the option to ingest User and SaaS user data, click Software > SaaS, click the SaaS app, and then click the Users tab.
Unleash the power of Oomnitza
To get valuable actionable insights that help you manage your assets, learn how to:
- Configure dashboards for your users and software
- Configure custom reports about your users and software
- Create workflows to automate tasks
See Getting started for more information.