Enable Microsoft Defender ATP integration in Azure Security Center programmatically

If you have worked with Azure Security Center and Microsoft Defender ATP (Advanced Threat Protection) you may know a setting in Azure Security Center called Threat Detection where you can allow Microsoft Cloud App Security (MCAS) or Microsoft Defender ATP to access your data.

In this article, let’s see how we can programmatically enable the integration instead of going to the Azure Portal to check boxes.

First of all, if you haven’t heard about the integration, here is the shortcut. To enable the integration you simply need to go to Azure Security Center > Pricing & settings > Threat detection.

For testing purposes this is the fastest way to do it. However, you are not going to visit each subscription to enable it if you have many subscriptions under your Azure tenant.

Azure Security Center Setting API

There is no built-in PowerShell cmdlet to enable the MCAS/MDATP integration in Azure Security Center, so you must use the REST API. Below is the request URI:

https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Security/settings/$type?api-version=2019-01-01

  • subscriptionId: the target subscription in which you want to enable the integration.
  • type: the security service you want to integrate. Only MCAS and WDATP are supported.

WDATP is not a typo for MDATP: the value the API accepts is still WDATP, even though the product has been renamed to MDATP (Microsoft instead of Windows).

Below is the request body you need to send to the API:

{
    "type": "Microsoft.Security/settings",
    "name": "WDATP",
    "id": "/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/WDATP",
    "kind": "DataExportSettings",
    "properties": {
        "enabled": "True"
    }
}

Below is a quick-and-dirty PowerShell snippet that allows Microsoft Defender ATP to access Azure Security Center data for the subscription of the current Az session (Connect-AzAccount). It reuses the session's access token instead of authenticating again.

$type = "WDATP"   # or "MCAS"
$context = Get-AzContext
# Acquire a Resource Manager token from the current Az session.
# $profile is a reserved automatic variable in PowerShell, so a different name is used here.
$azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
$token = $profileClient.AcquireAccessToken($context.Subscription.TenantId)
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $token.AccessToken
}

$uri = "https://management.azure.com/subscriptions/" + $context.Subscription.Id `
     + "/providers/Microsoft.Security/settings/" `
     + $type `
     + "?api-version=2019-01-01"
$uri   # print the request URI for troubleshooting
$body = @{
    "id"         = "/subscriptions/$($context.Subscription.Id)/providers/Microsoft.Security/settings/$type"
    "name"       = $type
    "kind"       = "DataExportSettings"
    "type"       = "Microsoft.Security/settings"
    "properties" = @{
        "enabled" = $true   # use $false to disable the integration
    }
}

$request = $body | ConvertTo-Json

Invoke-RestMethod -Method PUT `
                  -Body $request `
                  -Headers $authHeader `
                  -Uri $uri

If you are not familiar with PowerShell (or you’d hate it), here is the Bash script you’d love. It takes the bearer token from the signed-in Azure CLI session (az login):

# Bearer token for the Resource Manager endpoint from the current Azure CLI session
ACCESS_TOKEN=$(az account get-access-token --query 'accessToken' -o tsv)
AUTH_HEADER="Authorization: Bearer $ACCESS_TOKEN"
RM_ENDPOINT='https://management.azure.com'
CONTENT_TYPE="Content-Type: application/json"
SUBSCRIPTION_ID="xxxx-xxxx-xxx-xxx-xxxxxx"   # target subscription id
INTEGRATION_NAME="WDATP"                    # or MCAS

URI="$RM_ENDPOINT/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Security/settings/$INTEGRATION_NAME?api-version=2019-01-01"
REQUEST_BODY=$(cat <<EOF
{
    "id":"/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Security/settings/$INTEGRATION_NAME",
    "type":"Microsoft.Security/settings",
    "name": "$INTEGRATION_NAME",
    "kind":"DataExportSettings",
    "properties":{
        "enabled":"True"
    }
}
EOF
)

curl \
  -H "$CONTENT_TYPE" \
  -H "$AUTH_HEADER" \
  -X PUT \
  -d "$REQUEST_BODY" \
  "$URI"

You can disable the integration by changing the enabled value to False.
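The post's motivation is many subscriptions under one tenant, so here is an added Bash helper (not from the original post) that builds the same PUT for every enabled subscription, rejects any setting name other than the two supported ones, and reads the setting back with a GET after writing it. The `az` calls, the two constructed subscription ids used under DRY_RUN and the function names are assumptions of this example; `enabled` is sent as a JSON boolean, as in the ARM template in the next section.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply Microsoft.Security/settings to every
# enabled subscription in the tenant and read each setting back afterwards.
# With DRY_RUN=1 the requests are only printed; no az or curl call is made.
set -eu
RM_ENDPOINT='https://management.azure.com'
API_VERSION='2019-01-01'

# The settings API accepts only these two names; WDATP is still the wire value for MDATP.
valid_setting() {
  case "$1" in
    WDATP|MCAS) return 0 ;;
    *) return 1 ;;
  esac
}
# $1 = subscription id, $2 = setting name
settings_uri() {
  printf '%s/subscriptions/%s/providers/Microsoft.Security/settings/%s?api-version=%s' \
    "$RM_ENDPOINT" "$1" "$2" "$API_VERSION"
}
# $1 = subscription id, $2 = setting name, $3 = true|false (JSON boolean)
settings_body() {
  printf '{"id":"/subscriptions/%s/providers/Microsoft.Security/settings/%s","name":"%s","type":"Microsoft.Security/settings","kind":"DataExportSettings","properties":{"enabled":%s}}' \
    "$1" "$2" "$2" "$3"
}
# PUT the setting for one subscription, then GET it back so a silently ignored PUT is noticed.
apply_setting() {
  valid_setting "$2" || { echo "unsupported setting: $2" >&2; return 1; }
  uri=$(settings_uri "$1" "$2")
  body=$(settings_body "$1" "$2" "$3")
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'PUT %s\n%s\n' "$uri" "$body"
    return 0
  fi
  token=$(az account get-access-token --query accessToken -o tsv)
  curl -sS -X PUT -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
    -d "$body" "$uri" >/dev/null
  curl -sS -H "Authorization: Bearer $token" "$uri" | grep -o '"enabled":[^,}]*'
}
# $1 = setting name; loops over all enabled subscriptions (two constructed ids under DRY_RUN).
enable_everywhere() {
  if [ -n "${DRY_RUN:-}" ]; then
    subs='00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002'
  else
    subs=$(az account list --query "[?state=='Enabled'].id" -o tsv)
  fi
  for s in $subs; do apply_setting "$s" "$1" true; done
}
```

Run `DRY_RUN=1 enable_everywhere WDATP` after sourcing the file to review the requests before sending them, then `enable_everywhere WDATP` from an `az login` session.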

Enable Integration via Azure ARM template

Another way to enable the integration is to use an Azure ARM template for Azure Security Center. Follow this article to understand the Azure Security Center ARM template deployment use case as well as the template to deploy.

Below is the sample resource definition to enable the MDATP integration:

{
    "type": "Microsoft.Security/settings",
    "apiVersion": "2019-01-01",
    "name": "WDATP",
    "kind": "DataExportSettings",
    "properties": {
        "enabled": true
    }
}

Use this template to deploy your Azure Security Center configuration: https://github.com/azsec/scaf-azure-arm-templates/tree/master/AzureSecurityCenter

Reference

Below are two references from Microsoft:

Note that there is a typo/invalid value in the kind field of the Microsoft documentation. The valid value is DataExportSettings, while the doc indicates DataExportSetting (missing ‘s’).
