Overview
Defender for Cloud has several integrations with Microsoft’s security ecosystem. These integrations allow data sharing between Defender for Cloud Apps, Defender for Endpoint, and Microsoft Sentinel. Most of these integrations are enabled by default on subscriptions; however, in some circumstances some of these settings may not be enabled.
The most common setting not enabled on subscriptions is the Defender for Endpoint Unified Agent. The unified solution isn’t automatically deployed for Azure Windows 2012 R2 and 2016 servers that are protected by Defender for Servers Plan 2. We strongly recommend that you upgrade to this agent as soon as possible to ensure Windows 2012 R2 and 2016 servers have full Defender for Endpoint capabilities.
Integration | Enabled By Default | Caveats |
---|---|---|
Defender for Cloud Apps | Yes | None |
Defender for Endpoint | Yes | None |
Defender for Endpoint Unified Agent | Yes | Existing subscriptions may still need this enabled |
Defender for Endpoint: Exclude Linux Servers Public Preview Flag | No | Existing subscriptions may still need this enabled |
Sentinel Bi-Directional Alert Sync Settings | No | Only enable if you are using Microsoft Sentinel |
These settings can be viewed and configured on a per-subscription basis; however, most of them cannot be configured via Azure Policy.
From the Defender for Cloud portal, navigate to Environment settings > Your Subscription > Integrations.

The Enable unified solution and Enable for Linux machines options may only show up in certain circumstances.
Reporting and Updating Integration Settings
I created a couple of scripts that will allow you to report and update these integration settings across all of your subscriptions. The scripts will also report and configure the Defender for Servers plan if desired.
You can download the scripts here: Integration Settings Scripts
Report on Integration Settings
The get-integration-report.ps1 script gets the current settings across all subscriptions in your tenant. Make sure you have the Security Reader role assigned.
# Get all subscription integration settings for the currently connected Tenant
$settings = .\get-integration-report.ps1
# -NoTypeInformation keeps the "#TYPE" header line out of the CSV on Windows PowerShell 5.1
$settings | Export-CSV integration-settings.csv -NoTypeInformation
# Get all subscription integration settings for a specific Tenant
$settings = .\get-integration-report.ps1 -TenantId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90'
$settings | Export-CSV integration-settings.csv -NoTypeInformation
Configure Integration Settings
The enable-integration-settings.ps1 script configures settings across subscriptions in your tenant. It applies the following default settings unless you specify otherwise.
Integration Setting | Setting |
---|---|
Defender for Servers Plan | Current Subscription Setting |
Defender for Cloud Apps Integration | Enabled |
Defender for Endpoint Integration | Enabled |
Defender for Endpoint Unified Agent | Enabled |
Defender for Endpoint: Exclude Linux Servers Public Preview Flag | Disabled |
Sentinel Bi-Directional Alert Sync Settings | Enabled |
# Enable with all recommended settings
.\enable-integration-settings.ps1 -subscriptionId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90'
# Enable with all recommended settings on multiple subscriptions
Get-AzSubscription | ForEach-Object { .\enable-integration-settings.ps1 -subscriptionId $_.Id }
# Enable with all recommended settings and Defender for Servers P1
.\enable-integration-settings.ps1 -subscriptionId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90' -DefenderforServersPlan 'P1'
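A read-only way to list which subscriptions differ from the defaults in the table above, as an added example that is not one of the downloadable scripts. It assumes the Az.Accounts module, an existing Connect-AzAccount session with Security Reader, and that the five integrations are exposed under the Microsoft.Security/settings resource (api-version 2022-05-01) with the names used in `$expected`.

```powershell
# Added example, not the author's get-integration-report.ps1.
# Assumption: these Microsoft.Security/settings names correspond to the
# integrations in the defaults table; values are the defaults from that table.
$expected = [ordered]@{
    MCAS                               = $true   # Defender for Cloud Apps
    WDATP                              = $true   # Defender for Endpoint
    WDATP_UNIFIED_SOLUTION             = $true   # Defender for Endpoint Unified Agent
    WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW = $false  # Exclude Linux Servers preview flag
    Sentinel                           = $true   # Only relevant if you use Microsoft Sentinel
}

$drift = foreach ($sub in Get-AzSubscription) {
    $path = "/subscriptions/$($sub.Id)/providers/Microsoft.Security/settings?api-version=2022-05-01"
    $resp = Invoke-AzRestMethod -Method GET -Path $path

    # Record subscriptions that cannot be read instead of silently skipping them
    if ($resp.StatusCode -ne 200) {
        [pscustomobject]@{
            Subscription = $sub.Name; SubscriptionId = $sub.Id
            Setting = '(all)'; Expected = $null; Actual = "HTTP $($resp.StatusCode)"
        }
        continue
    }

    # Index the returned settings by name
    $actual = @{}
    foreach ($s in ($resp.Content | ConvertFrom-Json).value) {
        $actual[$s.name] = $s.properties.enabled
    }

    foreach ($name in $expected.Keys) {
        # Some settings only appear in certain circumstances; report them as absent
        $present = $actual.ContainsKey($name)
        if (-not $present -or $actual[$name] -ne $expected[$name]) {
            [pscustomobject]@{
                Subscription = $sub.Name; SubscriptionId = $sub.Id
                Setting = $name; Expected = $expected[$name]
                Actual = if ($present) { $actual[$name] } else { 'not present' }
            }
        }
    }
}

# One row per setting that differs from the table; no rows means no drift
$drift | Format-Table -AutoSize
```

A Sentinel row only matters on subscriptions that actually feed Microsoft Sentinel, and a `not present` row for the unified solution or Linux setting can be normal given that those options only show up in certain circumstances.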