STARK ON SECURITY

Programmatically Updating Defender for Cloud Integration Settings and enabling the Unified Agent

Overview

Defender for Cloud has several integrations with Microsoft’s security ecosystem. These integrations allow data sharing between Defender for Cloud Apps, Defender for Endpoint, and Microsoft Sentinel. Most of these integrations are enabled by default on subscriptions; however, in some circumstances some of these settings may not be enabled.

The most common setting not enabled on subscriptions is the Defender for Endpoint Unified Agent. The unified solution isn’t automatically deployed for Azure Windows 2012 R2 and 2016 servers that are protected by Defender for Servers Plan 2. We strongly recommend that you upgrade to this agent as soon as possible to ensure Windows 2012 R2 and 2016 servers have full Defender for Endpoint capabilities.

Integration | Enabled By Default | Caveats
Defender for Cloud Apps | Yes | None
Defender for Endpoint | Yes | None
Defender for Endpoint Unified Agent | Yes | Existing subscriptions may still need this enabled
Defender for Endpoint: Exclude Linux Servers Public Preview Flag | No | Existing subscriptions may still need this enabled
Sentinel Bi-Directional Alert Sync Settings | No | Only enable if you are using Microsoft Sentinel

A look at the default settings

These settings can be viewed and configured on a per-subscription basis; however, most of them cannot be configured via Azure Policy.

From the Defender for Cloud Portal navigate to Environment settings > Your Subscription > Integrations

The Enable unified solution and Enable for Linux machines options only appear in certain circumstances.

Reporting and Updating Integration Settings

I created a couple of scripts that will allow you to report and update these integration settings across all of your subscriptions. The scripts will also report and configure the Defender for Servers plan if desired.

You can download the scripts here: Integration Settings Scripts

Report on Integration Settings

The get-integration-report.ps1 script will get the current settings across all your subscriptions in your tenant. Make sure you have the Security Reader role assigned.

# Get all subscription integration settings for the currently connected Tenant
$settings = .\get-integration-report.ps1
$settings | Export-CSV integration-settings.csv

# Get all subscription integration settings for a specific Tenant
$settings = .\get-integration-report.ps1 -TenantId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90'
$settings | Export-CSV integration-settings.csv
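The following is an added example, not the blog's own get-integration-report.ps1, of how such a report can be built with the Az PowerShell modules: it walks every subscription the current identity can see, reads the integration settings, and flags any subscription that drifts from the recommended values in the table above. It assumes the Az.Accounts and Az.Security modules are installed and that Get-AzSecuritySetting returns the settings under the names used by the Microsoft.Security/settings REST API (MCAS, WDATP, WDATP_UNIFIED_SOLUTION, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, Sentinel).

```powershell
# Added example (not the blog's script): report Defender for Cloud integration
# settings across all subscriptions and flag drift from the recommended state.
# Assumes Az.Accounts and Az.Security are installed and that the setting
# names below match what Get-AzSecuritySetting returns (assumption).
#Requires -Modules Az.Accounts, Az.Security

# Recommended state, keyed by Microsoft.Security/settings name (assumption).
$Recommended = [ordered]@{
    'MCAS'                               = $true   # Defender for Cloud Apps
    'WDATP'                              = $true   # Defender for Endpoint
    'WDATP_UNIFIED_SOLUTION'             = $true   # Unified agent for 2012 R2 / 2016
    'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW' = $false  # Keep Linux servers covered
    'Sentinel'                           = $true   # Only relevant if Sentinel is in use
}

function Get-IntegrationDrift {
    param([string]$TenantId)

    $subs = if ($TenantId) { Get-AzSubscription -TenantId $TenantId } else { Get-AzSubscription }
    foreach ($sub in $subs) {
        # Read-only: Security Reader on the subscription is sufficient.
        $null = Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop
        $current = @{}
        Get-AzSecuritySetting -ErrorAction SilentlyContinue |
            ForEach-Object { $current[$_.Name] = [bool]$_.Enabled }

        foreach ($name in $Recommended.Keys) {
            # A setting the API did not return is reported as $null, not guessed.
            $actual = if ($current.ContainsKey($name)) { $current[$name] } else { $null }
            [pscustomobject]@{
                Subscription   = $sub.Name
                SubscriptionId = $sub.Id
                Setting        = $name
                Enabled        = $actual
                Recommended    = $Recommended[$name]
                Drift          = ($actual -ne $Recommended[$name])
            }
        }
    }
}

# Usage: keep the full report as evidence, then list only what needs attention.
$report = Get-IntegrationDrift
$report | Export-Csv integration-drift.csv -NoTypeInformation
$report | Where-Object Drift | Format-Table Subscription, Setting, Enabled, Recommended
```

Because the Sentinel sync setting is only worth enabling when Sentinel is in use, adjust its entry in $Recommended to $false for tenants without a Sentinel workspace so those subscriptions are not reported as drift.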

Configure Integration Settings

The enable-integration-settings.ps1 script will configure settings across subscriptions in your tenant. The script will apply the following default settings unless you specify otherwise.

Integration Setting | Setting
Defender for Servers Plan | Current Subscription Setting
Defender for Cloud Apps Integration | Enabled
Defender for Endpoint Integration | Enabled
Defender for Endpoint Unified Agent | Enabled
Defender for Endpoint: Exclude Linux Servers Public Preview Flag | Disabled
Sentinel Bi-Directional Alert Sync Settings | Enabled

# Enable with all recommended settings
.\enable-integration-settings.ps1 -subscriptionId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90'

# Enable with all recommended settings on multiple subscriptions
Get-AzSubscription | % {.\enable-integration-settings.ps1 -subscriptionId $_.id}

# Enable with all recommended settings and Defender for Servers P1
.\enable-integration-settings.ps1 -subscriptionId 'c94dffc7-2dd9-4750-a3de-a160ddd68c90' -DefenderforServersPlan 'P1'
