Connecting MDE (Detect)

To attach an MDE account to Detect, you will need:

  • The Prelude Dashboard / UI (US1 | EU1) or Prelude CLI
  • An Azure user with Global Administrator role
 
 
In Azure
 Create an App Registration
  1. Navigate to the App registrations section in the Azure Portal.
  2. Select "+ New registration" toward the top of the page.
  3. Enter a name for your application.
  4. Choose Single tenant as the supported account type (Accounts in this organizational directory only). Click Register.
  5. Leave Redirect URI (optional) as it is.
  6. After registration:
    1. Copy/Save the Application (client) ID and Directory (tenant) ID from the app's Overview page.
  7. In the left menu, expand the Manage section, select Certificates & secrets, and create a new Client Secret:
    1. Click New client secret, enter a description, and set an expiration period.
    2. Copy/Save the generated Client Secret Value (you won’t be able to view it later).

Save the following information for later:

  • APP ID (Application (client) ID) from step 6
  • TENANT ID (Directory (tenant) ID) from step 6
  • APP SECRET (Client Secret Value) from step 7

 
 
Granting API Permissions
  1. In the left menu of the app you created, select API permissions and click Add a permission.
  2. Under "Microsoft APIs", select Microsoft Graph.
    1. Select Delegated permissions (not Application) and add the following API Permissions.
      • User.Read (note: this may already be selected)
    2. Select Application permissions (not Delegated) and add the following API Permissions.
      • ThreatHunting.Read.All
      • CustomDetection.ReadWrite.All
      • DeviceManagementConfiguration.Read.All
  3. Under "APIs my organization uses", search for "WindowsDefenderATP" and select it.
    1. Select Application permissions (not Delegated) and add the following API Permissions.
      • Alert.Read.All
      • Machine.Read.All
      • Ti.ReadWrite.All

Note: After adding the above permissions, ensure you select "Grant admin consent for " as shown in the screenshot below:
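
Before moving on to Prelude, you can confirm that admin consent took effect by requesting an app-only token and checking its `roles` claim against the application permissions listed above. This is an added example, not Prelude's or Microsoft's own code; it assumes the v1 token endpoint with the `resource` parameter, and the `MDE_*` environment variable names and the sample token are constructed for illustration.

```python
import base64, json, os, urllib.parse, urllib.request

# Application permissions listed on this page, keyed by token resource.
REQUIRED = {
    "https://api.securitycenter.microsoft.com": {
        "Alert.Read.All", "Machine.Read.All", "Ti.ReadWrite.All"},
    "https://graph.microsoft.com": {
        "ThreatHunting.Read.All", "CustomDetection.ReadWrite.All",
        "DeviceManagementConfiguration.Read.All"},
}

def token_roles(jwt):
    """Read the 'roles' claim; decoded for inspection only, signature not verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    # The claim is absent when no application permission has been consented.
    return set(json.loads(base64.urlsafe_b64decode(padded)).get("roles", []))

def missing_roles(jwt, resource):
    """Permissions from this page that the token does not carry."""
    return sorted(REQUIRED[resource] - token_roles(jwt))

def fetch_token(tenant, app_id, secret, resource):
    """Client-credentials request to the Microsoft identity platform (v1 endpoint)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": secret, "resource": resource}).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    with urllib.request.urlopen(url, body, timeout=30) as resp:
        return json.load(resp)["access_token"]

def sample_token(roles):
    """Constructed, unsigned token so the check can be run offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "x"])

if __name__ == "__main__":
    env = os.environ  # MDE_* variable names are assumptions of this example
    for res in REQUIRED:
        if "MDE_TENANT_ID" in env:
            tok = fetch_token(env["MDE_TENANT_ID"], env["MDE_APP_ID"],
                              env["MDE_APP_SECRET"], res)
        else:
            tok = sample_token(["Alert.Read.All"])  # constructed: consent incomplete
        print(res, "missing:", missing_roles(tok, res) or "none")
```

Reading the secret from the environment keeps it out of shell history and process listings; an empty "missing" list for both resources means the permissions and consent are in place.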


 
 
In Prelude
 
Attach the partner

You can attach a partner via the UI or the CLI.

 
 
via UI
  • Navigate to your user name in the upper right-hand corner and select "Integrations"
  • Select the "Connect" action for Microsoft Defender
  • Fill out Base URL, Tenant ID, APP ID and App Secret to connect
    • Base URL should be set to https://api.securitycenter.microsoft.com. Optionally, it can be set to one of Microsoft's regional endpoints, for example https://api-<REGION>.securitycenter.microsoft.com
 
 
via CLI

Ensure you have the latest version of the CLI

  • run: prelude partner attach --api https://api.securitycenter.microsoft.com/ --user {TENANT ID} --secret {APP ID}/{APP SECRET} DEFENDER
    • replace {TENANT ID}, {APP ID} and {APP SECRET} with the values from your App Registration
    • --api is a required field that should be set to https://api.securitycenter.microsoft.com. Optionally, it can be set to one of Microsoft's regional endpoints, for example https://api-<REGION>.securitycenter.microsoft.com
 
 
Detach the partner
 
 
via UI
  • Navigate to your user name in the upper right-hand corner and select "Integrations"
  • Select the "Disconnect" action for Microsoft Defender
 
 
via CLI

Ensure you have the latest version of the CLI

  • run: prelude partner detach DEFENDER