Microsoft Defender ATP Integration permissions

Hey Team,

I am looking to grant least privileges to SOAR on Defender ATP to only do enrichments and some data gathering.

Does anyone have a list of actions and their respective permissions required to be granted on the WindowsdefenderATP application?

Also, I would like to know more about the purpose of the Event.Write permission and in which actions it's used?

1 ACCEPTED SOLUTION

The list of actions is listed in the marketplace details for this integration. As for each permission and what it can do, I would believe we could find that on the MS site. Our required permissions are in the below link.
 
 
The "Event.Write" permission in Microsoft Defender for Endpoint (MDE) allows an application to create events in the machine timeline, providing a record of activities on a device. This is essential for logging and tracking events, particularly for security investigations and analysis.
 
Elaboration:
  • Event.Write Permission: This specific permission enables an application to create events that will be visible in the Defender for Endpoint device timeline.
  • Machine Timeline: The device timeline provides a chronological view of events and alerts observed on a device, allowing security professionals to trace activities and investigate potential threats.
  • Security Investigations: The ability to write events to the timeline is crucial for incident response and security analysis, allowing investigators to reconstruct the sequence of events leading to a potential breach.
  • Event Flags: Event flags in the timeline help prioritize and filter events, making it easier to focus on the most relevant information during an investigation.
  • Example Usage: An application might use the "Event.Write" permission to log a user's login event, a file access attempt, or an alert being triggered.
  • API Access: To leverage this permission, applications need to be granted access to the Microsoft Defender for Endpoint API and have the necessary permissions.
  • RBAC and Permissions: Microsoft Defender for Endpoint uses role-based access control (RBAC) to manage permissions. Security administrators can assign roles with the "Manage Security Settings" permission to manage custom detections and other security features, according to Learn Microsoft.
  • Example: A Red Canary integration requires the "Event.Write" permission to create and update event entries in the device timeline.

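The least-privilege check the question is really after is "which scopes has the SOAR app registration actually been granted on the MDE API, and which of them can change state?" The following is an added example written for this thread, not code from the original post, from Splunk SOAR, or from Microsoft. It works on the two shapes Microsoft Graph returns for that question: the MDE resource service principal's `appRoles` (each with `id`, `value`, `displayName`) and the SOAR client service principal's `appRoleAssignments` (each with `appRoleId`, `resourceId`). All sample data in the block is constructed: the GUIDs are fake, `Event.Write` is the scope discussed above, the other scope names are illustrative, and the enrichment-only allowlist is an assumption that a real deployment would derive from the actions its playbooks call.

```python
"""Least-privilege audit of the API permissions granted to a SOAR app
registration on the WindowsDefenderATP (Microsoft Defender for Endpoint) API.

Added example, not from the original post. Inputs mirror the Microsoft Graph
shapes for a resource service principal's `appRoles` and a client service
principal's `appRoleAssignments`; all data below is constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Constructed: object id of the MDE resource service principal in the tenant.
MDE_SP_ID = "00000000-0000-0000-0000-00000000aaaa"

# Constructed: app roles exposed by the MDE API service principal.
# Only Event.Write comes from the thread; the other values are illustrative.
MDE_APP_ROLES: List[Dict[str, str]] = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Machine.Read.All",
     "displayName": "Read all machine information"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Alert.Read.All",
     "displayName": "Read all alerts"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Event.Write",
     "displayName": "Write timeline events"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Machine.Isolate",
     "displayName": "Isolate machine"},
]

# Constructed: app-only grants held by the SOAR service principal. One entry
# references a role id the resource does not define, and one targets a
# different resource (e.g. Microsoft Graph) and must be skipped here.
SOAR_ASSIGNMENTS: List[Dict[str, str]] = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceId": MDE_SP_ID},
    {"appRoleId": "00000000-0000-0000-0000-000000000002", "resourceId": MDE_SP_ID},
    {"appRoleId": "00000000-0000-0000-0000-000000000003", "resourceId": MDE_SP_ID},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff", "resourceId": MDE_SP_ID},
    {"appRoleId": "00000000-0000-0000-0000-000000000001",
     "resourceId": "00000000-0000-0000-0000-00000000bbbb"},
]

# Assumption for this example: an enrichment-only SOAR integration needs read
# scopes only. The real allowlist comes from the actions the playbooks use.
ENRICHMENT_ALLOWLIST: Set[str] = {"Machine.Read.All", "Alert.Read.All"}


def is_read_only(role_value: str) -> bool:
    """Classify a scope by its verb segment: '<Resource>.Read[.All]' is read-only;
    Write, ReadWrite, Isolate and similar verbs can change tenant or device state."""
    parts = role_value.split(".")
    return len(parts) >= 2 and parts[1] == "Read"


def resolve_granted_roles(app_roles: List[Dict[str, str]],
                          assignments: List[Dict[str, str]],
                          resource_id: str) -> Tuple[List[str], List[str]]:
    """Map the appRoleAssignments that target one resource back to role values.
    Returns (sorted granted values, sorted appRoleIds the resource does not define)."""
    by_id = {r["id"]: r["value"] for r in app_roles}
    granted: Set[str] = set()
    unresolved: Set[str] = set()
    for a in assignments:
        if a["resourceId"] != resource_id:
            continue  # grant on another API; audit it against that API's roles
        value = by_id.get(a["appRoleId"])
        if value is None:
            unresolved.add(a["appRoleId"])  # stale or unknown role id: investigate
        else:
            granted.add(value)
    return sorted(granted), sorted(unresolved)


def audit(granted: List[str], allowlist: Set[str]) -> Dict[str, List[str]]:
    """Compare granted scopes with the allowlist. 'excess' is everything not
    allowed, 'excess_write' the subset that is not read-only (remove first),
    'missing' the allowed scopes that were never granted."""
    have = set(granted)
    excess = have - allowlist
    return {
        "excess": sorted(excess),
        "excess_write": sorted(v for v in excess if not is_read_only(v)),
        "missing": sorted(allowlist - have),
    }


if __name__ == "__main__":
    granted, unresolved = resolve_granted_roles(MDE_APP_ROLES, SOAR_ASSIGNMENTS, MDE_SP_ID)
    print("granted:", granted, "unresolved:", unresolved)
    print("audit:", audit(granted, ENRICHMENT_ALLOWLIST))
```

Against the constructed data the audit flags `Event.Write` as an excess write scope while the two read scopes pass, which is the answer to the original question for an enrichment-only integration: a scope that creates timeline events is not needed to read them. In a real tenant the inputs come from Graph (`GET /servicePrincipals/{id}/appRoleAssignments` for the SOAR service principal, and the `appRoles` property of the MDE service principal); audit the granted assignments rather than the `requiredResourceAccess` list on the application object, since the latter is what the app requests, not what an admin has consented to.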
