Defender data source
Data Manager is included in all Service Collection Premium and Enterprise plans.
Defender is an antivirus and endpoint protection tool produced by Microsoft.
The Defender data source uses an API connection to bring device data into Data Manager. It requires an application registered in Azure to obtain a Tenant ID, Client ID, and Application ID. Work with your Defender SME as needed.
This task requires Data Manager & Adapters admin permissions to complete. See how permissions and roles work in Data Manager.
How do I connect Defender to Data Manager?
Gather all of the Data Manager type information, including the data source name, short display name, and the data source type.
Gather the Defender fields – this may require consultation with the Defender subject matter expert (SME).
In Data Manager, add a new data source by selecting the tool you which to connect and configure with all the gathered information.
Each time this data source is fetched the data becomes raw data.
Data Manager fields
You need to specify the following information from Data Manager:
Data source name – the name of the data source used to run, transform, map, cleanse, and import the data.
Short display name – a unique name as a data source label.
Data source type – what type of data the tool is providing. For example, Assets, CMDB, user location.
Defender fields
Client‑ID – identifies the application in Defender/Azure.
Client secret – secret string used when requesting tokens.
Tenant ID – unique identifier for the Defender tenant, used for authentication.
認証と承認
Register the application in the Azure portal to obtain Tenant ID, Client ID, and Application ID.
Generate the Client secret.
In the app’s Overview page, under Manage, go to API permissions > Add a permission.
Select WindowsDefenderATP from the API list.
Add the permission
Machine.Read.Alland grant admin consent.Select Add permissions.
API 呼び出し
The documented API permission for Defender is:
Device.Read.All
Fields retrieved
次のフィールドが取得されます。
Id
AgentVersion
ComputerDnsName
OsBuild
FirstSeen
HealthStatus
LastSeen
DeviceValue
OsPlatform
RbacGroupId
OsVersion
RbacGroupName
OsProcessor
RiskScore
Version
ExposureLevel
LastIpAddress
IsAadJoined
LastExternalIpAddress
AadDeviceIdこの内容はお役に立ちましたか?