Microsoft Defender Integration

Incoming webhook integration with Microsoft Defender for Endpoint

This integration requires a Microsoft Power Automate license for the owner-user

Configuring this integration enables Rezonate's ITDR engine to cross-correlate identity threats from Endpoint detections, and to improve MTTR.

To set up the integration please follow the following steps:

Browse to the Rezonate integrations screen, add a new Integration, and select Microsoft Defender. Pick a name for the application and copy the webhook URL that appears on the integration screen. Take note of it as we will use it later in the microsoft configuration part.
Browse to https://flow.microsoft.com and Click Create.
Click on the All Connectors button at the bottom right of the page, search for “ATP” and select the Microsoft Defender ATP app.
After that, select “Triggers - Trigger when new WDATP alert occurs”.
A new block will appear on the board, with an Invalid connection error below it.
To authenticate with a licensed user, and authorize Power Automate’s access request to your tenant’s data, on the right side menu, look for an option to sign in to Microsoft Defender to set up the connection.
A popup window will open, choose your licensed user and then authorize the application’s access request.
Now authorized, inside the workflow board, click the + icon below the Defender block and add an action.
Search for “HTTP webhook”.
Select HTTP Webhook (first option), and Click the new webhook block, to set up the parameters, including the target URL that you copied from Rezonate.

Save your flow by clicking the Save button.
Head back to the main menu of Power Automate and find your flow under My Flows.
Click the 3 dots icon and more commands, and a menu will appear, choose Turn on to enable the new flow.

Last updated 3 months ago