Defender Asset Discovery
In this guide we will showcase how to connect to an environment and retrieve its users, workstations and servers using the Graph API and Defender, then use Asset Update to store them within the Asset A-Ops application.
Download template
Requirements
- Asset Integration
- Microsoft Defender Integration
Steps
- Add Trigger object to the flow
- Edit the trigger, name it
- Add and configure a MS Defender Connect with a Tenant ID, Client ID and Client_secret, and set the scope to: https://graph.microsoft.com/.default
- Add and configure a MS Defender Custom Request and set the Method to GET.
  To retrieve users, set the API Endpoint to: users
  To retrieve devices, set the API Endpoint to: devices
- Add and configure a ForEach action to loop over all retrieved assets.
- Depending on preference, either add an Asset Update directly after the ForEach loop, or first define variables to hold the information needed from the retrieved data.
In addition to the above steps, the guide includes retrieving all registered managed devices. This can be achieved with a similar flow design:
- Add Trigger object to the flow
- Edit the trigger, name it
- Add and configure a MS Defender Connect with a Tenant ID, Client ID and Client_secret, and set the scope to: https://graph.microsoft.com/.default
- Add and configure a MS Defender Custom Request and set the Method to GET. Setting the API Endpoint to deviceManagement/managedDevices will fetch all managed devices that are registered within Intune.
- Add and configure a ForEach action to loop over all retrieved assets.
- Because the retrieved data contains dynamic time values, an action is added to normalise the events and store the information in Variables, which are then used to create / update Assets.
- Add an Asset Update and create / update assets related to Intune devices.
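The ForEach and time-normalisation steps above, sketched in Python as an added example (not part of the downloadable template or the product's own code). It goes slightly beyond the steps by also following the Graph `@odata.nextLink` paging link so that no devices are missed. The asset field names, the sample responses and the treatment of year-0001 timestamps as "never synced" are assumptions.

```python
import re
from datetime import datetime, timezone

# Graph timestamps are ISO 8601 UTC, optionally with fractional seconds.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")

def normalise_time(value):
    """Second-precision UTC ISO 8601 string, or None if unset or unparseable."""
    m = _TS.match(value or "")
    if not m or m.group(1).startswith("0001-"):  # assumed placeholder for "never"
        return None
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat()

def iter_assets(fetch, endpoint):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    url = endpoint
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def to_asset(device):
    """Map a managedDevice to a hypothetical asset record (field names assumed)."""
    return {
        "source_id": device.get("id"),
        "name": device.get("deviceName"),
        "os": device.get("operatingSystem"),
        "owner": device.get("userPrincipalName"),
        "last_seen": normalise_time(device.get("lastSyncDateTime")),
    }

# Constructed sample responses standing in for the Custom Request output.
PAGES = {
    "deviceManagement/managedDevices": {
        "value": [{"id": "d1", "deviceName": "WS-001", "operatingSystem": "Windows",
                   "userPrincipalName": "a@example.com",
                   "lastSyncDateTime": "2024-05-01T10:15:30.1234567Z"}],
        "@odata.nextLink": "page2",
    },
    "page2": {"value": [{"id": "d2", "deviceName": "SRV-002",
                         "operatingSystem": "Linux",
                         "lastSyncDateTime": "0001-01-01T00:00:00Z"}]},
}

def collect(endpoint="deviceManagement/managedDevices", fetch=PAGES.__getitem__):
    """Return normalised asset records for every device across all pages."""
    return [to_asset(d) for d in iter_assets(fetch, endpoint)]
```

In a live run, `fetch` would be replaced by an authenticated GET against the Graph API using the token obtained in the Connect step.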
All above steps can be viewed below.