Setting up ATR for Microsoft Defender XDR

Microsoft Defender XDR was previously known as Microsoft 365 Defender.

ATR's detection and response for high-risk incidents reported by Microsoft Defender XDR monitors your environment for a range of indicators. These include critical threat categories such as ransomware, along with high-severity tactics, techniques, and procedures (TTPs) drawn from Barracuda's threat intelligence platform.

When Barracuda's Managed XDR platform identifies a high-risk threat on a machine running Microsoft Defender XDR, it isolates that device from the network so that inbound and outbound connectivity is severed. The device keeps only its own management channel to the Defender service, which is what allows it to be investigated and released later. The platform combines SOAR, threat intelligence, and Microsoft's detection data to analyze activity and identify malicious behavior. Once a high-risk threat is detected, XDR initiates an automated response that isolates the computer through the Microsoft Defender XDR API.

Once you have set up ATR for Microsoft Defender XDR, you can also do the following:

ATR for Microsoft Defender XDR workflow

  • A Microsoft Defender XDR event occurs, triggering an alarm in Barracuda XDR.

  • The alarm is sent to Barracuda XDR ATR.

  • ATR determines whether the incident is high severity.

    • If the incident is identified as high severity, the device is automatically isolated using the Microsoft Defender XDR API, an alert is sent, and the alert is followed by a phone call.

    • If the incident is not identified as high severity, the device is not isolated, and you receive a Medium or Low severity alert.

In the rare case that a high-risk threat is received but isolating the device from the network fails, the alert indicates the failure, and the message body contains the error code, the error message, and any steps needed to resolve it. Note that an accepted isolation request is not the same as a completed isolation: the Defender service applies the action when the device next checks in, so a device that is offline at the time of the request stays pending until it reconnects.
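What "isolate the computer via API" amounts to, as an added example that is not Barracuda's code: a PowerShell script that authenticates as the app registration, submits a full isolation (or a release, with -Release) for one device through the Microsoft Defender for Endpoint machine-action API, reports the HTTP status and the API's error body if the request is refused, and then polls the resulting machine action, because a successful submission only means the request was accepted. It assumes an app registration that already holds the Machine.Isolate application permission; the tenant ID, client ID, client secret and device ID are placeholders you supply. Run it only against a test device.

```powershell
# Added example (not Barracuda's code): isolate or release one device through the
# Microsoft Defender for Endpoint machine-action API and report the outcome.
# All parameter values are placeholders you supply for your own tenant.
param(
    [Parameter(Mandatory)] [string] $TenantId,      # placeholder: Entra tenant ID
    [Parameter(Mandatory)] [string] $ClientId,      # placeholder: Application (client) ID
    [Parameter(Mandatory)] [string] $ClientSecret,  # placeholder; prefer a certificate credential in production
    [Parameter(Mandatory)] [string] $MachineId,     # placeholder: Defender device ID (from GET /api/machines)
    [string] $Comment = "Isolated by automated response (high-severity incident)",
    [switch] $Release                                # release the device instead of isolating it
)
$Api = "https://api.securitycenter.microsoft.com"

# 1. App-only (client credentials) token for the Defender for Endpoint API.
#    Its "roles" claim lists the consented application permissions, e.g. Machine.Isolate.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = "client_credentials"
        scope         = "$Api/.default"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Submit the machine action. Full isolation cuts all traffic except the device's own
#    channel to the Defender service, so it stays manageable and can be released later.
$action = if ($Release) { "unisolate" } else { "isolate" }
$body = @{ Comment = $Comment }
if (-not $Release) { $body.IsolationType = "Full" }   # "Selective" keeps Outlook/Teams/Skype traffic
try {
    $machineAction = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
        -Uri "$Api/api/machines/$MachineId/$action" -Body ($body | ConvertTo-Json)
}
catch {
    # Surface the HTTP status and the API's error body: that is what an operator needs
    # to resolve a refused request (missing consent, wrong device ID, unsupported OS, ...).
    $status = $_.Exception.Response.StatusCode.value__
    $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
    throw "Machine action '$action' failed for $MachineId (HTTP $status): $detail"
}

# 3. Poll until the action leaves Pending/InProgress or a deadline passes.
#    An offline device stays Pending until it next checks in with the Defender service.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $machineAction = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$Api/api/machineactions/$($machineAction.id)"
} while ($machineAction.status -in @("Pending", "InProgress") -and (Get-Date) -lt $deadline)

[pscustomobject]@{
    MachineId = $MachineId
    Action    = $action
    ActionId  = $machineAction.id
    Status    = $machineAction.status   # Succeeded, Failed, Cancelled, or still Pending/InProgress at the deadline
}
```

The same Machine.Isolate permission authorizes both the isolate and the unisolate call, so the app that can contain a device can also release it; keep that in mind when deciding who may hold the client secret.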

To enable ATR for Microsoft Defender XDR, you need to:

  1. In Microsoft Entra, update the API permissions and grant admin consent

  2. In Barracuda XDR, enable ATR.

To set the API permissions and grant admin consent
  1. Sign in to the Microsoft Entra admin center.

  2. In the left menu, click Identity > Applications > App registrations. (API permissions are configured on the app registration; the Enterprise apps view shows the resulting service principal but has no API permissions page.)

  3. Click the link to your app registration.

  4. If you haven't already done so, remove the default User.Read permission. Every new registration receives this delegated Microsoft Graph permission automatically; the integration runs app-only, with no signed-in user, so User.Read is not needed and should not be left granted. Do the following:

    • In the left menu, in the Manage section of your registered application, click API permissions.

    • Under Configured permissions, locate the default User.Read permission.

    • Next to User.Read, click the ... (More options) icon, then click Remove all permissions.

    • Click Yes, remove.

  5. Add the Microsoft Defender XDR permissions by doing the following:

    • Under Configured permissions, click Add a permission.

    • In the Select an API section, click APIs my organization uses.

    • In the search bar, type WindowsDefenderATP and select WindowsDefenderATP from the results.

    • Click Application permissions. (Choose Application, not Delegated: ATR calls the API as the application itself, with no signed-in user.)

    • Find and select the following permissions:
      NOTE You can use the search box to type keywords.

      • Machine.Isolate (isolate a device and release it from isolation)

      • Machine.Read.All (read device inventory and status)

      • Alert.Read.All (read Defender alerts)

    • Click Add permissions.
  6. If you haven't already done so, grant admin consent by doing the following:

    • In the Configured permissions section, click Grant admin consent for <organization>.

    • In the confirmation dialog, click Yes.

    Until consent is granted, the Status column shows the permissions as not granted for your organization, and the integration's API calls fail with authorization errors.
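A directory-side check that the consent step above actually took effect, as an added example (not Barracuda's or Microsoft's code) using the Microsoft Graph PowerShell module: it reads the app role assignments on the app's service principal and reports which of the three WindowsDefenderATP application permissions are granted, anything granted beyond them, and any delegated scopes (such as the default User.Read) still present. The $AppId parameter and the Graph scopes requested are assumptions; the resource API is located by the WindowsDefenderATP display name used in step 5.

```powershell
# Added example (not Barracuda's or Microsoft's code): confirm from the directory that the
# app registration holds exactly the three WindowsDefenderATP application permissions,
# that admin consent was granted, and that the default User.Read delegated grant is gone.
# Assumes the Microsoft.Graph PowerShell module; $AppId is a placeholder you supply.
param([Parameter(Mandatory)] [string] $AppId)   # placeholder: Application (client) ID of your registration

# Scopes below are an assumption: enough to read service principals, app role assignments
# and delegated permission grants in most tenants.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome
$expected = @("Machine.Isolate", "Machine.Read.All", "Alert.Read.All")

# Admin consent for application permissions is recorded as appRoleAssignments on the app's
# service principal, each pointing at the resource API's service principal (WindowsDefenderATP).
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$mde = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'"
if (-not $sp -or -not $mde) {
    throw "Service principal for the app or for WindowsDefenderATP was not found in this tenant"
}

# Map the resource's app role IDs to their permission names (Machine.Isolate, ...).
$roleNames = @{}
foreach ($role in $mde.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $mde.Id } |
    ForEach-Object { $roleNames[[string]$_.AppRoleId] }

$missing = $expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $expected }

# Delegated permissions (such as the default Microsoft Graph User.Read) are recorded separately,
# as oauth2PermissionGrants. The integration runs app-only, so none should remain.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object { "$($_.Scope)".Trim() -split '\s+' } |
    Where-Object { $_ }

[pscustomobject]@{
    App                     = $sp.DisplayName
    DefenderAppRolesGranted = @($granted)
    MissingExpected         = @($missing)    # non-empty: admin consent did not cover all three
    UnexpectedAppRoles      = @($extra)      # least privilege: nothing beyond what ATR needs
    LeftoverDelegatedScopes = @($delegated)  # expect empty after removing User.Read
}
Disconnect-MgGraph | Out-Null
```

An empty MissingExpected and an empty LeftoverDelegatedScopes is the state the procedure above is meant to reach. If MissingExpected is non-empty right after clicking Grant admin consent, re-open the API permissions page: a permission that was added but not consented shows there as not granted.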
To update the XDR Dashboard

Unlike most other ATR integrations, Microsoft Defender XDR is enabled from its integration card, not from the ATR Settings page.

  1. In the Barracuda XDR Dashboard, in the left navigation menu, click Administration > Integrations.

  2. On the Microsoft 365 Defender card, click Update.

  3. If Endpoint is not enabled, slide the slider to On.

  4. Click Enable Auto Remediation.

  5. Click Save.
