How to Integrate with Microsoft Defender XDR

Integrating with Microsoft Defender XDR allows you to initiate triage acquisition on hosts with the Defender agent installed using Live Response.

Once initiated, Live Response will locate the endpoint running the Defender agent and execute a Cado Host command to collect the triage package and upload it to Cado for processing.

Prerequisites

  1. Ensure you have a Microsoft Defender for Endpoint Plan 2 license.

  2. In the Defender Portal, enable the following settings by navigating to Settings > Endpoints > Advanced Features:

    [Screenshot: Defender Live Response settings]

  3. Create an App Registration with the required API permissions for Defender XDR. Refer to Microsoft documentation for guidance on creating the App Registration in your Azure portal.

The following API permissions are required for Cado integration:

| Permission | Reason | Type | Admin Consent Required |
|---|---|---|---|
| Library.Manage | Allows Cado to upload Cado Host scripts to the Live Response library for credential refresh | Application | Yes |
| Machine.LiveResponse | Allows Cado to run Cado Host against a machine | Application | Yes |
| Machine.Read.All | Allows Cado to inspect a single machine on Defender and obtain its UUID | Application | Yes |
| Machine.ReadWrite.All | Allows Cado to retrieve a list of all machines on Defender for display in the UI | Application | Yes |
| Alert.Read.All | Allows Cado to monitor alerts from Defender as part of the Detection integration | Application | Yes |
| Alert.ReadWrite.All | Allows Cado to manage alerts from Defender as part of the Detection integration | Application | Yes |

Enabling the Integration in the Cado Platform

  1. Enable the beta feature by going to Settings > Experiments and toggling the "Microsoft Defender XDR" option.
  2. Navigate to Settings > Integrations > XDR and click Add Connection.
  3. Select Defender from the dropdown menu.
  4. Enter the Tenant, Client ID, and Client Secret from the App Registration you created. The integration will appear on the settings page.
  5. In any investigation, click Import > XDR > Defender.
  6. If configured correctly, a paginated list of hosts with the Defender agent installed will be displayed.
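If the host list does not appear in step 6, the usual cause is a missing or unconsented API permission on the App Registration. The following pre-flight check is an added example, not Cado's code: it obtains an app-only token for the Defender API with the client-credentials grant and reports which of the permissions listed in the prerequisites table are absent from the token's roles claim. The login and API URLs are Microsoft's published endpoints; TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders for the values from your App Registration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions from the prerequisites table; each must also have admin consent.
REQUIRED_ROLES = {
    "Library.Manage",
    "Machine.LiveResponse",
    "Machine.Read.All",
    "Machine.ReadWrite.All",
    "Alert.Read.All",
    "Alert.ReadWrite.All",
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"


def jwt_roles(token: str) -> set[str]:
    """Return the roles claim of a JWT. The signature is deliberately not
    verified: we are only inspecting a token that was just issued to us."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_roles(token: str) -> set[str]:
    """Required Defender permissions that the App Registration has not been granted."""
    return REQUIRED_ROLES - jwt_roles(token)


def fetch_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against Entra ID for the Defender API scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), body) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Placeholders: substitute the values entered in the Cado XDR connection.
    tok = fetch_token("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
    gap = missing_roles(tok)
    print("all required permissions granted" if not gap else f"missing: {sorted(gap)}")
```

A permission that was added in the Azure portal but not admin-consented does not show up in the roles claim, so this check catches both cases.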

Limitations

  • Microsoft Defender allows at most 25 concurrent Live Response sessions.
  • Live Response scripts will time out after 10 minutes.
  • Only one Live Response session can be active per endpoint.