Microsoft Defender for Endpoint connector

This is a cloud connector.

The Microsoft Defender for Endpoint (MDE) connector gathers data about devices, software, vulnerabilities, and security information from MDE.

In order to connect MDE to the Neurons Platform, you first need to create an application in Entra ID (formerly Azure AD). The app must have the Machine.Read.All and Vulnerability.Read.All permissions, which also need to be approved with Grant admin consent. For information on creating the app, see Creating API apps in Entra ID for Microsoft cloud connectors.

For information about what data is imported and how it is mapped, see Mapping (below).

Options

An MDE connector has the following options:

  • Connector name: A name for the connector.

  • Connector server name: For cloud connectors, this server is the Cloud option on the Connector Servers page. If you already added the connector to the Cloud option, this field will be populated for you. Otherwise, select Cloud from the list.

  • Directory (tenant) ID: The ID of the tenant you created in Entra ID.

  • Application (client) ID: The ID of the application you created in Entra ID.

  • Client secret: The client secret associated with the application you created in Entra ID.

  • Devices stale threshold: To limit the amount of data that is gathered for Neurons, set a threshold for a specific number of days. The connector will not include records unless the device has been created, logged in, or updated during that time.

  • Device tags: Tag filters limit the gathered data to specific devices. Tags are created and maintained within Entra ID and classify the devices you want to retrieve. Add a tag value by typing it in the filters area and pressing Enter.

  • Repeats: How often the connector should gather data.

  • Start time: The time of day the connector should start running. To minimize the impact on your network and applications, we recommend that connectors generally run at night or on weekends.

  • Active: Whether the connector is active or not. While the connector is active, it runs according to the schedule you create. If you clear the check box, the connector is inactive and will not gather data until the check box is enabled again and the connector is saved.

For details on configuring or using connectors, see Setting up connectors.

Mapping

The data that this connector imports is mapped to target attributes in the Neurons Platform database.

  • Machine ID

  • Merged into machine ID

  • Is potential duplication

  • Is excluded

  • Display name

  • Device name, device value, and device ID

  • TCPIP host name and TCPIP address

  • First and last seen dates

  • OS name, version, build, and architecture

  • Agent version

  • Health status

  • Machine risk score

  • Exposure level

  • Tag names

  • Av status and onboarding status

  • Managed by and managed by status

  • Public IP address and IP address

  • NIC address

  • Physical address

  • CVE ID, name, description, severity, and severity score

  • CVE published date, modified date, and date added

  • Public exploit, exploit verified, and exploit in kit

For an overview of how the data imported by this connector is mapped to the Neurons target attributes, please download the CSV file using the button below.

Download mappings

For an overview of the Neurons target attributes per data type and the connector source attributes that are mapped to them, see Connector data mapping.