Microsoft Defender for Endpoint connector

This connector can be run in the cloud or using an on-premises connector server.

The Microsoft Defender for Endpoint (MDE) connector gathers data about devices, software, vulnerabilities, and security information from MDE.

For information about what data is imported and how it is mapped, see Mapping (below).

In order to connect MDE to the Neurons Platform, you first need to create an application in Entra ID (formerly Azure AD) with the following permissions:

  • Machine.Read.All

  • Vulnerability.Read.All

All permissions must be approved with Grant admin consent. For information on creating the app, see Creating apps in Entra ID for Microsoft connectors.

Options

An MDE connector has the following options:

  • Connector name: A name for the connector.

  • Connector server name: The name of the connector server that this connector is associated with. When running the connector in the cloud, this server needs to be the Cloud option in the list.

    Each connector can only be associated with one connector server. If you added this connector to a specific connector server (on the Connectors > Connector Servers page), this field will be populated for you. Otherwise, you can select the server from the list.

  • Directory (tenant) ID: The ID of the tenant you created in Entra ID.

  • Application (client) ID: The ID of the application you created in Entra ID.

  • Client secret: The client secret associated with the application you created in Entra ID.

  • Devices stale threshold: To limit the amount of data that is gathered for Neurons, set a threshold for a specific number of days. The connector will only import devices that have checked in or changed during that time.

  • Device tags: Tag filters limit the gathered data to specific devices. Tags are created and maintained within Entra ID and classify the devices you want to retrieve. Add a tag value by typing it in the Tags area and pressing Enter.

    If you discover that the tags are not importing devices correctly, read the following Ivanti knowledge base article about troubleshooting the issue: Troubleshooting Dynamic Asset Tag Issues in Ivanti Neurons for UEM with Microsoft Defender for Endpoint Integration.

  • Repeats: How often the connector should gather data.

  • Start time: The time of day the connector should start running. To minimize the impact on your network and applications, we recommend that connectors generally run at night or on weekends.

  • Active: Whether the connector is active or not. While the connector is active, it runs according to the schedule you create. If you clear the check box, the connector is inactive and will not gather data until the check box is enabled again and the connector is saved.

For details on configuring or using connectors, see Setting up connectors.

Mapping

The data that this connector imports is mapped to target attributes in the Neurons Platform database.

For an overview of how the data imported by this connector is mapped to the Neurons target attributes, please download the CSV file using the button below.

Download mappings

For an overview of the Neurons target attributes per data type and the connector source attributes that are mapped to them, see Connector data mapping.