A typical enterprise depends on multiple security solutions to operate and to combat advanced cyber adversaries. At Microsoft, we believe that when these solutions work together, you gain greater efficiency, speed, and stronger defenses.
To enable this, Microsoft Defender ATP offers a rich and complete set of APIs that span multiple functional areas of the platform, including investigation, detection, response, and threat and vulnerability management.

We’ve worked with our ecosystem partners to take these API integrations a step further and are extending the power of our combined platforms to help our customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities.

We’re thrilled to announce this step forward and extend our vast partner ecosystem that is part of the broader Microsoft Intelligent Security Association (MISA). We’ve outlined the specifics of these integrations below:

Integrating the network and the endpoint to improve visibility and detection speed

To integrate two important views of a cyber-attack – the network and the endpoint – we have partnered with Aruba and Blue Hexagon to add more visibility and context for defenders to detect and protect against attacks:
Aruba ClearPass | Network access control
As a critical piece of a sound network security strategy, network access control (NAC) can enforce granular policies and ensure that the right devices and users have access to the right network resources. Aruba ClearPass Policy Manager uses key endpoint attributes provided by Microsoft Defender ATP, such as risk and exposure scores and the sensor’s last report time, to make enforcement decisions as part of an authorization check.
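An added illustration of the kind of authorization check described above (example code written for this page, not Aruba's or Microsoft's own): it reads three attributes from a constructed Defender ATP machine record and returns an allow/restrict/deny decision. The field names riskScore, exposureLevel and lastSeen follow the Defender ATP machine API; the thresholds and the fail-closed handling of a silent sensor are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Ordinal ranking of the Defender ATP severity strings (assumed ordering).
LEVELS = {"None": 0, "Low": 1, "Medium": 2, "High": 3}

ALLOW, RESTRICT, DENY = "allow", "restrict", "deny"


def nac_decision(machine: Dict[str, str], now: datetime,
                 max_sensor_age: timedelta = timedelta(hours=24)) -> Tuple[str, str]:
    """Return (decision, reason) for a device requesting network access.

    `machine` mimics a Defender ATP machine record; only the three attributes the
    text names are consulted: riskScore, exposureLevel and lastSeen (ISO 8601, UTC).
    Thresholds are assumptions chosen for the example.
    """
    # A sensor that has gone quiet cannot vouch for the device: fail closed to a
    # restricted segment instead of treating "no bad news" as "healthy".
    last_seen = datetime.fromisoformat(machine["lastSeen"].replace("Z", "+00:00"))
    age = now - last_seen
    if age > max_sensor_age:
        return RESTRICT, f"sensor last reported {age} ago (limit {max_sensor_age})"

    # Unknown or missing values rank as High so a malformed record is never waved through.
    risk = LEVELS.get(machine.get("riskScore", ""), LEVELS["High"])
    exposure = LEVELS.get(machine.get("exposureLevel", ""), LEVELS["High"])

    if risk >= LEVELS["High"]:
        return DENY, "high risk score: active alerts on the device"
    if risk >= LEVELS["Medium"] or exposure >= LEVELS["High"]:
        return RESTRICT, f"riskScore={machine.get('riskScore')} exposureLevel={machine.get('exposureLevel')}"
    return ALLOW, "risk and exposure within policy, sensor current"


# Constructed sample records (not real telemetry).
NOW = datetime(2020, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "healthy":  {"riskScore": "Low",  "exposureLevel": "Low",  "lastSeen": "2020-01-08T11:45:00Z"},
    "exposed":  {"riskScore": "Low",  "exposureLevel": "High", "lastSeen": "2020-01-08T11:50:00Z"},
    "infected": {"riskScore": "High", "exposureLevel": "Low",  "lastSeen": "2020-01-08T11:59:00Z"},
    "stale":    {"riskScore": "None", "exposureLevel": "None", "lastSeen": "2020-01-03T09:00:00Z"},
    "garbled":  {"riskScore": "???",  "exposureLevel": "Low",  "lastSeen": "2020-01-08T11:59:00Z"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:9s} -> {nac_decision(rec, NOW)}")
```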

Blue Hexagon | Network threat protection

Blue Hexagon has built a network threat protection platform harnessing deep learning. In the Blue Hexagon-Microsoft Defender ATP partnership, a network threat detected in less than a second can quickly be prevented on enterprise endpoints. The solutions work tightly together to stop malicious files from being executed, prevent infection of patient zero, and stop any further lateral movement. Read more about this here.
Continuous security validation

Continuously test, measure, and validate your security infrastructure by launching automated and on-demand attack scenarios.

SafeBreach | Continuous security validation

The SafeBreach platform provides visibility into an organization's cyber-security posture, enables data-driven risk analysis, resource prioritization and guided mitigation. This integration connects Microsoft Defender ATP’s event and alerting engine to SafeBreach’s breach and attack simulation platform to bring prevention capabilities to the next level. Read more about this here.


AttackIQ | Continuous security validation

AttackIQ, a leading player in the emerging market of continuous security validation, enables red and blue teams to test the effectiveness of their security controls, including through direct integration with Microsoft Defender ATP. The platform maps Microsoft Defender ATP coverage against the MITRE ATT&CK Matrix, a curated knowledge base and model of cyber adversary behavior. Security teams can determine how to deploy and keep Microsoft Defender ATP configured properly, with the visibility to quickly remediate any gaps that might exist. Read more about the AttackIQ-Microsoft Defender ATP integration here.
Security orchestration and automation

Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team’s ability to efficiently respond to attacks. To help solve this problem we are introducing the following integrations:


Swimlane | Security orchestration automation and response

Swimlane delivers pre-configured integrations for rapidly implementing enterprise-wide security automation and orchestration. The Swimlane integration with Microsoft Defender ATP is designed to provide tools for taking automated remediation actions. This integration leverages the rich and complete set of APIs to assist with remediation, such as blocking a hash, killing a process, or isolating a host from the network.

The Microsoft Defender ATP orchestration and automation ecosystem also includes partnerships with Demisto, CyberSponse CyOps, Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions.

Web content filtering

Cyren | Web content filtering
More than 1.3 billion users around the world rely on Cyren's cloud security solutions to protect them against cyberattacks and data loss every day. Cyren’s comprehensive web content classification technology is integrated into Microsoft Defender ATP to enable web content filtering and auditing capabilities. Learn more about this here.


Threat intelligence

Microsoft Defender ATP allows customers to integrate with threat intelligence solutions and act on indicators of compromise (IoCs). Rich telemetry is correlated against the indicators, and when there is a match the prevention and automated response capabilities alert or block execution and take remediation actions.

Anomali | Threat Intelligence
Anomali has developed an integration with Microsoft Defender ATP and other Microsoft solutions via the Microsoft Graph Security API. Learn more about it here.


You can also submit threat indicators to Microsoft Defender ATP using a MISP connector, ThreatConnect, and Palo Alto MineMeld.

What else?
Designed to deliver best-of-breed security, Microsoft Defender ATP offers partners opportunities to extend their existing security offerings on top of the open framework and a rich, complete set of APIs, allowing them to build extensions and integrations to our endpoint security platform.

Security vendors interested in connecting to Microsoft Defender ATP can use this page to get started on developing an integration.

We are constantly working on extending our network of partners. As a customer, if you would like to see additional integrations with Microsoft Defender ATP, use the ‘recommend a partner’ button on the Partner Application page in the Microsoft Defender Security Center.

1 Comment

Another new integration with MDATP is THOR Scanner. THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment. THOR is a forensic scanner that integrates into MDATP to scan the local filesystem, registry, logs and other elements for traces of hacking activity using 10,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner. https://www.nextron-systems.com/2020/01/07/thor-integration-into-windows-defender-atp