Microsoft Defender ATP third-party solution integrations

Published May 05 2019 03:36 AM

A typical enterprise deploys multiple solutions from different vendors to address its security needs and run its day-to-day operations. This often requires customers to build their own custom automation to bridge the seams between solutions - to automate procedures, integrate data, and orchestrate actions to enable security teams to effectively operate and respond to threats.


Today we are announcing the general availability of Microsoft Defender ATP partner integrations - a set of pre-integrated partner solutions that enable customers to streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; helping security teams to effectively respond to modern threats.


Third-party solution integrations


Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out-of-the-box integration with SIEM and ticketing/ITSM solutions, integration with Managed Security Service Providers (MSSPs), IoC ingestion and matching, automated device investigation and remediation based on external alerts, and integration with SOAR orchestration systems. We’ll cover a couple of examples here.




Security orchestration and automation response (SOAR) integration


Orchestration solutions enable customers to build playbooks that integrate the rich data model and actions exposed by the Microsoft Defender ATP APIs, orchestrating responses as defined by the customer’s own procedures (for example, query for device data, trigger machine isolation, block/allow, resolve an alert, and others).

  • Demisto (now Palo Alto Networks) integrated the orchestration solution with Microsoft Defender ATP.

“With Microsoft Defender ATP and Demisto orchestration, we could build our own custom malware response playbook to automate the containment and eradication of infected machines.”

Cyber Operations Manager, 50K+ seat global enterprise

External alert correlation & Automated investigation and remediation


Microsoft Defender ATP offers unique automated investigation and remediation capabilities, enabling customers to leverage automation and AI to drive incident response at scale.


Integrating automated investigation and remediation capabilities with solutions such as IDS and firewalls enables customers to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.


External alerts pushed into Microsoft Defender ATP are presented side by side with the device-based alerts Microsoft Defender ATP raises itself. This view provides the full context of the alert, with the actual process involved and the full story of the attack.


For example, Morphisec integrated their Moving Target Defense alerts this way with Microsoft Defender ATP. Soon, this scenario will be extended with an automated investigation and remediation report, allowing security operations experts to focus on more sophisticated threats and other high-value initiatives.


Indicators matching (a.k.a. block/allow)


Customers use threat intelligence (TI) providers and aggregators to maintain and use indicators of compromise (IoCs). Microsoft Defender ATP allows customers to integrate with such solutions and act on IoCs: it correlates them against its rich telemetry, creates an alert when there is a match, and leverages its prevention and automated response capabilities to block execution and take remediation actions.

  • For example, read our recent blog on Palo Alto Networks MineMeld


Microsoft Defender ATP currently supports IoC matching and remediation for file and network indicators. Blocking is supported for file indicators.


Support for non-Windows platforms via third-party integration


Using the cross-platform partner integration, customers gain a unified experience with value spanning beyond a single pane of glass. Here are a few examples:


Microsoft Defender ATP allows a seamless pivot from the alerts for a mobile device to the associated user, the user’s other devices, and other alerts related to this user. This enables security teams to fully assess the scope of a breach and the impact of compromised user credentials. Additionally, Microsoft Defender ATP allows customers to monitor Mac and Linux operating systems through integration with Bitdefender, SentinelOne, and Ziften.


SIEM integration


Microsoft Defender ATP supports SIEM integration through a variety of methods – a dedicated SIEM interface with out-of-the-box connectors, a generic Alert API enabling custom implementations, and an Action API enabling alert status management.
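The orchestration actions above (isolate a machine, block a file indicator, resolve an alert) are the building blocks of the malware-response playbook the Demisto quote describes. The following is an added example, not code from the original post or from any partner product: a small Python client over the documented Microsoft Defender ATP REST endpoints (machine isolation, indicator submission, alert status update) plus the AAD client-credentials token request the post refers to. The HTTP transport is injectable, so the playbook runs offline against a recording fake; the tenant, token and alert values are constructed placeholders, and the indicator helper enforces the post's caveat that blocking is supported for file indicators only.

```python
"""Defender ATP containment playbook over the public REST API (added example).
Endpoints: machine isolation, indicator submission, alert status update.
The HTTP transport is injectable so the playbook runs offline against a fake.
All tenant, token and alert values are constructed placeholders."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# IoC types the indicator API accepts. Blocking (AlertAndBlock) is supported
# for file indicators only, as the post notes, so the client enforces that.
FILE_INDICATOR_TYPES = {"FileSha1", "FileSha256"}
NETWORK_INDICATOR_TYPES = {"IpAddress", "DomainName", "Url"}

# Signature: (method, url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def token_request(tenant: str, client_id: str, client_secret: str) -> dict:
    """AAD client-credentials request for the Defender ATP resource (form-encoded)."""
    return {"url": AAD_TOKEN_URL.format(tenant=tenant),
            "form": {"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": client_secret,
                     "resource": "https://api.securitycenter.microsoft.com"}}


def urllib_transport(method, url, headers, body):
    """Production transport (network): send JSON, return parsed response or {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class DefenderClient:
    """Wrapper over the three API actions an orchestration playbook needs."""

    def __init__(self, token: str, transport: Transport):
        self._headers = {"Authorization": f"Bearer {token}",
                         "Content-Type": "application/json"}
        self._send = transport

    def isolate_machine(self, machine_id: str, comment: str, full: bool = True) -> dict:
        body = {"Comment": comment, "IsolationType": "Full" if full else "Selective"}
        return self._send("POST", f"{API_BASE}/machines/{machine_id}/isolate",
                          self._headers, body)

    def submit_indicator(self, value: str, itype: str, action: str, title: str,
                         description: str, severity: str = "High") -> dict:
        if itype not in FILE_INDICATOR_TYPES | NETWORK_INDICATOR_TYPES:
            raise ValueError(f"unsupported indicator type: {itype}")
        if action == "AlertAndBlock" and itype not in FILE_INDICATOR_TYPES:
            raise ValueError("blocking is only supported for file indicators")
        body = {"indicatorValue": value, "indicatorType": itype, "action": action,
                "title": title, "description": description, "severity": severity}
        return self._send("POST", f"{API_BASE}/indicators", self._headers, body)

    def update_alert(self, alert_id: str, status: str, comment: str,
                     classification: Optional[str] = None,
                     determination: Optional[str] = None) -> dict:
        body = {"status": status, "comment": comment}
        if classification:
            body["classification"] = classification
        if determination:
            body["determination"] = determination
        return self._send("PATCH", f"{API_BASE}/alerts/{alert_id}", self._headers, body)


def run_containment_playbook(client: DefenderClient, alert: dict) -> List[str]:
    """Isolate the device, block the file hash, then resolve the alert."""
    client.isolate_machine(alert["machineId"], f"playbook: containing {alert['id']}")
    client.submit_indicator(alert["sha256"], "FileSha256", "AlertAndBlock",
                            title=f"Blocked by playbook for {alert['id']}",
                            description=alert["title"])
    client.update_alert(alert["id"], "Resolved", "contained by playbook",
                        classification="TruePositive", determination="Malware")
    return ["isolated", "blocked-hash", "resolved"]


class RecordingTransport:
    """Offline fake: records (method, url, body) and returns a canned reply."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        return {"status": "ok"}


# Constructed sample alert in the shape an external (IDS/EDR partner) alert carries.
SAMPLE_ALERT = {"id": "alert-0001", "machineId": "machine-0001",
                "title": "Suspicious dropper (constructed sample)", "sha256": "0" * 64}

if __name__ == "__main__":
    fake = RecordingTransport()
    print(run_containment_playbook(DefenderClient("<token-placeholder>", fake), SAMPLE_ALERT))
    for method, url, body in fake.calls:
        print(method, url, json.dumps(body))
```

To run it against a real tenant, swap `RecordingTransport` for `urllib_transport` and obtain the bearer token by POSTing the form built by `token_request` to the AAD endpoint; the app registration must hold the Machine.Isolate, Ti.ReadWrite and Alert.ReadWrite permissions, which is exactly the permission grant the partner page puts under the customer's control.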


Seamless enablement, zero deployment


The available third-party integrations are visible in a new partner page in the Microsoft Defender ATP security center console. Enabling an integration requires just a few clicks and no deployment: it uses cloud APIs and the standard AAD (Azure Active Directory) authentication and authorization model, which puts the customer in control of the permissions granted to third-party solutions to interoperate with its Microsoft Defender ATP tenant.


[Figure: Partner page]




Microsoft Defender ATP partner integrations enable customers to seamlessly integrate Microsoft Defender ATP capabilities with third-party solutions, further augmenting existing defenses and helping security teams respond better to modern threats.


Can't find your security solution listed? Click "Recommend other partners" to suggest a solution integration and we’ll take it from there.




@Dan Michelson, @Oren Levin



Related Links:

Discover the Microsoft Intelligent Security Association




Last update: May 07 2019 11:13 AM