Status: Available (sub-feature of Azure AD integration)
Prerequisite: Azure AD integration must be connected first
License required: Microsoft Defender for Endpoint P1 or P2
Syncs: Devices, alerts, CVEs, secure score
Prerequisites
Defender data is synced as part of the Azure AD integration using the same app registration. You do NOT need a separate OAuth connection. Before proceeding:
- Complete the Azure AD setup guide first
- Confirm your tenant has Defender for Endpoint P1 or P2 licensing
Add Defender Permissions to Your App Registration
- Go to portal.azure.com → App registrations
- Open your SecurAtlas Integration app (created in the Azure AD guide)
- Click API permissions → Add a permission
- Select APIs my organization uses
- Search for “WindowsDefenderATP” → select it
- Choose Application permissions and add:
| Permission | Purpose |
|---|---|
| Alert.Read.All | Read all Defender alerts |
| Machine.Read.All | Read all enrolled machines/devices |
| SecurityRecommendation.Read.All | Read security recommendations |
| Vulnerability.Read.All | Read CVE and vulnerability data |
| AdvancedQuery.Read.All | Run advanced hunting queries |
- Click Grant admin consent for [your org]
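The permission set above can also be audited outside the portal, which is useful when checking that consent was actually granted and that nothing broader than the five read-only permissions crept in. The following is an added example, not SecurAtlas's or Microsoft's code: it takes three objects in the shape Microsoft Graph returns (the application's `requiredResourceAccess`, the WindowsDefenderATP service principal's `appRoles`, and the admin-consent grants in `appRoleAssignments`) and reports which required application permissions are missing, which were added as delegated rather than application permissions, which were requested but never admin-consented, and which exceed what the integration needs. Every id and every sample object below is a constructed placeholder, not a real Microsoft GUID.

```python
"""Audit an app registration's Defender for Endpoint permissions against the
list in this guide. Added example, not SecurAtlas or Microsoft code. Inputs
mirror three Microsoft Graph shapes: application.requiredResourceAccess,
servicePrincipal.appRoles and servicePrincipal.appRoleAssignments. All ids
below are constructed placeholders, not real Microsoft GUIDs.
"""

# The five application permissions this guide asks for (from the table above).
REQUIRED_APP_PERMISSIONS = frozenset({
    "Alert.Read.All",
    "Machine.Read.All",
    "SecurityRecommendation.Read.All",
    "Vulnerability.Read.All",
    "AdvancedQuery.Read.All",
})

# Constructed stand-in for the WindowsDefenderATP service principal
# (GET /servicePrincipals?$filter=displayName eq 'WindowsDefenderATP').
DEFENDER_SP = {
    "id": "sp-defender-0001",      # object id; appears in appRoleAssignments.resourceId
    "appId": "app-defender-0001",  # app id; appears in requiredResourceAccess.resourceAppId
    "displayName": "WindowsDefenderATP",
    "appRoles": [
        {"id": "role-alert-read", "value": "Alert.Read.All"},
        {"id": "role-machine-read", "value": "Machine.Read.All"},
        {"id": "role-machine-rw", "value": "Machine.ReadWrite.All"},
        {"id": "role-secrec-read", "value": "SecurityRecommendation.Read.All"},
        {"id": "role-vuln-read", "value": "Vulnerability.Read.All"},
        {"id": "role-hunt-read", "value": "AdvancedQuery.Read.All"},
    ],
}

# Constructed app registration manifest excerpt for "SecurAtlas Integration".
# In Graph, type "Role" is an application permission, "Scope" a delegated one.
APP_REGISTRATION = {
    "displayName": "SecurAtlas Integration",
    "requiredResourceAccess": [
        {
            "resourceAppId": "app-defender-0001",
            "resourceAccess": [
                {"id": "role-alert-read", "type": "Role"},
                {"id": "role-machine-read", "type": "Role"},
                {"id": "role-machine-rw", "type": "Role"},    # broader than the guide needs
                {"id": "role-secrec-read", "type": "Role"},
                {"id": "role-vuln-read", "type": "Role"},
                {"id": "role-hunt-read", "type": "Scope"},    # added as delegated by mistake
            ],
        },
        # Permissions on other APIs are ignored by the audit below.
        {"resourceAppId": "app-graph-0001",
         "resourceAccess": [{"id": "role-other", "type": "Role"}]},
    ],
}

# Constructed admin-consent grants on the app's own service principal
# (GET /servicePrincipals/{id}/appRoleAssignments). Two requested roles were
# never consented.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "role-alert-read", "resourceId": "sp-defender-0001"},
    {"appRoleId": "role-machine-read", "resourceId": "sp-defender-0001"},
    {"appRoleId": "role-secrec-read", "resourceId": "sp-defender-0001"},
]


def audit_defender_permissions(app, defender_sp, assignments,
                               required=REQUIRED_APP_PERMISSIONS):
    """Compare requested and consented Defender permissions with `required`.

    Returns a dict of sorted lists:
      missing        required application permissions not requested as "Role"
      delegated      required names requested as "Scope" instead of "Role"
      not_consented  requested application permissions with no admin-consent grant
      excess         requested application permissions outside the required set
    """
    role_name = {r["id"]: r["value"] for r in defender_sp["appRoles"]}
    requested_app, requested_delegated = set(), set()
    for rra in app.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != defender_sp["appId"]:
            continue
        for access in rra["resourceAccess"]:
            name = role_name.get(access["id"], access["id"])
            (requested_app if access["type"] == "Role" else requested_delegated).add(name)

    consented = {
        role_name.get(a["appRoleId"], a["appRoleId"])
        for a in assignments
        if a["resourceId"] == defender_sp["id"]
    }
    return {
        "missing": sorted(required - requested_app),
        "delegated": sorted(required & requested_delegated),
        "not_consented": sorted(requested_app - consented),
        "excess": sorted(requested_app - required),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_defender_permissions(
        APP_REGISTRATION, DEFENDER_SP, APP_ROLE_ASSIGNMENTS), indent=2))
```

Run against the constructed sample, the audit flags `AdvancedQuery.Read.All` as both missing and delegated (it was added under the wrong tab), `Vulnerability.Read.All` and `Machine.ReadWrite.All` as requested but not consented, and `Machine.ReadWrite.All` as excess over the read-only set this integration needs. An empty result in all four lists is what you want to see before moving on to the verification step.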
Verify Defender is Working
After the next sync, check the integration hub in SecurAtlas. You should see entity types including:
- defender_device (your enrolled endpoints)
- defender_alert (active security alerts)
- defender_vulnerability (CVEs affecting your devices)
Findings Generated
| Finding | Trigger |
|---|---|
| defender_at_risk_device | Devices with High or Critical risk score |
| defender_critical_alert | Active critical security alerts |
| defender_high_alert | Active high severity alerts |
| defender_unpatched_critical_vuln | Critical CVEs with public exploits |
| defender_low_secure_score | Defender Secure Score below 50 |
| defender_no_av_signature | Devices with outdated AV signatures |