- Incident Responder Release Notes
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam Cloud Search Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Joe Security Joe Sandbox Service Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
Configure the Microsoft Windows Defender ATP Service
Configure Microsoft Windows Defender Advanced Threat Protection (ATP) as a service to gather information about entities and artifacts, manage files and applications on a host, and use other Microsoft Windows Defender ATP actions.
Last updated: March 22, 2023
Get access to the Microsoft Defender for Endpoints API: create an Azure Active Directory (AAD) application, get an access token to Microsoft Defender for Endpoint, then validate the token.
When you create the AAD application, ensure you complete certain tasks if your Microsoft Exchange Online account uses OAuth2.0 modern authentication and assign specific permissions for each action:
Incident Responder action
API delegated permission
Add Tag to Host Windows Defender ATP
Collect Investigation Package Windows Defender ATP
Find Devices for User Windows Defender ATP
Get Device Info Windows Defender ATP
Get File Information Windows Defender ATP
Get IP Information Windows Defender ATP
Get Investigation Package SAS URI Windows Defender ATP
Get Logged On Users Windows Defender ATP
Get URL Domain Information Windows Defender ATP
Hunt Domain Windows Defender ATP
Hunt File Windows Defender ATP
Quarantine Host Windows Defender ATP
Find Alerts for Device
Find Alerts for Domain Windows Defender ATP
Find Alerts for File Windows Defender ATP
Find Alerts for IP Windows Defender ATP
Find Alerts for Machine Windows Defender ATP
Find Alerts for User Windows Defender ATP
Offboard Machine Windows Defender ATP
Un quarantine Host Windows Defender ATP
Remove App Restriction Windows Defender ATP
Remove Tag from Host Windows Defender ATP
Restrict App Execution Windows Defender ATP
Scan Host Windows Defender ATP
Stop and Quarantine File Windows Defender ATP
Create an application secret.
In the sidebar, click SETTINGS
, then select Core.Under SERVICE INTEGRATIONS, select Services.
Select a service:
To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.
To manually provide the relevant information for a service, click Configure a new service
.To view all actions for a service, hover over a service, then click the information icon
.
Enter information about the service:
Service Name – Enter a unique name for the service. By default, the service name is Windows Defender ATP.
(Optional) Description – Describe the service.
(Optional) Owner – Enter the email address of the person or group responsible for the service.
Tenant ID – Enter the directory (tenant) ID you noted when you created the AAD application.
Client ID – Enter the application (client) ID you noted when you created the AAD application.
Secret – Enter the application secret you previously created.
To validate the source, select TEST CONNECTIVITY.
Click CREATE SERVICE.