API & Integrations - Microsoft Defender for Endpoint

This article contains information on integrating Microsoft Defender with the Human Risk Platform to enhance malware behavior scoring, including setup, technical requirements, and FAQs about deployment and functionality.

Overview

The integration between Mimecast's Human Risk Platform and Microsoft Defender for Endpoint strengthens human risk scoring by adding a new signal: users' interaction with malware on their devices. Security awareness practitioners can then send users training and other information based on their malware-associated behavior.

The Integration periodically reads endpoint protection alerts from Microsoft via API. These are forwarded to the Human Risk Platform, which associates each event with a user and updates that user's malware behavior score.

How it works

Mimecast pulls security alerts from the Microsoft Graph endpoint /v1.0/security/alerts_v2, filtered to serviceSource microsoftDefenderForEndpoint and scoped by the alert's last-updated timestamp (lastUpdateDateTime), so each poll fetches only alerts that changed since the previous one. The malware score is based on the severity of each alert. All malware events are displayed in the event log, but only alerts that are both closed and classified as a true positive (in alerts_v2 terms, status resolved and classification truePositive) are scored against the user's malware behavior score. An alert that is still open, or that an analyst closes as a false positive, therefore appears in the event log without changing the score.

Prerequisites

  • You have access to the Human Risk Command Center, via Email Security - MX or Engage.
  • Microsoft Defender for Endpoint license. Availability as of publishing is listed below; up-to-date licensing guidance is available from Microsoft.
    • Microsoft Defender for Endpoint Plan 1.
      • Microsoft Defender for Endpoint P1 is available as a standalone user subscription license and as part of Microsoft 365 E3/A3/G3.
    • Microsoft Defender for Endpoint Plan 2.
      • Microsoft Defender for Endpoint P2 is available as a standalone license and as part of the following plans:
        • Windows 11 Enterprise E5/A5.
        • Windows 10 Enterprise E5/A5.
        • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5).
        • Microsoft 365 E5/A5/G5/F5 Security.
        • Microsoft 365 F5 Security & Compliance.
  • Mimecast Administrator account.

Permissions

The integration can be configured by administrators holding one of the following roles (a custom role must have Integrations Marketplace Read and Write permissions enabled):

  • Global Sys Admin
  • Sys Admin - SD Full
  • Super Administrator
  • Full Administrator
  • Basic Administrator
  • Partner Administrator
  • Custom Role with Integrations Marketplace (Read/Write permissions must be enabled.)

Configuration

The Integration is configured in the Integration Marketplace, which at time of launch should only be visible to users with Engage. To configure it, follow the steps below:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Integrations | Integrations Hub and click Configure New.

Navigating to the Integrations Hub in the Mimecast Administration Console

  3. Enter an Application Name and Description. Click Authorize.

Authorize button selected in the Microsoft Defender for Endpoint integration setup

  4. You will be directed to the Microsoft sign-in page. Click Use another account.
  5. Enter the username and password. Click Next | Sign in | Accept. The Accept step grants the Mimecast application the Microsoft Graph permissions listed in the consent prompt, so review them before accepting. Reading alerts_v2 requires SecurityAlert.Read.All (or SecurityAlert.ReadWrite.All), which needs admin consent; sign in with a Microsoft account that is able to grant it.

Microsoft login process and permissions requested for the integration

  6. Initially, the Integration status will display as Unavailable. Refresh the page to show the Connected status.

Microsoft Defender for Endpoint status page displaying status of integrations

  7. To view, edit, or delete an Integration, click the ellipsis in the right-hand corner.

View/Edit and Delete options in the Microsoft Defender for Endpoint status page

  8. To view events and security scores from Defender for Endpoint, navigate to the Human Risk section and expand the Malware category below Human Risk Behaviors.

Human Risk Command Center Dashboard

     Each scored alert adds to the user's malware behavior score according to its severity:

     • Low severity alerts score 2.5
     • Medium severity alerts score 5
     • High severity alerts score 7.5
     • Critical severity alerts score 10

  9. To view the Malware score for each user, click Risk Analysis in the left side panel.

Risk Analysis displayed for a selected user

  10. Click on the user to view the Individual Risk Profile.

Individual Risk Profile displayed for a selected user

  11. To view an example event, click Events.

Viewing Events for a selected user

  12. Click on one event to view additional details (username, title of the event, etc.).
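The following is an added example, not Mimecast's code, that shows the pull-and-score flow described under "How it works" together with the severity weights listed in step 8 above. It builds the alerts_v2 request (serviceSource filter plus a lastUpdateDateTime watermark), then runs the scoring rule over a constructed alerts_v2 response page: every alert becomes an event-log row, but only alerts with status resolved and classification truePositive add their severity weight to the user's score. The Graph request is only built, never sent, so the script runs offline. Assumptions, also marked in the code: the exact filter expression, the attribution of an alert to a user through its userEvidence item's userPrincipalName (the article does not say how Mimecast performs that mapping), and the "critical" tier, which the article lists even though the alerts_v2 severity enum is informational/low/medium/high.

```python
"""Added example (not Mimecast's code): the pull-and-score flow this article
describes, run offline against a constructed alerts_v2 response page.
The Graph request is only built, not sent. Assumptions are marked below."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# Weights from this article's severity list. The alerts_v2 'severity' enum is
# informational/low/medium/high; the 'critical' tier is kept because the
# article lists one (assumption: it is mapped from a higher tier upstream).
SEVERITY_SCORE = {"low": 2.5, "medium": 5.0, "high": 7.5, "critical": 10.0}

# Constructed timestamp of the previous poll (used by the usage section).
EXAMPLE_SINCE = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def build_alerts_request(since: datetime) -> str:
    """alerts_v2 URL filtered to Defender for Endpoint alerts updated after `since`.
    Assumption: the article names the filter fields, not the exact expression."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = ("serviceSource eq 'microsoftDefenderForEndpoint' "
           f"and lastUpdateDateTime gt {stamp}")
    return f"{GRAPH_ALERTS_URL}?{urlencode({'$filter': flt})}"


def is_scorable(alert: dict) -> bool:
    """Closed true positives only: in alerts_v2 a closed alert has status
    'resolved'; the analyst's verdict is carried in 'classification'."""
    return (alert.get("status") == "resolved"
            and alert.get("classification") == "truePositive")


def alert_user(alert: dict) -> str | None:
    """Attribute the alert to a user.

    Assumption: use the first userEvidence item's userPrincipalName. The
    article does not describe how Mimecast performs this mapping."""
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type") == "#microsoft.graph.security.userEvidence":
            upn = (ev.get("userAccount") or {}).get("userPrincipalName")
            if upn:
                return upn.lower()
    return None


def score_alerts(alerts: list[dict]) -> tuple[dict[str, float], list[dict]]:
    """Return (malware score per user, event-log rows).

    Every alert becomes an event-log row; only scorable, attributable alerts
    add their severity weight to the user's score."""
    scores: dict[str, float] = defaultdict(float)
    events: list[dict] = []
    for a in alerts:
        user = alert_user(a)
        scored = is_scorable(a) and user is not None
        events.append({"id": a.get("id"), "title": a.get("title"), "user": user,
                       "severity": a.get("severity"), "scored": scored})
        if scored:
            scores[user] += SEVERITY_SCORE.get(str(a.get("severity", "")).lower(), 0.0)
    return dict(scores), events


def _user_evidence(upn: str) -> dict:
    return {"@odata.type": "#microsoft.graph.security.userEvidence",
            "userAccount": {"userPrincipalName": upn}}


# Constructed sample page shaped like an alerts_v2 response (not real data).
SAMPLE_PAGE = {"value": [
    {"id": "alert-0001", "title": "Suspicious PowerShell download", "severity": "high",
     "status": "resolved", "classification": "truePositive",
     "evidence": [_user_evidence("alice@example.com")]},
    {"id": "alert-0002", "title": "Malware detected", "severity": "medium",
     "status": "new", "classification": "unknown",             # still open: log only
     "evidence": [_user_evidence("alice@example.com")]},
    {"id": "alert-0003", "title": "Tooling flagged by AV", "severity": "high",
     "status": "resolved", "classification": "falsePositive",  # closed FP: log only
     "evidence": [_user_evidence("bob@example.com")]},
    {"id": "alert-0004", "title": "Adware installed", "severity": "low",
     "status": "resolved", "classification": "truePositive",
     "evidence": [_user_evidence("bob@example.com")]},
    {"id": "alert-0005", "title": "Server-side detection", "severity": "medium",
     "status": "resolved", "classification": "truePositive",
     "evidence": []},                                          # no user: log only
]}

if __name__ == "__main__":
    print(build_alerts_request(EXAMPLE_SINCE))
    scores, events = score_alerts(SAMPLE_PAGE["value"])
    for e in events:
        print(f"{e['id']}  scored={e['scored']!s:5}  user={e['user']}  {e['title']}")
    print(scores)  # {'alice@example.com': 7.5, 'bob@example.com': 2.5}
```

Of the five constructed alerts, only two change a score: alice's closed high-severity true positive (7.5) and bob's closed low-severity true positive (2.5). The open alert, the closed false positive and the alert with no user evidence all appear in the event log without being scored, which is the behaviour the "How it works" section describes. In a real poll, the lastUpdateDateTime watermark should be persisted between runs and advanced only after a page has been processed, so that an alert whose classification changes after it was first seen is re-read and scored.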
