
A step-by-step guide to visualizing your Microsoft Defender data with SquaredUp dashboards.
Microsoft Defender does a great job protecting you and your organization from online threats. It is constantly working to detect and collect security data so you don’t have to worry about falling behind on incidents and vulnerabilities. The Defender portal can also provide great insights into that data, but connecting it to the rest of your stack is difficult. For IT admins and security teams, information is helpful, but without context, these monitors, notifications, and security scores are living in isolation. Getting a full picture of your organization’s security posture requires you to bounce back and forth between different tools, wasting valuable time and resources.
That’s where SquaredUp’s Defender plugin comes in. It makes it easy for you to place your Defender data alongside the rest of your stack, all at your fingertips. Custom visualizations and out-of-the-box dashboards mean that you can get insights in minutes, without the headaches caused by scattered resources. Trend your Secure Score over time, contextualize security data, and write Advanced Hunting KQL queries to surface whatever your team needs.
If you don't already have a SquaredUp account, no problem. Just sign up for our Free Forever tier and you can be dashboarding in a few minutes. From there, connecting to the Defender plugin is quick and easy.
First, you must add the data source. In the search box, just look for Defender, and the plugin should appear:

Client credentials are required to configure this plugin. Follow the same steps explained in the Microsoft 365 article Configuring App Registration for the Microsoft 365 Plugin.
The following permissions are required to configure your app for Defender:
Once this is completed, fill in the details in the following fields:

Click Test and add to validate the data source configuration. SquaredUp will now attempt to connect using the provided authentication details. If you encounter an error at this step, please refer to the errors and warnings reported on the data source configuration screen. For errors on dashboard tiles, please see our article on Troubleshooting tiles.
Once you have successfully connected to the data source, you can start exploring your imported objects and using your data streams to create data tiles on your dashboards. Take a look at the pre-installed dashboards to see examples of how you can visualize your data.
The following pre-built dashboards are available with this plugin:


There are many data streams installed with the plugin that you can use to craft your own custom Defender tiles. First, the Advanced Hunting Query data stream allows you to query a specified set of data to look for particular threats in your environment. If you have a KQL query to run, you can get that data pulled back and visualized in seconds.
Secure Score History retrieves the current tenant's Secure Score data from the past 90 days, helping you identify trends across your organization. If you want to be proactive about any of your devices, the general Devices data stream returns detailed attributes and properties for a specified device, and you can go further by returning Recommendations and Vulnerabilities data.
But bad stuff happens too, and that’s why you can pull back Alerts to get a list of alert resources created to track an organization’s suspicious activities. The Incidents data stream goes further, returning the incident objects that Microsoft Defender created to track attacks in an organization. You can filter both of these data streams by Severity and Status to match your needs.
Microsoft Defender gives you a powerful lens into your organization’s security posture. SquaredUp lets you take that data out of isolation and place it where it belongs: alongside the rest of your stack.
Most teams running Defender are also running tools for endpoint management, ticketing, and IT operations. With SquaredUp, you can put your Defender alerts and Secure Score on the same dashboard as your infrastructure data from Azure, device health from NinjaOne, or your open tickets from HaloPSA. This way, your team gets the full picture without switching between portals.
If you don't already have an account, sign up for a free account and start building in minutes. And since the Defender plugin is currently in beta, we'd love to hear what you think! Drop your feedback in the SquaredUp Community. Happy dashboarding!