.. _ms-defender-overview-sync:

Microsoft Defender setup, sync, and overbuild
----------------------------------------------

.. _25.3|VOSS-1507:

:bdg-primary:`Microsoft` 


Automate provides a consolidated view and management of the Microsoft Defender suite,
including the partitioning of and role-based access to Microsoft tenant data.




Setup
......

Perform these tasks to enable and use Microsoft Defender: 


1. Set **Enable Defender for Office** and/or **Enable Defender for Endpoint** to *Yes* in the Global Settings. 

   .. raw:: latex

      See Global Settings in the Core Feature Guide

   .. raw:: html
  
      See <a href="concepts-global-settings.html">Global Settings</a>

   Once enabled, a **Security Management** menu is added to the GUI. The menu contains Defender-related 
   submenus and management dashboards.  
   
   For details, see the *Microsoft Defender management* topic below.

2. Configure a Microsoft tenant in Automate.

   This configuration syncs Microsoft Defender data from the tenant into Automate.
   Refer to the collection and sync details below.

   .. raw:: latex

      See Microsoft tenant setup in the Core Feature Guide

   .. raw:: html
  
      See <a href="microsoft/ms-tenant-setup.html">Microsoft tenant setup</a>


Data collection and sync
...........................

When a tenant configuration for Microsoft Defender is saved, Automate:

* Creates a data collection instance in Automate that is then synced from the tenant.

  For example, when Defender for Endpoint is enabled, a ``data/DataCollection`` instance
  named **Defender for Endpoint Data Collection <hierarchy name>** is created. It
  collects all instances of the following models from the tenant in one batch:
  
  * ``device/msgraphsecurity/SecureScore``
  * ``device/msgraphsecurity/Alert``
  * ``device/msgraphsecurity/Incident``
  * ``device/mssecurity/Machine``
  * ``device/mssecurity/MachineAction``
  * ``device/mssecurity/ExposureScoreByMachineGroups``

..  uncomment for 25.4:A **Filter** field is also available to be applied when collecting the records,
    in accordance with the device model in question.

* Syncs Microsoft Defender collection data to Automate and creates sync schedules.

  Microsoft Defender data is synced to the tenant hierarchy.

  The schedules are created according to the Microsoft Defender suite items enabled in
  Global Settings and by default run every 30 minutes. Each schedule syncs the data of
  its associated collection as a batch.

  Each created schedule has the **Resource Type** ``data/DataCollection``, and its selected
  **Resource** is named in one of these formats:
  
  * **Defender for Endpoint Data Collection <hierarchy name>**
  * **Defender for Office Data Collection <hierarchy name>**
  
  The collected data at the tenant hierarchy is then also available when
  Overbuild for Microsoft is run to partition and move the data to the
  relevant sites in Automate.

  .. note::

     The default **MSOLUser** data collection does not apply the **Create Standalone Records** setting,
     since this collection is used only for the Insights database, which provides time series data for trends and charting.

     .. image:: /src/images/msft-data-collection-msoluser.png     

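The collection and schedule behaviour described above, as an added example that is not part of this page or of Automate's own code: a paginated batch collector over the public Microsoft Graph Security and Defender for Endpoint APIs that back the listed models, plus the incremental filter a 30-minute schedule would use. The mapping from Automate model names to API URLs, the use of ``lastUpdateDateTime`` as the filter field, and the sample pages are assumptions constructed for the example.

```python
"""Paginated batch collection of the Microsoft security APIs behind the
data collection models listed above. Added example, not VOSS Automate code:
the URL paths are the public Microsoft Graph Security and Defender for
Endpoint endpoints; that Automate calls exactly these is an assumption."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
MDE = "https://api.securitycenter.microsoft.com/api"

# Automate model name -> collection URL (assumed mapping, see lead-in)
COLLECTION_URLS: Dict[str, str] = {
    "device/msgraphsecurity/SecureScore": f"{GRAPH}/security/secureScores",
    "device/msgraphsecurity/Alert": f"{GRAPH}/security/alerts_v2",
    "device/msgraphsecurity/Incident": f"{GRAPH}/security/incidents",
    "device/mssecurity/Machine": f"{MDE}/machines",
    "device/mssecurity/MachineAction": f"{MDE}/machineactions",
    "device/mssecurity/ExposureScoreByMachineGroups": f"{MDE}/exposureScore/ByMachineGroups",
}

# A fetcher takes a URL and returns the decoded JSON body of a GET on it.
# In production it wraps an HTTP client carrying a bearer token; here it is
# injected so the collection logic can run offline against constructed pages.
Fetcher = Callable[[str], dict]


def collect_all(fetch: Fetcher, url: str, max_pages: int = 1000) -> List[dict]:
    """Follow @odata.nextLink to the last page, de-duplicating by ``id``.

    Records can shift between pages while a large collection is being read,
    so an id may appear twice. The page cap stops an endpoint that keeps
    returning a next link from turning one sync run into an endless loop."""
    seen: Set[str] = set()
    records: List[dict] = []
    next_url = url
    for _ in range(max_pages):
        page = fetch(next_url)
        for item in page.get("value", []):
            key = item.get("id")
            if key is not None:
                if key in seen:
                    continue
                seen.add(key)
            records.append(item)
        next_url = page.get("@odata.nextLink")
        if not next_url:
            return records
    raise RuntimeError(f"pagination did not terminate after {max_pages} pages: {url}")


def collect_batch(fetch: Fetcher, urls: Dict[str, str]) -> Tuple[Dict[str, List[dict]], Dict[str, str]]:
    """Collect every model of one data collection in a batch.

    A failing endpoint is reported per model instead of aborting the batch,
    so an outage on one API does not leave the other models stale."""
    results: Dict[str, List[dict]] = {}
    errors: Dict[str, str] = {}
    for model, url in urls.items():
        try:
            results[model] = collect_all(fetch, url)
        except Exception as exc:  # record and carry on with the next model
            errors[model] = f"{type(exc).__name__}: {exc}"
    return results, errors


def incremental_filter(last_run: datetime, field: str = "lastUpdateDateTime",
                       overlap: timedelta = timedelta(minutes=5)) -> str:
    """OData $filter expression for records changed since the previous
    scheduled run. ``last_run`` must be timezone-aware. Overlapping the
    previous window by a few minutes tolerates clock skew and late-indexed
    records; the id de-duplication in collect_all absorbs the repeats.
    The filter field name is an assumption for this example."""
    since = (last_run - overlap).astimezone(timezone.utc)
    return f"{field} ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')}"


def make_fetcher(pages: Dict[str, dict]) -> Fetcher:
    """Offline stand-in for an authenticated HTTP GET (constructed data)."""
    def fetch(url: str) -> dict:
        if url not in pages:
            raise LookupError(f"no sample page for {url}")
        return pages[url]
    return fetch


ALERTS = f"{GRAPH}/security/alerts_v2"
# Constructed sample pages: two alert pages that overlap on one record.
SAMPLE_PAGES: Dict[str, dict] = {
    ALERTS: {
        "value": [{"id": "a1", "severity": "high"}, {"id": "a2", "severity": "low"}],
        "@odata.nextLink": f"{ALERTS}?$skiptoken=p2",
    },
    f"{ALERTS}?$skiptoken=p2": {
        "value": [{"id": "a2", "severity": "low"}, {"id": "a3", "severity": "medium"}],
    },
    f"{GRAPH}/security/incidents": {"value": [{"id": "i1", "status": "active"}]},
}

if __name__ == "__main__":
    fetch = make_fetcher(SAMPLE_PAGES)
    results, errors = collect_batch(fetch, COLLECTION_URLS)
    print({model: len(recs) for model, recs in results.items()})
    print("failed models:", sorted(errors))
    print(incremental_filter(datetime.now(timezone.utc)))
```

Running the block collects three distinct alerts from the two overlapping pages and one incident, and reports the four models that have no sample page as per-model errors rather than failing the whole batch.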

.. rubric:: Related topics

* 
  .. raw:: latex
 
     Overbuild for Microsoft in the Core Feature Guide
 
  .. raw:: html
 
     <a href="concepts-overbuild-msft-management.html">Overbuild for Microsoft</a>



Microsoft Defender for Office and Endpoint overbuild
.....................................................


Automate's Overbuild for Microsoft allows for the partitioning of the synced Microsoft Defender
data to relevant sites in Automate. This includes: 

* Incident alerts
* Quarantine messages
* Microsoft Defender policies

Data partitioning is done according to the **Model Filter Criteria** (MFC) created during tenant setup.

For details on Microsoft Defender for Office and Endpoint overbuild, see: :ref:`overbuild-by-mfc`.


Managing Microsoft Defender data
..................................

Microsoft Defender data can be viewed in Automate dashboards for further analysis,
and managed from the policy, incident, and alert management interfaces.


* :ref:`ms-defender-for-office`
* :ref:`ms-defender-for-endpoint`

