
New Defender Plugin#55

Merged: jame2O merged 50 commits into main from work/jd/defender on Jun 12, 2026

Conversation

@jame2O (Contributor) commented Jun 1, 2026

🔌 Plugin overview

  • Plugin name: Microsoft Defender for Endpoint
  • Purpose / problem solved: Connects to the Microsoft Graph API to access security (defender for endpoint) based data
  • Primary audience (e.g. platform teams, SREs, product teams): IT Administrators / Security Teams & Specialists
  • Authentication method(s) (e.g. OAuth, Username/Password, API Key): OAuth Client Credentials (ID & Secret)

🖼️ Plugin screenshots

Plugin configuration: (screenshots)

Default dashboards: (screenshots)

🧪 Testing


⚠️ Known limitations

  • No A. Grant OAuth currently - we are using client creds to log in
  • 1 object limit on Recommendations & Vulnerabilities due to performance issues. This may change later down the line. Not acting as a blocker at this time.

📚 Checklist

  • Plugin, datastream and UI naming follow SquaredUp guidelines
  • Logo added
  • One or more dashboards added
  • README added including configuration guidance
  • No secrets or credentials included
  • I agree to the Code of Conduct

@jame2O jame2O requested review from clarkd and vinbab June 1, 2026 07:18
@jame2O jame2O added enhancement New feature or request new-plugin Used to PR newly added plugins labels Jun 1, 2026
@jame2O jame2O marked this pull request as ready for review June 1, 2026 15:00
@jame2O jame2O requested a review from a team June 1, 2026 15:01
Comment thread plugins/MicrosoftDefender/v1/metadata.json
Comment thread plugins/MicrosoftDefender/v1/indexDefinitions/default.json Outdated
Comment thread plugins/MicrosoftDefender/v1/metadata.json
Comment thread plugins/MicrosoftDefender/v1/metadata.json Outdated
Comment thread plugins/MicrosoftDefender/v1/metadata.json Outdated
Comment thread plugins/MicrosoftDefender/v1/metadata.json Outdated

@vinbab (Contributor) left a comment

@jame2O Alerts data stream

  1. Alerts: Error message when Status is New
  Image
  2. Alerts: Timeframe column needs to be on the Timeframe tab
  3. Let's order the columns, mimic the portal, everything else is hidden:
  • Alert name
  • Tags
  • Severity
  • Integration state
  • Status
  • Category
  • Detection source
  • Impacted Assets
  • First activity
  • Last activity
  • Policy name
  • Classification
  • Determination
  • Assigned To
  • Workspace
  • Cloud Scopes
  4. When I change the time column to Last Update Time, I get this error
  Image

@vinbab (Contributor) left a comment

@jame2O change the order of the columns to mimic the portal, and hide everything else:

  • Name
  • IP
  • Criticality
  • Device category
  • Device type
  • Domain
  • Device AAD id
  • Risk Level
  • Exposure level
  • OS platform
  • OS version
  • Sensor health state
  • Onboarding status
  • Discovery sources
  • Last device update
  • Tags
  • Device Role
  • Managed by
  • Managed by status
  • Migration status
  • Cloud platforms

@vinbab (Contributor) left a comment

@jame2O Incidents data stream.

  1. Move the timeframe column to Timeframe tab.
  2. Timeframe options: like in Alerts, not all data/time fields are in the list. Is that a fixed list you are manually populating?
  3. Order the columns like in the portal, hiding all others:
  • Incident name
  • Incident id
  • Priority score
  • Tags
  • Severity
  • Investigation state
  • Categories
  • Impacted assets
  • Active alerts
  • Service sources
  • Detection sources
  • Last update time
  • Last activity
  • Policy name
  • Data sensitivity
  • Status
  • Assigned to
  • Classification
  • Determination
  • Device groups
  • Creation time
  • Workspaces
  • Cloud Scopes

@vinbab (Contributor) left a comment

@jame2O Recommendations data stream:

  1. Can you add the sourceId to the Device Name?
  2. Order the columns like this (hiding all others):
  • Risk description
  • Device Name
  • Timestamp
  • Configuration Name
  • Configuration Category
  • Configuration Subcategory
  • Configuration Impact
  • Remediation Options
  • Is Applicable
  • Is Compliant

@vinbab (Contributor) left a comment

@jame2O Secure Score History

  1. Order the columns like this:
  • Created Date Time
  • Current Score
  • And everything else after
  2. What are the "1 /" and "2 /" columns?

@vinbab (Contributor) left a comment

@jame2O
Order the columns like so:

  • Cve Id
  • Severity
  • CVSS
  • Affected Software
  • Age
  • Published
  • First detected
  • Updated
  • Exposes devices
  • Tags

jame2O and others added 6 commits June 10, 2026 11:47
Updated README.md for Microsoft Defender plugin to clarify authentication requirements, error handling, and dashboard descriptions.
@jame2O jame2O requested review from clarkd and vinbab June 11, 2026 07:34

@vinbab (Contributor) left a comment

@jame2O final tweaks, then I'll Approve

  • device is lowercase in donut. Should be lowercase
  • Change the device icon to:
  Image
  • Update Cockpit from this one on Community Plugin Validation https://app.squaredup.com/dashboard/dash-z4CN8D9bgegxdqNhmqEX

@masokisi masokisi self-requested a review June 12, 2026 09:35

@clarkd (Member) left a comment

All looks good. Happy to not use rawId for now, but worth noting it would be a breaking change in the future.

@jame2O (Contributor, Author) commented Jun 12, 2026

All looks good. Happy to not use rawId for now, but worth noting it would be a breaking change in the future.

Thanks, I've got this in my list of things to add post-release along with better error communication. Thanks for jumping on this so quickly! :)

@github-actions commented

🧩 Plugin PR Summary

📦 Modified Plugins

  • plugins/MicrosoftDefender/v1

📋 Results

Step        Status
Validation  ✅ Passed
Deployment  🚀 Deployed

🔍 Validation Details

microsoft-defender
{
  "valid": true,
  "pluginName": "microsoft-defender",
  "pluginType": "hybrid",
  "summary": {
    "Data Streams": 12,
    "Import Definitions": 1,
    "UI Configuration": true,
    "Has Icon": true,
    "Has Default Content": true,
    "Config Validation": true,
    "Custom Types": true
  }
}

@jame2O jame2O requested a review from vinbab June 12, 2026 10:37
@jame2O jame2O merged commit efb12f9 into main Jun 12, 2026
1 check passed
@jame2O jame2O deleted the work/jd/defender branch June 12, 2026 10:38