Microsoft Intune and Microsoft Defender

Identity and Trust can query Microsoft Entra ID to get identity information based on sign-in events from Microsoft Intune or Microsoft Defender on endpoint computers. When you export sign-in events to Azure Event Hubs, Identity and Trust retrieves identities in a way that minimizes resource usage, reduces time delays, and ensures reliable access to the necessary data.

Prerequisites:

Workflow

  1. An Azure administrator adds Azure API permissions to the Entra ID application that is integrated with Identity and Trust.

  2. An Azure administrator configures Intune or Defender to export logs to the dedicate EventHub in Entra ID.

  3. An administrator of a Security Gateway that is integrated with Identity and Trust makes access control rules based on information from Intune and Defender. Data flow:

    Intune/Defender on the user endpoint computer => Entra ID sign-in logs (from Intune) and/or Entra ID advanced hunting (from Defender) => Azure EventHub => Identity and Trust => Security Gateway.

Comparison of Automatic and Manual Configuration of Intune and Defender

You can integrate Identity and Trust with Intune/Defender manually or automatically. The functionality of an automatic integration and a manual integration is the same.

In an Automatic Integration, an Azure administrator temporarily grants Azure privileges to Check Point. Check Point then makes the necessary configurations on the Azure side (the first two steps in the Workflow above).

In a Manual Integration, an Azure administrator makes the necessary configurations on the Azure side (the first two steps in the Workflow above). In a Manual Integration, you do not need to grant Azure privileges to Check Point.

Automatic Integration of Identity and Trust with Microsoft Intune and Microsoft Defender

  1. In Identity and Trust, from the left toolbar, click Integrations.

  2. In the Integrations section, click the + (plus sign) button.

  3. Select Identity Integrations.

  4. Select Microsoft Intune or Microsoft Defender. If you want to integrate both of them, it does not matter which one you select.

    The Microsoft Intune or Microsoft Defender integration window opens.

  5. Select Automatic.

  6. In Identity and Trust, click the link "First login to your Microsoft Entra ID Account".

    An Entra ID login window opens. The window contains a list of permissions that Check Point requires to perform automatic integration.

  7. Click Accept.

    The Entra ID login window closes. If Entra ID successfully granted permissions to Check Point, a confirmation message appears in the Check Point Portal.

  8. For the Integration Title, enter a title. After you create the integration, this title appears in the Identity and Trust Integrations section.

  9. Select an Entra ID Integration.

  10. Select a Subscription Name.

  11. Select a Resource Group Name.

  12. Optional - If you want to integrate both Intune and Defender, select the relevant checkbox:.

    • In a Microsoft Intune window, select Use this configuration to create Microsoft Defender integration as well.

    • In a Microsoft Defender window, select Use this configuration to create Microsoft Intune integration as well.

  13. Click Test permissions. If the test fails, follow the instructions in the failure message.

  14. Click Save.

    The Microsoft Intune and/or Microsoft Defender integration appears in the gallery.

Manual Integration of Identity and Trust with Microsoft Intune and Microsoft Defender

Keep Identity and Trust and Microsoft Entra ID open throughout this procedure.

  1. In Identity and Trust, from the left toolbar, click Integrations.

  2. In the Integrations section, click the + (plus sign) button.

  3. Select Identity Integrations.

  4. Select Microsoft Intune or Microsoft Defender. If you want to integrate both of them, it does not matter which one you select.

    The Microsoft Intune or Microsoft Defender integration window opens.

  5. Select Manual.

  6. For the Integration Title, enter a title. After you create the integration, this title appears in the Identity and Trust Integrations section.

  7. If there is more than one integration between Microsoft Entra ID and Identity and Trust, select an Entra ID Integration. If there is only one integration, this field is automatically filled and cannot be changed.

  8. Optional - If you want to integrate both Intune and Defender, select the relevant checkbox at the bottom of the window.

    • In a Microsoft Intune window, select Use this configuration to create Microsoft Defender integration as well.

    • In a Microsoft Defender window, select Use this configuration to create Microsoft Intune integration as well.

  9. Keep Identity and Trust open.

Watch the Video

  1. Open the Microsoft Entra ID application that you integrated with the Check Point Portal.

  2. In the left menu, expand Manage and click API permissions.

  3. In the Configured permissions section, click Add a permission.

    The Request API permissions window opens.

  4. Select Application permissions.

  5. Add a permission to the application:

    1. In the search bar below Select permissions, search for deviceManage.

    2. Expand DeviceManagementManagedDevices.

    3. Select DeviceManagementManagedDevices.Read.All.

  6. If you use Defender to send login events from endpoint computers, add another permission to the application:

    1. In the search bar below Select permissions, search for threat.

    2. Expand ThreatHunting.

    3. Select ThreatHunting.Read.All.

  7. Click Add permissions.

  8. In the Configured permissions section, click Grant admin consent for Check Point Software Technologies.

  9. In the confirmation window, click Yes.

Watch the Video

  1. In the Azure portal, on the homepage, in the Azure services section, open Event Hubs.

  2. In the table, open the Namespace that you want to use for the application.

  3. On the vertical toolbar, make sure the Overview tab is selected.

  4. From the horizontal toolbar, click Event Hub to create a new Event Hub.

    The Create Event Hub wizard open.

  5. In the Create Event Hub wizard:

    1. Set the value of the Partition count to 2 or greater.

    2. Complete the rest of the wizard according to your organization's requirements.

      The new Event Hub appears in the Event Hubs section at the bottom of the Azure portal.

  6. Copy the name of the Event Hubs Namespace from the top left of the Azure portal. Paste this value into the Namespace Name field in Identity and Trust.

  7. Copy the name of the relevant Event Hub from the Event Hubs table at the bottom of the Azure portal. Paste this value into the Eventhub Name field in Identity and Trust.

  8. At the bottom of the Azure portal, in the Event Hubs section, click the name of the Event Hub that you created.

    The Event Hubs Instance screen opens.

  9. From the horizontal toolbar, click Consumer group.

    The Create consumer group window opens.

  10. In the Create consumer group window:

    1. Enter a name for the consumer group.

    2. Click Create.

      The new consumer group appears in the Consumer groups section at the bottom the Azure portal.

  11. Copy the name of the new consumer group from the Azure portal. Paste it into the Consumer Group Name field in Identity and Trust.

  12. In the Azure portal, from the left toolbar, click Access control (IAM).

  13. From the top toolbar click Add, and then click Add role assignment

    The Add role assignment window opens.

  14. In the Add role assignment window:

    1. In the Roles tab:

      1. In the Job function roles section, search for receiver.

      2. Select Azure Event Hubs Data Receiver.

    2. In the Add role assignment window, in theMembers tab:

      1. For Assign access to, select User, group, or service principal.

      2. Click Select members.

        The Select members window opens.

      3. In the Select members window, search for the Microsoft Entra ID application you created for Identity and Trust.

      4. In the search results, select the application.

      5. At the bottom of the Select members window, click Select.

    3. In the Add role assignment window, in the Conditions tab, do not change the default configurations.

    4. In the Add role assignment window, in the Review + assign tab, make sure the configuration is correct and then click the Review + assign button at the bottom of the window.

For more information, see Authorize access to Event Hubs with Azure Active Directory in Microsoft documentation.

Watch the Video

  1. On the Microsoft Entra ID homepage, in the search bar, search for Storage Account.

  2. In the Services section of the search results, click Storage accounts.

  3. Open the storage account that you want to use for Identity and Trust.

  4. In Identity and Trust, enter the name of the storage account into the Storage Account Name field.

  5. In Entra ID, in the storage account window, from the left toolbar, open the Access Control (IAM) tab.

  6. In the storage account window, from the top toolbar, click Add and then click Add role assignment.

    The Add role assignment window opens.

  7. In the Add role assignment window:

    1. In the Roles tab:

      1. Select Job function roles.

      2. In the search bar, search for owner.

      3. Click Storage Blob Data Owner.

    2. In the Members tab:

      1. Click + Select members.

        The Select members window opens.

      2. In the Select members window, in the search bar, enter the name of the Microsoft Entra ID application you created for Identity and Trust.

      3. In the search results, select the application.

      4. Click Select.

        The Select members window closes. The application appears in the Members tab in theAdd role assignment window.

    3. In the Conditions tab, do not change default settings.

    4. In the Review + assign tab, make sure the configuration is correct and then click the Review + assign button at the bottom of the window.

You can integrate Intune and/or Microsoft Defender.

Watch the Video

  1. In the Azure portal, in the search bar, search for "sign-in".

  2. Click Sign-in logs.

    The Sign-in events window opens.

  3. From the top toolbar, click Export Data Settings.

  4. Click Add diagnostic setting.

  5. Enter a name in the Diagnostic setting name field.

  6. In the Logs section, select SigninLogs.

  7. In the Destination details section, select Stream to an event hub.

  8. For Event hub namespace, select the Namespace that you use for the Identity and Trust application.

  9. In the Diagnostic setting window, from the top toolbar, click Save.

For more information, see How to stream activity logs to an Event Hub in Microsoft documentation.

Watch the Video

  1. In a web browser, go tosecurity.microsoft.com and log in to your account.

  2. From the left toolbar, click Settings.

  3. In the table, click Microsoft Defender XDR.

  4. In the General section, click Streaming API.

  5. In the Streaming API section, click + Add.

    The Add new Streaming API settings window opens.

  6. In theName field, enter a name.

  7. Select Forward events to Event Hub.

  8. In a separate browser tab, open the Azure portal and do these steps:

    1. In the search bar, search for "event hubs".

    2. Open the Event Hub that you use for the Microsoft Entra ID application that you created for Identity and Trust.

    3. In the Event Hub window, in the left toolbar, expand Settings and click Properties.

    4. In the Essentials section, copy the ID string.

    5. Keep the Azure portal open.

  9. At security.microsoft.com, in the Add new Streaming API settings window, paste the ID string you copied from the Azure portal into the Event Hub Resource ID field.

  10. In the Azure portal Event Hub window:

    1. From the left toolbar, click Overview.

    2. At the bottom of the screen, in the Event Hubs table, copy the name of the Event Hub that you use for the Microsoft Entra ID application that you created for Identity and Trust.

  11. At security.microsoft.com, in the Add new Streaming API settings window:

    1. Paste the name that you copied from the Azure portal into the Event-Hub name field.

    2. In the Event Types section, expand Devices.

    3. Select DeviceNetworkInfo.

    4. Select DeviceLogonEvents.

    5. Click Submit.

  1. In Identity and Trust, click Test connectivity to verify the connection between your Identity and Trust account and your Microsoft Entra ID account.

    • If the test passes, then Connectivity test successful shows.

    • If the test fails, a warning message appears that highlights the problematic field in red.

  2. Click Save.

    The Microsoft Intune and/or Microsoft Defender integration appears in the gallery. After a few hours, Intune/Defender starts sending events to the Azure EventHub, which then sends them to Identity and Trust.