Rule Synopsis
The API for MS Defender for Endpoint returns limited attributes about each endpoint device. For example:
- The API does not return Manufacturer or Model information for each device record.
- The API does return Operating System and Operating System Version; however, customers may notice that the quality of these attributes is better in Entra ID than in MS Defender for Endpoint.
To compensate for this, CI Sync provides an option for customers to enrich the Defender for Endpoint device data (payloads) with attribute data from Entra ID. Note: This only works for devices that are AAD enrolled.
Rule Details
- By default, CI Sync does not read the Manufacturer or Model attributes shown in the table below from MS Defender for Endpoint (because the API does not return these attributes). Therefore, CIs in the CMDB will not contain data in those attributes.
- By default, CI Sync does read the Operating System and Operating System Version from the MS Defender for Endpoint API (and therefore populates CIs in the CMDB with the data in those attributes from MS Defender for Endpoint).
Override Options
Context
Customers may consider using data in Entra ID, for the attributes shown in the above table, to populate CIs in the CMDB.
Options
- Customers can turn on enrichment (i.e. override the default behaviour) to instruct CI Sync to populate the attributes from Entra ID.
- Customers can further influence CI Sync for each attribute shown in the table above. That is:
  - Customers can enrich the Manufacturer only.
  - Customers can enrich the Model ID and Model Number only.
  - Customers can enrich the OS only.
  - Customers can enrich the OS Version only.
  - Or customers can enrich any combination of the above attributes.
Overriding via Connection Settings
Customers can perform the override using a “Connection Setting” via the CI Sync User Interface (i.e. customers can perform the overrides themselves). Additional information for this is available via the following documentation:
- For a general overview of CI Sync Connection Settings please read Understanding the use of CI Sync Connection Settings.
- For the specific CI Sync Connection Setting/s related to the rule described on this page please read Enrich Defender for Endpoint Device Payloads from Entra ID.
For documentation on all CI Sync Connection Settings please visit the page tree Connection Setting Guides.
Additional Information
N/A
Related Rules
Support Model for Rule Overrides
Question: Can overrides be performed by customers without a Syncfish Extended Implementation and Support Plan?
Answer: Yes (via self-service in the CI Sync UI)
Question: Which Syncfish Extended Implementation and Support Plan is required to obtain overrides of this rule?
Answer: Either a Bronze Plan, Silver Plan or Gold Plan (for customers wanting Syncfish assistance to perform overrides of this rule)