Microsoft 365 Defender Integration
Written by Ali Murtaza
Updated over a week ago

About Microsoft 365 Defender

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

The Microsoft Defender for Office 365 offering is part of Microsoft 365 Defender, a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Using the Office 365 integration with SIRP, IR teams can run multiple actions on Office 365 without leaving the SIRP interface. For example, IR teams can use O365 actions within SIRP to run advanced threat hunting queries to detect threats, ingest new incidents into SIRP, or mark incidents as resolved.

Supported Actions

SIRP’s Microsoft Defender (Office 365) integration app allows you to execute the following actions:

1. Advanced hunting

Allows you to execute threat hunting queries.

Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting is based on Kusto query language, supporting the same syntax and operators.

Advanced hunting data can be categorized into two distinct types, each consolidated differently:

  • Event or activity data—populates tables about alerts, security events, system events, and routine assessments.

  • Entity data—populates tables with information about users and devices.

2. Get Incidents

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity.

SIRP ingests O365 incidents into its Incident Management module for the SOC team to take action on.

3. Mark Incident as Resolved

Marks an open incident in O365 as Resolved.

Enable and Configure Microsoft Office 365 Defender API

To integrate Microsoft Office 365 Defender with SIRP:

  • Log in to your Azure Portal.

  • Go to the Azure Active Directory tab.

  • Go to the App registrations option.

  • Click on Add.

Application Registration

Follow the below-mentioned steps to register the application.

  • Set the Name of the application <Configured by the user>.

  • Set the Supported Account type as “Accounts in this organizational directory only.”

  • Set the Redirect URI type to Web and the value to https://security.microsoft.com/.

  • Click on Register.

API Generation

From the application created using the steps mentioned above, copy and save the following IDs from the application Overview:

  • Application (client) ID

  • Directory (tenant) ID

Next, go to the Certificates & Secrets tab and:

  • Add a new client secret.

  • Enter the description.

A new client secret value will be created that proves the identity of the application when it requests a token. Copy the Token Value (App Secret) from the Azure portal as soon as it is created, since the portal shows it only once; it is used later in the SIRP app configuration.

Access the API permission tab to request the API permission. Take the following steps:

  • Click on the Add permission option.

  • Select an API from the APIs your organization uses.

  • Add the Microsoft Office 365 Defender application created using the above steps.

  • Enable the following permissions:

  1. AdvancedHunting.Read.All

  2. CustomDetections.ReadWrite.All

  3. Incident.Read.All

  4. Incident.ReadWrite.All

  • Add the selected permissions by clicking on Add permission.

Finally, select “Grant admin consent for <your organization>” and click Yes.

Configure The SIRP App

  • Log in to SIRP, then go to Apps from the left navigation bar.

  • Locate the Microsoft Defender (Office 365) App.

  • Click on the Toggle button to enable the app.

When you enable the App, you will get an option to add the configuration details. Add the following details and click Save:

  • Host: api.security.microsoft.com

  • Tenant ID: <Generated earlier at Microsoft Office 365 Defender instance>

  • App ID: <Generated earlier at Microsoft Office 365 Defender instance>

  • App-Secret: <Generated earlier at Microsoft Office 365 Defender instance>

After the last step, you should be able to execute the Microsoft Office 365 Defender Actions and create an ingestion source to ingest O365 Incidents.
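The three supported actions described earlier (advanced hunting, getting incidents, marking an incident as resolved) and the Host, Tenant ID, App ID and App-Secret values entered into the SIRP app map directly onto calls to the Microsoft 365 Defender API. The Python client below is an added example written for this page, not SIRP's own app code: it exchanges the registered application's secret for a token with the OAuth 2.0 client-credentials flow, then exercises each action against api.security.microsoft.com. The EmailEvents hunting query is one I wrote for illustration, the RecordingTransport's canned replies are constructed sample data so the script runs offline (pass http_transport instead for a live tenant), and every credential value is a placeholder.

```python
import json
import urllib.parse
import urllib.request

# Values from the SIRP app configuration (Host) and the Azure app registration.
# Tenant ID, App ID and App-Secret used below are constructed placeholders.
HOST = "api.security.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.security.microsoft.com/.default"

# Illustrative hunting query (assumed for this example) over EmailEvents, an
# event/activity table: phishing verdicts by sender domain over the 30-day
# window that advanced hunting retains.
PHISH_BY_SENDER_DOMAIN = """EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish"
| summarize Messages = count() by SenderFromDomain
| order by Messages desc
| take 20"""


def http_transport(method, url, body, headers):
    """Live transport: send the request with urllib and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class RecordingTransport:
    """Offline stand-in for http_transport: records every request and answers
    with constructed sample responses shaped like the API's real replies."""

    def __init__(self):
        self.calls = []  # (method, url, body, headers) tuples, in order

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body, headers))
        if "/oauth2/v2.0/token" in url:
            return {"token_type": "Bearer", "access_token": "constructed-token"}
        if url.endswith("/api/advancedhunting/run"):
            return {"Schema": [{"Name": "SenderFromDomain", "Type": "String"},
                               {"Name": "Messages", "Type": "Int64"}],
                    "Results": [{"SenderFromDomain": "example.test", "Messages": 3}]}
        if "/api/incidents?" in url:
            return {"value": [{"incidentId": 1001, "status": "Active",
                               "incidentName": "constructed sample incident"}]}
        if method == "PATCH" and "/api/incidents/" in url:
            return {"incidentId": 1001, "status": "Resolved"}
        raise ValueError(f"unexpected request: {method} {url}")


def get_token(tenant_id, app_id, app_secret, transport=http_transport):
    """Client-credentials flow: the App-Secret proves the application's identity
    and is exchanged for a bearer token scoped to the Defender API. The token
    carries the application permissions granted at registration
    (AdvancedHunting.Read.All, Incident.Read.All, Incident.ReadWrite.All, ...)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": SCOPE,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    reply = transport("POST", TOKEN_URL.format(tenant=tenant_id), form, headers)
    return reply["access_token"]


def api_call(method, path, token, payload=None, transport=http_transport):
    """One authenticated call against https://<HOST>/api/<path>."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    return transport(method, f"https://{HOST}/api/{path}", body, headers)


def run_hunting_query(token, query, transport=http_transport):
    """Action 1 (Advanced hunting): POST the KQL text; rows come back as dicts
    keyed by the column names listed in the reply's Schema."""
    reply = api_call("POST", "advancedhunting/run", token, {"Query": query}, transport)
    return reply["Results"]


def list_incidents(token, status="Active", transport=http_transport):
    """Action 2 (Get Incidents): list incidents, filtered server-side with OData."""
    flt = urllib.parse.quote(f"status eq '{status}'")
    return api_call("GET", f"incidents?$filter={flt}", token, transport=transport)["value"]


def resolve_incident(token, incident_id, comment, transport=http_transport):
    """Action 3 (Mark Incident as Resolved): PATCH the incident's status."""
    return api_call("PATCH", f"incidents/{incident_id}", token,
                    {"status": "Resolved", "comment": comment}, transport)


if __name__ == "__main__":
    transport = RecordingTransport()  # use http_transport for a live tenant
    tok = get_token("00000000-0000-0000-0000-000000000000",  # Tenant ID placeholder
                    "11111111-1111-1111-1111-111111111111",  # App ID placeholder
                    "app-secret-placeholder", transport)
    for row in run_hunting_query(tok, PHISH_BY_SENDER_DOMAIN, transport):
        print("hunting:", row)
    for inc in list_incidents(tok, "Active", transport):
        print("incident:", inc["incidentId"], inc["incidentName"])
    print("resolved:", resolve_incident(tok, 1001, "Closed from SIRP", transport))
```

The transport is injected so the same client can be exercised without network access; the recording stand-in also makes the exact wire format of each action (token form body, JSON hunting body, OData filter, PATCH payload) visible when troubleshooting a failing SIRP configuration. Keep the App-Secret out of source files and logs; it is the credential that the whole token flow rests on.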
