About Microsoft Defender Suite
With the Microsoft Defender Suite integration, you can ingest alerts and incidents from the entire range of Defender products, enabling centralized monitoring and streamlined responses.
SIRP can also ingest Risky Users and Security Recommendation alerts from Defender, if needed.
Supported Actions
SIRP’s Microsoft Defender Suite integration app allows you to execute the following actions:
ID | Action             | Description
1  | GET ALERTS         | Get new alerts
2  | GET RISKY USERS    | Get risky users
3  | GET RECOMMENDATION | Get recommendation
Enable and Configure Microsoft Defender & Microsoft Graph API
To integrate Microsoft Office 365 Defender with SIRP:
Log in to your Azure Portal.
Go to the Azure Active Directory tab.
Go to the App registrations option.
Click on Add.
Application Registration
Please follow the steps below to register the application.
Set the Name of the application <Configured by the user>.
Set the Supported Account type as “Accounts in this organizational directory only.”
Set the Redirect URL type to Web and the URL to https://security.microsoft.com/.
Click on Register.
API Generation
From the application created using the steps mentioned above, copy and save the following IDs from the application Overview:
Application (client) ID
Directory (tenant) ID
Next, go to the Certificates & Secrets tab and:
Add a new client secret.
Enter the description.
A new client secret value is created; it proves the identity of the application when it requests a token. Copy the secret value (App Secret) from the Azure portal immediately, as it is displayed only once, and keep it for the SIRP app configuration.
Open the API permissions tab to request the API permissions. Take the following steps:
Click on the Add permission option.
Select an API from the APIs your organization uses.
Select WindowsDefenderATP and Microsoft Graph as the APIs to grant permissions for the application registered above.
Enable the following application permissions for Microsoft Graph:
CustomDetection.Read.All
SecurityAlert.Read.All
SecurityEvents.Read.All
SecurityIncident.Read.All
User.Read
IdentityRiskyUser.Read.All (for Risky Users)
IdentityRiskEvent.Read.All (for Risky Users)
Enable the following application permissions for WindowsDefenderATP:
Alert.Read.All
Vulnerability.Read.All
SecurityRecommendation.Read.All (for Recommendations)
Machine.Read.All (for Recommendations)
Add the permissions by clicking on Add permission.
Finally, select “Grant admin consent for <your organization>” and click on Yes.
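Before wiring the secret into SIRP, it is worth confirming that the registration can obtain a token and that the token actually carries the granted roles. The following Python is an added example (not part of SIRP or Microsoft's documentation): it builds the client-credentials token request that SIRP's polling relies on and checks the token's roles claim against the application permissions listed above. The token endpoint, the /.default scope format and the roles claim are standard Azure AD behaviour; the sample token is constructed so the check runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"

# Application permissions the guide grants, grouped by the API that issues them.
REQUIRED_ROLES = {
    GRAPH: {"CustomDetection.Read.All", "SecurityAlert.Read.All",
            "SecurityEvents.Read.All", "SecurityIncident.Read.All",
            "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"},
    "https://api.securitycenter.microsoft.com": {
        "Alert.Read.All", "Vulnerability.Read.All",
        "SecurityRecommendation.Read.All", "Machine.Read.All"},
}

def token_request(tenant_id, app_id, app_secret, resource):
    """Client-credentials POST (URL, form body) for one resource's /.default scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": app_secret, "scope": resource + "/.default"}).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def fetch_token(tenant_id, app_id, app_secret, resource):
    """Request an access token from Azure AD (network call, not run offline)."""
    url, body = token_request(tenant_id, app_id, app_secret, resource)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """'roles' claim of a token we obtained ourselves over TLS. The signature is
    not checked, so never use this to trust a token presented by someone else."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_roles(access_token, resource):
    """Permissions the guide needs for `resource` that admin consent did not grant."""
    return sorted(REQUIRED_ROLES[resource] - token_roles(access_token))

def sample_token(roles, resource=GRAPH):
    """Constructed, unsigned JWT used only to exercise the check offline."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return seg({"alg": "none"}) + "." + seg({"aud": resource, "roles": roles}) + "."
```

Run `missing_roles(fetch_token(tenant, app_id, secret, GRAPH), GRAPH)` with the values copied from the portal; an empty list means admin consent covered every Graph permission, and the same call with the securitycenter resource checks the WindowsDefenderATP side.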
Configure The SIRP App
Next, log in to SIRP, then go to Apps from the left navigation bar.
Locate the Microsoft Defender Suite App.
Click on the Toggle button to enable the app.
When you enable the App, you will get an option to add the configuration details. Add the following details and click Save:
Host: graph.microsoft.com
Tenant ID: <Generated earlier from the portal>
App ID: <Generated earlier from the portal>
App-Secret: <Generated earlier from the portal>
Create and Configure Microsoft Defender Suite Ingestion
To start ingesting alerts from MS Defender through API, you need to create a new ingestion source and enable it.
Go to the Administration section from the left-hand navigation bar.
Go to Apps > Ingestion Sources.
Click on Add Source.
Fill the fields in the popup form as shown in the image above:
Name: MS Defender Suite (this can be any name that distinguishes this ingestion source)
Ingestion Method: API
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Frequency: Every 5 min (SIRP will call the MS Defender and Graph APIs every 5 minutes to check for new alerts)
Opened By: Not Mandatory
Applications: Select the Microsoft Defender Suite application
Configuration: Select the configuration name
Actions: Select GET ALERTS
Format: JSON
Click the Create button to create the new ingestion source.
The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.
Configure the field mapping as shown in the following screenshot and click Save.
To start ingesting RiskyUser from MS Defender through API, you need to create a new ingestion source and enable it.
Go to the Administration section from the left-hand navigation bar.
Go to Apps > Ingestion Sources.
Click on Add Source.
You can also filter Risky Users by using the filter option in the ingestion source.
Fill the fields in the popup form as shown in the image above:
Name: RiskyUser (this can be any name that distinguishes this ingestion source)
Ingestion Method: API
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Frequency: Every 5 min (SIRP will call the Risky Users API every 5 minutes to check for new Risky User alerts)
Opened By: Not Mandatory
Applications: Select the Microsoft Defender Suite application
Configuration: Select the configuration name
Actions: Select GET RISKY USERS
Format: JSON
Click the Create button to create the new ingestion source.
The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender Risky Users with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.
Configure the field mapping as shown in the following screenshot and click Save.
To start ingesting Recommendation from MS Defender through API, you need to create a new ingestion source and enable it.
Go to the Administration section from the left-hand navigation bar.
Go to Apps > Ingestion Sources.
Click on Add Source.
Fill the fields in the popup form as shown in the image above:
Name: Recommendation (this can be any name that distinguishes this ingestion source)
Ingestion Method: API
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Frequency: Every 5 min (SIRP will call the Recommendation API every 5 minutes to check for new Recommendation alerts)
Opened By: Not Mandatory
Applications: Select the Microsoft Defender Suite application
Configuration: Select the configuration name
Actions: Select GET RECOMMENDATION
Format: JSON
Click the Create button to create the new ingestion source.
The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender Recommendation with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.
Configure the field mapping as shown in the following screenshot and click Save.
After the ingestion source is enabled, SIRP will call the MS Defender and MS Graph APIs every 5 minutes to check for new alerts, Risky User alerts and Recommendations. If SIRP finds any, it will ingest the records into its database.
The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.