Skip to main content

Microsoft Defender Suite

S
Written by Syed Vali Uddin
Updated over 2 weeks ago

About Microsoft Defender Suite

With the Microsoft Defender Suite integration, you can ingest alerts and incidents from the entire range of Defender products, enabling centralized monitoring and streamlined responses.

SIRP can also ingest Risky Users and Security Recommendation alerts from Defender, if needed.

Supported Actions

SIRP’s Microsoft Defender Suite integration app allows you to execute the following actions:

ID

Action

Description

1

GET ALERTS

Get new alerts

2

GET RISKY USERS

Get risky users

3

GET RECOMMENDATION

Get recommendation

Enable and Configure Microsoft Defender & Microsoft Graph API

To integrate Microsoft Office 365 Defender with SIRP:

  • Log in to your Azure Portal.

  • Go to the Azure Active Directory tab.

  • Go to the App registrations option.

  • Click on Add

Application Registration

Please follow the steps below to register the application.

  • Set the Name of the application <Configured by the user>.

  • Set the Supported Account type as “Accounts in this organizational directory only.”

  • Set Redirect URL as web> https://security.microsoft.com/.

  • Click on Register.

API Generation

From the application created using the steps mentioned above, copy and save the following IDs from the application Overview:

  • Application (client) ID

  • Directory (tenant) ID

Next, go to the Certificates & Secrets tab and:

  • Add a new client secret.

  • Enter the description.

A new Token Value will be created that proves the identity of the application when requesting a token. Token Value (App Secret) should be copied from the Azure portal which then be used in SIRP app configuration.

Access the API permission tab to request the API permission. Take the following steps:

  • Click on the Add permission option.

  • Select an API from the APIs your organization uses.

  • Add the Windows Defender ATP & Microsoft Graph application created using the above steps.

Enable the following application permissions for Microsoft Graph:

  1. CustomDetection.Read.All

  2. SecurityAlert.ReadAll

  3. SecurityEvents.ReadAll

  4. SecurityIncident.Read.All

  5. User.Read

  6. Identity.RiskyUser.Read.All (For Risky User)

  7. IdentityEvent.Read.All (For Risky User)

Enable the following application permissions for WindowsDefenderATP:

  1. AlertRead.All

  2. Vulnerability.ReadAll

  3. SecurityRecommendation.Read.All (for Recommendations)

  4. Machine.Read.All (for Recommendations)

Induct the permissions by clicking on Add permission.

Finally, select “Grant admin consent for <your organization>” and click on Yes.

Configure The SIRP App

  • Next, log in to SIRP, then go to Apps from the left navigation bar

  • Locate the Microsoft Defender Suite App.

  • Click on the Toggle button to enable the app.

When you enable the App, you will get an option to add the configuration details. Add the following details and click Save:

  • Host graph.microsoft.com

  • Tenant ID <Generated earlier from the portal>

  • App ID <Generated earlier from the portal>

  • App-Secret <Generated earlier from the portal>

Create and Configure Microsoft Defender Suite Ingestion

To start ingesting alerts from MS Defender through API, you need to create a new ingestion source and enable it.

  1. Go to the Administration section from the left-hand navigation bar

  2. Go to Apps > Ingestion Sources

  3. Click on Add Source

  4. Fill the fields in the popup form as shown in the image above:

    • Name: MS Defender Suite(This can be any name to distinguish this ingestion source)

    • Ingestion Method: API

    • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

    • Frequency: Every 5 min (SIRP will call MS Defender & Graph API every 5 minutes to check for new offenses)

    • Opened By: Not Mandatory

    • Applications: Select the Microsoft Defender Suite application

    • Configuration: Select the configuration name

    • Actions: Select GET ALERTS

    • Format: JSON

  5. Click the Create button to create the new ingestion source

  6. The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.

  7. Configure the field mapping as shown in the following screenshot and click Save.

To start ingesting RiskyUser from MS Defender through API, you need to create a new ingestion source and enable it.

  1. Go to the Administration section from the left-hand navigation bar

  2. Go to Apps > Ingestion Sources

  3. Click on Add Source

    You can also filter RiskyUser by using filter in the ingestion sources.

  4. Fill the fields in the popup form as shown in the image above:

    • Name: RiskyUser(This can be any name to distinguish this ingestion source)

    • Ingestion Method: API

    • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

    • Frequency: Every 5 min (SIRP will call RiskyUser API every 5 minutes to check for new RiskyUser alerts)

    • Opened By: Not Mandatory

    • Applications: Select the Microsoft Defender Suite application

    • Configuration: Select the configuration name

    • Actions: Select GET RISKY USERS

    • Format: JSON

  5. Click the Create button to create the new ingestion source

  6. The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender Risky Users with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.

  7. Configure the field mapping as shown in the following screenshot and click Save.

To start ingesting Recommendation from MS Defender through API, you need to create a new ingestion source and enable it.

  1. Go to the Administration section from the left-hand navigation bar

  2. Go to Apps > Ingestion Sources

  3. Click on Add Source

  4. Fill the fields in the popup form as shown in the image above:

    • Name: Recommendation(This can be any name to distinguish this ingestion source)

    • Ingestion Method: API

    • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

    • Frequency: Every 5 min (SIRP will call Recommendation API every 5 minutes to check for new Recommendation alerts)

    • Opened By: Not Mandatory

    • Applications: Select the Microsoft Defender Suite application

    • Configuration: Select the configuration name

    • Actions: Select GET RECOMMENDATION

    • Format: JSON

  5. Click the Create button to create the new ingestion source

  6. The final step after creating an ingestion source is to map the data fields ingested from Microsoft Defender Recommendation with the fields available in SIRP. Once the ingestion source is created, a new configuration icon will appear under the Actions column. Click on this icon to configure the field mappings.

  7. Configure the field mapping as shown in the following screenshot and click Save.

After enabling the ingestion source, SIRP will start to call MS Defender & MS Graph API every 5 minutes to check for any new alerts, alerts for risky users & recommendation. If SIRP finds any alert, it will start ingesting the records within its database.

The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.

Did this answer your question?