Microsoft 365 Defender

About this document


This document gives you the step-by-step procedure to configure Microsoft 365 Defender in SAFE.

Introduction


SAFE integrates with Microsoft 365 Defender to fetch misconfigurations of the following Microsoft products:

  • Microsoft Azure AD
  • Microsoft Teams
  • Microsoft SharePoint Online
  • Microsoft Office

Prerequisites


  • Azure Active Directory primary domain
  • Azure Active Directory application registration granted the Microsoft Graph application permission "SecurityEvents.Read.All", with admin consent
  • Client ID and Client Secret associated with the application

Generate Connection Details (Client Id and Client Secret)


  1. Sign in to the Microsoft 365 admin center.
  2. From the left navigation menu, navigate to Azure Active Directory.
  3. Click the Overview tab. The system displays the company details. Find the Primary domain, then copy and save it to use while configuring Microsoft 365 Defender in SAFE.
  4. Click App registrations from the left panel.
  5. Click New registration.
  6. Enter an application name and click Register. The system redirects you to the application overview page.
  7. Copy and save the Application (client) ID to use while configuring Microsoft 365 Defender in SAFE.
  8. Click API permissions from the left panel.
  9. Click Add a permission.
  10. Click Microsoft Graph from the list of available APIs.
  11. Click Application permissions.
  12. Search for and select SecurityEvents.Read.All.
  13. Click Add permissions, then click Grant admin consent for your tenant (if you are not an admin, ask your tenant admin to grant it). The permission should now show as granted. Application permissions are not effective until admin consent is granted, so the Test Connection step in SAFE fails without it.
  14. Click Certificates & secrets from the left navigation.
  15. Click New client secret.
  16. Enter a description and select an expiry for the secret from the drop-down.
  17. Click Add.
  18. The system generates the secret. Copy and save the Value column (this is the Client Secret), not the Secret ID; the value is shown only once and cannot be retrieved later. Note the expiry you chose: the secret must be rotated and the SAFE configuration updated before that date, or the sync will start failing.

Configure Microsoft 365 Defender in SAFE


  1. Navigate to SAFE Hooks.
  2. Click the Microsoft 365 Defender card.
  3. On the configuration page, enter the Primary domain, Client ID, and Client Secret.
  4. Set the Auto-Sync frequency.
  5. Click the Test Connection button.
  6. Once the connection is validated, click the Save button.
  7. Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside of the scheduled auto sync.

View results in SAFE


To view the assets, controls, and their status:

  1. Go to Technology > Assets.
  2. Filter the assets list by Source = security.safe.saas.ms-defender. The system displays the Microsoft 365 Defender assets.
  3. Click an asset to view its controls and their status. Click a control to see its ATT&CK mapping.

FAQs


How does the Control Status get calculated?

SAFE uses the "scoreInPercentage" field from the Defender API. It is equivalent to the "Points Achieved" value in the Microsoft UI: the UI shows it as points, while the API reports it as a percentage of the control's maximum points. A control is treated as configured properly only when the value is 100%.

Examples

  1. In the UI, "Points Achieved" is shown as 1/1; the corresponding API response is 100% and the status is "Completed." When the status in the UI is "Completed," the Control Status in the SAFE UI is Qualified because the configuration is done properly.
  2. In the UI, "Points Achieved" is shown as 0/10; the corresponding API response is 0% and the status is "To address." When the status in the UI is "To address," the Control Status in the SAFE UI is Failed because the configuration is not done properly and needs to be remediated.
  3. In the UI, "Points Achieved" is shown as 0.89/9; the corresponding API response is 11% and the status is "To address," so the Control Status in the SAFE UI is Failed and the control needs to be remediated.
Note
If "Points Achieved" in the UI is 1/1, 2/2, or in general M/N with M equal to N, the status is "Completed" and "scoreInPercentage" is always 100%. If it is 0/1, 1/2, or in general M/N with M less than N, the status is "To address" and "scoreInPercentage" is always less than 100%. A partially achieved control therefore still counts as Failed in SAFE.
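The following script is an added example, not SAFE's own code, covering two things from this page: it checks the application registration from the "Generate Connection Details" procedure the same way Test Connection must (a client-credentials token for the primary domain, then a Graph call that needs SecurityEvents.Read.All with admin consent), and it applies the Control Status rule from the FAQ to each control. It assumes the "scoreInPercentage" field the FAQ refers to comes from the Microsoft Graph secureScores endpoint; the environment variable names, the function names and the sample control names are this example's own.

```python
"""Check a Microsoft 365 Defender app registration and preview SAFE's control-status rule.

Added example, not SAFE's own code. Assumes scoreInPercentage comes from the
Microsoft Graph secureScores endpoint.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def get_token(primary_domain: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow against the tenant named by its primary domain.

    A wrong or expired client secret fails here (HTTP 401); a missing admin
    consent on SecurityEvents.Read.All fails on the Graph call instead (403).
    """
    url = f"https://login.microsoftonline.com/{primary_domain}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all granted app permissions
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def fetch_latest_secure_score(token: str) -> dict:
    """Most recent daily Secure Score snapshot, including per-control scores."""
    req = urllib.request.Request(
        f"{GRAPH}/security/secureScores?$top=1",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"][0]


def control_status(control: dict) -> str:
    """FAQ rule: scoreInPercentage of 100 -> Qualified, anything less -> Failed.

    A missing or non-numeric value is treated as 0 so a malformed record can
    never show up as passing.
    """
    try:
        pct = float(control.get("scoreInPercentage", 0))
    except (TypeError, ValueError):
        pct = 0.0
    return "Qualified" if pct >= 100 else "Failed"


def expected_percentage(points_achieved: float, max_points: float) -> int:
    """Percentage the API should report for a UI 'Points Achieved' of M/N (rounded)."""
    if max_points <= 0:
        return 0
    return round(100 * points_achieved / max_points)


def evaluate(secure_score: dict) -> dict:
    """Map every control in one secureScores entry to its SAFE Control Status."""
    return {c["controlName"]: control_status(c) for c in secure_score.get("controlScores", [])}


def summarize(statuses: dict) -> dict:
    counts = {"Qualified": 0, "Failed": 0}
    for status in statuses.values():
        counts[status] += 1
    return counts


# Constructed sample shaped like one entry of the secureScores "value" array;
# the control names are illustrative, not real Secure Score control names.
SAMPLE_SECURE_SCORE = {
    "currentScore": 11.0,
    "maxScore": 20.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "ExampleMfaControl",
         "score": 10.0, "scoreInPercentage": 100},
        {"controlCategory": "Apps", "controlName": "ExampleTeamsControl",
         "score": 0.0, "scoreInPercentage": 0},
        {"controlCategory": "Data", "controlName": "ExampleSharePointControl",
         "score": 1.0, "scoreInPercentage": 11},
        {"controlCategory": "Apps", "controlName": "ExampleBrokenRecord"},  # field absent
    ],
}

if __name__ == "__main__":
    # Live check when PRIMARY_DOMAIN, CLIENT_ID and CLIENT_SECRET are set to the
    # values saved during registration; otherwise the constructed sample is used.
    env = {k: os.environ.get(k) for k in ("PRIMARY_DOMAIN", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):
        token = get_token(env["PRIMARY_DOMAIN"], env["CLIENT_ID"], env["CLIENT_SECRET"])
        snapshot = fetch_latest_secure_score(token)
    else:
        snapshot = SAMPLE_SECURE_SCORE
    statuses = evaluate(snapshot)
    for name, status in statuses.items():
        print(f"{status:9s} {name}")
    print(summarize(statuses))
```

Run it with the three environment variables set to confirm the secret and the consented permission work before entering them in SAFE; a 401 from the token endpoint points at the secret (wrong value, or the Secret ID copied instead of the Value), a 403 from Graph at missing admin consent. Without the variables it only runs the status rule over the constructed sample, where the partially achieved 11% control lands on Failed exactly as the FAQ's third example describes.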
