Microsoft 365 Defender

1. About this document

This document provides step-by-step instructions to configure Microsoft 365 Defender in SAFE.

2. Introduction

SAFE integrates with Microsoft 365 Defender to fetch the configuration assessment of the following Microsoft products:

1. Microsoft Teams (Enabled by Default)
2. Microsoft 365 Exchange Online (Enabled by Default)
3. Microsoft SharePoint Online (Enabled by Default)
4. Microsoft Azure AD (Enabled by Default)
5. Microsoft 365 (Enabled by Default)
6. Microsoft Defender for Endpoint (Learn more)
7. Microsoft Intune 
8. Microsoft Information Protection 
9. Microsoft Defender for Identity (Learn more) 
10. Microsoft Defender for Cloud Apps (Learn more)
11. App governance (Learn more)
12. Citrix ShareFile(Learn more) 
13. Docusign(Learn more)
14. Github(Learn more)
15. Okta(Learn more)
16. Salesforce(Learn more)
17. ServiceNow(Learn more)
18. Zoom(Learn more)

3. Prerequisites

• Azure Active Directory Primary Domain.
• Azure Active Directory application with SecurityEvents.Read.All permission.
• Client ID and Client Secret associated with the above application.
• SAFE admin access.

4. Generate Connection Details (Client ID and Client Secret)

1. Login to Microsoft 365 admin center.
2. From the left navigation menu, navigate to Azure Active Directory (This will open a new tab).
3. Click on the Overview from the left navigation.
4. Here, you can see the value for the Primary Domain. Copy and save this value to use while configuring Microsoft 365 Defender in SAFE in the next section.
   Alternatively, you can open SAFE in a new tab, go to the Microsoft 365 Defender configuration page, and enter the Primary Domain in the respective field.
5. Expand Applications, then select the App registrations option from the left navigation.
6. At the top of the page, click New registration.
7. Enter a Name and click the Register button. All other settings can stay as default.
    
8. Copy and save the value for the Application (Client) ID to use while configuring Microsoft 365 Defender in SAFE in the next section. 

   Alternatively, you can paste the Client ID on the Microsoft 365 Defender configuration page in SAFE.

9. Next, click the API Permissions from the left navigation.
10. Click Add a permission option availabe in the center of the page.
11. From the options, select Microsoft Graph.
    
12. Click on the Application permissions option.
13. Search for SecurityEvents.Read.All and tick the box to select it.
14. Click the Add permissions button. 
    Admin Consent

    You will now need to grant admin consent to apply this permission. If you do not have the privileges to do this, reach out to your administrator to do this.

15. Select Certificates & secrets from the left navigation. 
16. Click on the New client secret option available in the center of the page.
    
17. Enter a Description and select an option from the Expiry drop-down.
18. Click the Add button at the bottom of the page. 
19. Client Secret value is availabe in the Value column. Copy and save this value to use while configuring Microsoft 365 Defender in SAFE in the next section. 

    Alternatively, you can paste the Client Secret on the Microsoft 365 Defender configuration page in SAFE.

5. Configure Microsoft 365 Defender in SAFE

1. Navigate to Integrations.
2. Click the Microsoft 365 Defender card.
3. Enter the Primary domain, Client ID, and Client Secret generated in section 4.
4. Select the Auto Sync frequency in a number of days.
5. In the Product Exclude List drop-down, select the products you do not want to fetch the assets and misconfiguration for in SAFE.
6. Click on the Test Connection button. A success message appears when the connection is successful.
7. Click the Save button.
8. Click the Sync Now button to trigger an on-demand sync.
9. Upon a successful sync, the system adds the Microsoft 365 Defender assets to SAFE, and their assessments and scores can be reviewed. You can track the status of the sync in the History table.

View results

Scroll down to the Finding View and Asset View on the configuration page.

• Findings View: This tab displays all the findings details fetched from MS 365 Defender.
• View Assets: This tab displays all the assets pulled from Microsoft 365 Defender.

6. History

Learn More about Integration History here.

8. SAFE's Outgoing IP Addresses

Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

9. FAQs

Q. How does the Control Status get calculated?

Using a field named "scoreInPercentage" from the Defender API, which is equivalent to points achieved in the UI (but the UI shows it in points, while the API provides it in %), to determine if the configuration is done properly or not.

Examples

1. In the UI, the “Points Achieved“ is shown as 1/1, then the API response corresponding to that will be 100%, and the status will be "Completed." If the Status in the UI is "Completed," then in SAFE UI, the Control Status will be Qualified because the configuration is done properly.
2. In the UI, the "Points Achieved" is shown as 0/10, then the API response corresponding to that will be 0%, and the status will be "To address." If the Status in UI is “To address," then in SAFE UI, the Control Status will be Failed because the configuration is not done properly and needs to be remediated.
3. In the UI, the "Points Achieved" is shown as 0.89/9, then the API response corresponding to that will be 11%, and the status will be "To address." If the Status on UI is "To address," then in SAFE UI, the Control Status will be Failed because the configuration is not done properly and needs to be remediated.