Microsoft 365 Defender
  • 4 Minutes to read
  • PDF

Microsoft 365 Defender

  • PDF

Article summary

1. About this document


This document provides step-by-step instructions to configure Microsoft 365 Defender in SAFE.

2. Introduction


SAFE integrates with Microsoft 365 Defender to fetch the configuration assessment of the following Microsoft products:

  • Microsoft 365 Exchange Online
  • Microsoft Azure AD
  • Microsoft Teams
  • Microsoft SharePoint Online
  • Microsoft 365

This unified integration pulls data for the above four Microsoft products in SAFE.

3. Prerequisites


  • Azure Active Directory Administrator privileges to approve assigning permissions.
  • Connection Details (Active Directory Primary Domain, Client ID, and Client Secret).
  • SAFE access with an admin role.

Click here to learn more about the Microsoft 365 Defender prerequisites.

4. Generate Connection Details


  1. Login to Microsoft 365 admin center.
  2. From the left navigation menu, navigate to Azure Active Directory (This will open a new tab).
  3. Click on the Overview from the left navigation.
  4. Here you can see the value for Primary Domain. Copy and save this value to use while configuring Microsoft 365 Defender in SAFE in the next section.
    Alternatively, you can open SAFE in a new tab, go to the Microsoft 365 Defender configuration page and enter the Primary Domain in the respective field.Def1
  5. Expand Applications, then select the App registrations option from the left navigation.
  6. At the top of the page, click New registration.Def2
  7. Enter a Name and click the Register button. All other settings can stay as default.
    Def3 
  8. Copy and save the value for the Application (Client) IDto use while configuring Microsoft 365 Defender in SAFE in the next section. 

    Alternatively, you can paste the Client ID on the Microsoft 365 Defender configuration page in SAFE.Def4

  9. Next, click the API Permissions from the left navigation.
  10. Click Add a permission option availabe in the center of the page.Def5
  11. From the options, select Microsoft Graph.
    Def6
  12. Click on the Application permissions option.
  13. Search for SecurityEvents.Read.All and tick the box to select it.Def7
  14. Click the Add permissions button. 
    Admin Consent

    You will now need to grant admin consent to apply this permission. If you do not have the privileges to do this, reach out to your administrator to do this.

  15. Select Certificates & secrets from the left navigation. 
  16. Click on the New client secret option available in the center of the page.
    Def8
  17. Enter a Description and select an option from the Expiry drop-down.
  18. Click the Add button at the bottom of the page. 
  19. Client Secret value is availabe in the Value column. Copy and savethis value to use while configuring Microsoft 365 Defender in SAFE in the next section. 

    Alternatively, you can paste the Client Secret on the Microsoft 365 Defender configuration page in SAFE.Defender 365

5. Configure Microsoft 365 Defender in SAFE


  1. Navigate to the SAFEHooks.
  2. Click the Microsoft 365 Defender card.
  3. Enter the connection details (Primary domain, Client ID, and Client Secret) generated in section 4 on the configuration page.
  4. Select the Auto Sync frequency in a number of days.
  5. Click on the Test Connection button. A success message appears when the connection is successful.
  6. Click the Save button.
  7. Click the Sync Now button to trigger an on-demand sync.
  8. Upon a successful sync, the system adds the Microsoft 365 Defender assets to SAFE, and their assessments and scores can be reviewed. You can track the status of the sync in the History table.

Defender Result 3

View results


To view the assets, controls, and their status:

  1. Click the "See Updated Assets" button available at the top-right of the History table.
  2. You will be redirected to the filtered assets list page that displays all the assets pulled from Microsoft 365 Defender.
    Alternatively, you can navigate to Assets under Technology and filter the assets list for signal source equals security.safe.saas.m365.defender.
    Defender Result 1
  3. Click an asset to view the controls and their status. Further clicking a control, you can see the ATT&CK mapping.
    Defender Result 2

6. History


Learn More about Integration History here.

8. SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

9. FAQs


Q. How does the Control Status get calculated?

Using a field named "scoreInPercentage" from the Defender API, which is equivalent to points achieved in the UI (but the UI shows it in points, while the API provides it in %), to determine if the configuration is done properly or not.

Examples

  1. In the UI, the “Points Achieved“ is shown as 1/1, then the API response corresponding to that will be 100%, and the status will be "Completed." If the Status in the UI is "Completed," then in SAFE UI, the Control Status will be Qualified because the configuration is done properly.
  2. In the UI, the "Points Achieved" is shown as 0/10, then the API response corresponding to that will be 0%, and the status will be "To address." If the Status in UI is “To address," then in SAFE UI, the Control Status will be Failed because the configuration is not done properly and needs to be remediated.
  3. In the UI, the "Points Achieved" is shown as 0.89/9, then the API response corresponding to that will be 11%, and the status will be "To address." If the Status on UI is "To address," then in SAFE UI, the Control Status will be Failed because the configuration is not done properly and needs to be remediated.
Note
If the "Points Achieved" shown in the UI is 1/1, 2/2, or M/N (Where M and N are always equal), then the status will be "Completed," and "scoreInPercentage" will always be 100%. But if the "Points Achieved" shown on the UI is 0/1, 1/2, or M/N (Where M is Less than N), then the Status will be “To address" and “scoreInPercentage" will always be less than 100%.

Defender(1)



Was this article helpful?