Microsoft 365 Defender

1. About this document


This document provides step-by-step instructions to configure Microsoft 365 Defender in SAFE.

2. Introduction


SAFE integrates with Microsoft 365 Defender to fetch the configuration assessment of the following Microsoft products:

  • Microsoft 365 Exchange Online
  • Microsoft Azure AD
  • Microsoft Teams
  • Microsoft SharePoint Online
  • Microsoft 365

This unified integration pulls data for the above four Microsoft products in SAFE.

3. Prerequisites


  • Azure Active Directory Administrator privileges to approve assigning permissions.
  • Connection Details (Active Directory Primary Domain, Client ID, and Client Secret).
  • SAFE access with an admin role.

Click here to learn more about the Microsoft 365 Defender prerequisites.

4. Generate Connection Details


  1. Log in to the Microsoft 365 admin center.
  2. From the left navigation menu, navigate to Azure Active Directory (This will open a new tab).
  3. Click on the Overview from the left navigation.
  4. Here you can see the value for Primary Domain. Copy and save this value to use while configuring Microsoft 365 Defender in SAFE in the next section.
    Alternatively, you can open SAFE in a new tab, go to the Microsoft 365 Defender configuration page, and enter the Primary Domain in the respective field.
  5. Expand Applications, then select the App registrations option from the left navigation.
  6. At the top of the page, click New registration.
  7. Enter a Name and click the Register button. All other settings can stay as default.
  8. Copy and save the value for the Application (Client) ID to use while configuring Microsoft 365 Defender in SAFE in the next section.

    Alternatively, you can paste the Client ID on the Microsoft 365 Defender configuration page in SAFE.

  9. Next, click the API Permissions from the left navigation.
  10. Click the Add a permission option available in the center of the page.
  11. From the options, select Microsoft Graph.
  12. Click on the Application permissions option.
  13. Search for SecurityEvents.Read.All and tick the box to select it.
  14. Click the Add permissions button. 
    Admin Consent

    You will now need to grant admin consent to apply this permission. If you do not have the privileges to do this, reach out to your administrator to do this.

  15. Select Certificates & secrets from the left navigation. 
  16. Click on the New client secret option available in the center of the page.
  17. Enter a Description and select an option from the Expiry drop-down.
  18. Click the Add button at the bottom of the page. 
  19. The Client Secret value is available in the Value column. Copy and save this value to use while configuring Microsoft 365 Defender in SAFE in the next section.

    Alternatively, you can paste the Client Secret on the Microsoft 365 Defender configuration page in SAFE.
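Before entering the details into SAFE, you can confirm that the Client ID and Client Secret issue an app-only Graph token and that admin consent for SecurityEvents.Read.All has taken effect. This is an added example, not part of the original article or of SAFE; it assumes the standard Microsoft identity platform client-credentials endpoint and that consented application permissions appear in the token's `roles` claim, and the JWT it decodes offline is constructed for the demonstration.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{domain}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = ("SecurityEvents.Read.All",)  # the one permission added in step 13

def build_token_request(primary_domain, client_id, client_secret):
    """Return (url, form body) for an OAuth2 client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return TOKEN_URL.format(domain=primary_domain), body

def decode_jwt_claims(token):
    """Decode a JWT payload without verifying it: fine for inspecting a token we
    just obtained ourselves, never for authenticating tokens presented by others."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token, required=REQUIRED_ROLES):
    """Application permissions that admin consent has not yet granted."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)

def fetch_token(primary_domain, client_id, client_secret):
    """Exchange the connection details for an app-only Graph access token."""
    url, body = build_token_request(primary_domain, client_id, client_secret)
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]

def constructed_token(claims):
    """Constructed, unsigned JWT so the roles check can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    demo = constructed_token({"aud": "https://graph.microsoft.com", "roles": []})
    print("missing roles:", missing_roles(demo))  # consent not yet granted
```

With real connection details, `missing_roles(fetch_token(domain, client_id, secret))` returning an empty list means the app is ready for the Test Connection step; a non-empty list means admin consent is still pending.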

5. Configure Microsoft 365 Defender in SAFE


  1. Navigate to the SAFE Hooks.
  2. Click the Microsoft 365 Defender card.
  3. Enter the connection details (Primary domain, Client ID, and Client Secret) generated in section 4 on the configuration page.
  4. Select the Auto Sync frequency in a number of days.
  5. Click on the Test Connection button. A success message appears when the connection is successful.
  6. Click the Save button.
  7. Click the Sync Now button to trigger an on-demand sync.
  8. Upon a successful sync, the system adds the Microsoft 365 Defender assets to SAFE, and their assessments and scores can be reviewed. You can track the status of the sync in the History table.


View results


To view the assets, controls, and their status:

  1. Click the "See Updated Assets" button available at the top-right of the History table.
  2. You will be redirected to the filtered assets list page that displays all the assets pulled from Microsoft 365 Defender.
    Alternatively, you can navigate to Assets under Technology and filter the assets list for signal source equals security.safe.saas.m365.defender.
  3. Click an asset to view the controls and their status. Further clicking a control, you can see the ATT&CK mapping.

6. History


Learn more about Integration History here.

8. SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

9. FAQs


Q. How does the Control Status get calculated?

SAFE uses a field named "scoreInPercentage" from the Defender API to determine whether a configuration is done properly. It is equivalent to the Points Achieved shown in the Defender UI, except that the UI shows it in points while the API provides it as a percentage.

Examples

  1. If the UI shows "Points Achieved" as 1/1, the corresponding API response is 100% and the status is "Completed." When the status in the UI is "Completed," the Control Status in the SAFE UI is Qualified, because the configuration is done properly.
  2. If the UI shows "Points Achieved" as 0/10, the corresponding API response is 0% and the status is "To address." When the status in the UI is "To address," the Control Status in the SAFE UI is Failed, because the configuration is not done properly and needs to be remediated.
  3. If the UI shows "Points Achieved" as 0.89/9, the corresponding API response is 11% and the status is "To address." When the status in the UI is "To address," the Control Status in the SAFE UI is Failed, because the configuration is not done properly and needs to be remediated.

Note
If the "Points Achieved" shown in the UI is 1/1, 2/2, or M/N (where M and N are equal), the status is "Completed" and "scoreInPercentage" is always 100%. If the "Points Achieved" shown in the UI is 0/1, 1/2, or M/N (where M is less than N), the status is "To address" and "scoreInPercentage" is always less than 100%.
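The status rule above, applied to per-control API data, as an added example (not SAFE's own code). The response is constructed: only "scoreInPercentage" is named in the article, so the "controlScores" wrapper and the control names are assumptions; a control with no usable percentage is reported as Unknown rather than counted as passing.

```python
import json

# Constructed sample shaped like the per-control entries SAFE reads from the
# Defender API. Only "scoreInPercentage" is named in the article; the control
# names and the "controlScores" wrapper are assumptions for this example.
SAMPLE_RESPONSE = json.dumps({"controlScores": [
    {"controlName": "ExampleControlA", "scoreInPercentage": 100},  # UI: 1/1
    {"controlName": "ExampleControlB", "scoreInPercentage": 0},    # UI: 0/10
    {"controlName": "ExampleControlC", "scoreInPercentage": 11},   # UI: 0.89/9
    {"controlName": "ExampleControlD"},                            # field absent
]})


def defender_status(pct):
    """Status shown in the Defender UI: every point achieved means 100%."""
    return "Completed" if pct >= 100 else "To address"


def safe_control_status(pct):
    """SAFE Control Status derived from the API percentage, as the FAQ states."""
    return "Qualified" if pct >= 100 else "Failed"


def evaluate_controls(response_text):
    """Map each control to (Defender status, SAFE Control Status).

    A control whose percentage is missing or non-numeric is reported as
    Unknown rather than silently counted as passing.
    """
    results = {}
    for control in json.loads(response_text).get("controlScores", []):
        pct = control.get("scoreInPercentage")
        if isinstance(pct, bool) or not isinstance(pct, (int, float)):
            results[control["controlName"]] = ("Unknown", "Unknown")
        else:
            results[control["controlName"]] = (defender_status(pct), safe_control_status(pct))
    return results


def points_complete(achieved, maximum):
    """The Note's rule: M/N counts as Completed only when M equals N."""
    if maximum <= 0:
        raise ValueError("maximum points must be positive")
    return achieved == maximum


if __name__ == "__main__":
    for name, (defender, safe) in evaluate_controls(SAMPLE_RESPONSE).items():
        print(f"{name}: Defender={defender}, SAFE={safe}")
```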



