Microsoft Defender for Identity
  • 08 Nov 2024
Microsoft Defender for Identity is a cloud-based security solution that helps secure your identity monitoring across your organization. Defender for Identity is fully integrated with Microsoft Defender XDR, and leverages signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced threats directed at your organization.

Integration Method: API

Tables: Detection Finding, User Inventory

This integration has been tested against Microsoft Graph REST API v1.0.

Azure Configuration

  1. Log on to the Azure console with a user account that has the Global Administrator role.

  2. Navigate to Microsoft Entra ID > App registrations > New registration. The Register an application page appears.

  3. Enter the application's registration information:

     • In the Name section, enter a meaningful application name that will be displayed to users.

     • For Supported account types, click the Accounts in any organizational directory option.

     • Set the Redirect URI to http://localhost.

     • Click on Register to create the application.

  4. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access

Once the application is created, grant it the permissions it needs to read data from the endpoint listed below. Without these application permissions the integration cannot query the endpoint.

Add Permissions

To add permissions for the endpoint listed in the table below, from the Microsoft Entra ID (formerly Azure Active Directory) portal:

  1. Select the application whose logs are to be accessed (generally, the application registered earlier on this page).

  2. Click API Permissions, and then click Add a Permission. The Request API permissions window appears.

  3. Click on Microsoft Graph.

  4. Click on Application Permissions.

  5. Grant the following permissions so that the endpoint functions properly:

     Endpoint        Permission
     /v1.0/users     User.ReadBasic.All
                     User.Read.All
                     Directory.Read.All

     In the Select permissions search bar, enter each permission shown above and check its box to include it. If you run into any problems, check out Microsoft's official documentation.

  6. Click the Add permissions button after selecting all required permissions.

  7. On the API permissions page, click Grant Admin Consent for <tenant>.

  8. Click the Yes button on the consent confirmation. The required permissions are now added for the endpoint.

Create the Client ID and Client Secret

The final step in configuring the Graph API is creating a Client ID and Client Secret. To create these items, from the Azure Portal:

  1. Select the application created above.

  2. Click Certificates and Secrets, and then Client Secrets.

  3. Click New client secret. The Add a client secret window appears.

  4. Enter a Description for this client secret.

  5. Select the 24 months expiry period from the Expires drop-down list.

  6. Click Add.

  7. Copy the Value and SecretID fields, which will be used to configure the DataBee API connection.

DataBee Configuration

  1. Log in to the DataBee console, navigate to the Data tab and click on Add new Datasource.

  2. Search for Microsoft Defender for Identity and select it.

  3. Click on API Ingest.

  4. Enter the required details in the contact form.

  5. In the configuration dialog boxes, enter the following:

    • Authorization Method: OAuth2

    • Client Key: Paste the Value from the previous step

    • Client Secret: Paste the Secret Key from the previous step

    • Token URL: Replace the <application_id> placeholder with your tenant ID.

  6. Click Submit.
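As an added example (not part of the DataBee or Microsoft documentation), the following Python script builds the OAuth2 client-credentials request for the tenant token URL and inspects the returned access token to confirm that admin consent granted exactly the /v1.0/users permissions listed above and nothing more. The tenant ID, client ID and secret are placeholders, the token endpoint is the standard Entra endpoint, and the token used for demonstration is constructed inline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the table above lists for /v1.0/users.
REQUIRED_ROLES = {"User.ReadBasic.All", "User.Read.All", "Directory.Read.All"}
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request for the tenant's Entra token URL."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests every application permission that admin consent granted
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does not verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def role_check(token, tenant_id, required=REQUIRED_ROLES):
    """Return (missing, extra) roles: missing breaks /v1.0/users, extra is over-privilege."""
    claims = jwt_claims(token)
    if claims.get("tid") != tenant_id:
        raise ValueError("access token was issued for a different tenant")
    granted = set(claims.get("roles", []))
    return sorted(required - granted), sorted(granted - required)


def fetch_users(access_token):
    """Call /v1.0/users with the bearer token (needs network; not exercised offline)."""
    req = urllib.request.Request(GRAPH_USERS_URL,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def constructed_token(claims):
    """Build an unsigned, JWT-shaped string from constructed claims for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."
```

Run `role_check` on the token returned by the tenant token URL before configuring the datasource; an empty missing list means the grant matches the table, and a non-empty extra list means the app holds more than the endpoint needs.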
