Microsoft Defender for Cloud Apps
  • 08 Nov 2024

Microsoft Defender for Cloud Apps is a solution that helps you secure your cloud applications across Microsoft 365 and other SaaS providers. It is a multimode cloud access security broker (CASB) that offers deep visibility, strong data controls, and enhanced threat protection for your cloud apps.

Integration Method: API

Tables: Account Change, Authentication, Detection Finding, Entity Management, File System Activity

DataBee connects to Microsoft Defender for Cloud Apps APIs to retrieve activities, alerts, and entities. This integration has been tested against Microsoft Defender for Cloud Apps API v1.

Azure Configuration

To use the Microsoft Defender for Cloud Apps API, you need client credentials, the tenant ID, and the tenant region.

  1. Log on to Azure with a user account that has the Global Administrator role.  

  2. Navigate to Microsoft Entra ID > App registrations > New registration. The Register an application page appears.

  3. Enter the application's registration information:

    • In the Name section, enter a meaningful application name that will be displayed to users.

    • For Supported account types, click the Accounts in any organizational directory option.

    • Set the Redirect URI to http://localhost.

  4. Click on Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Permissions  

Once the application is created, it must be granted permissions before it can retrieve data. This integration uses the following endpoints, and the application needs the appropriate permission for each of them:

  • https://<tenant_id>.<tenant_region>.portal.cloudappsecurity.com/api/v1/entities/

  • https://<tenant_id>.<tenant_region>.portal.cloudappsecurity.com/api/v1/activities/

  • https://<tenant_id>.<tenant_region>.portal.cloudappsecurity.com/api/v1/alerts/

To add permissions for the endpoints outlined above, from the Azure Active Directory portal:

  1. On the Application page, select API Permissions > Add permission > APIs my organization uses.

  2. Type Defender for Cloud Apps, and then select it.

  3. Select Application permissions > Investigation.Read, and then select Add permissions.

  4. Select Grant admin consent.

  5. The following permissions need to be granted for the endpoints to function properly:

    Endpoint                Permission
    /api/v1/entities/       Investigation.read
    /api/v1/activities/     Investigation.read
    /api/v1/alerts/         Investigation.read
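
An added example, not DataBee or Microsoft code: app-only access tokens issued to the registration carry their application permissions in the `roles` claim, so decoding a token after admin consent shows whether the grant is exactly the Investigation.Read permission listed above and nothing broader. The function names and the unsigned sample tokens are constructed for illustration; the comparison ignores case because the page writes the permission both as Investigation.Read and Investigation.read.

```python
import base64
import json

# The only permission the page grants, lower-cased for comparison.
EXPECTED_ROLES = {"investigation.read"}


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only (no signature verification)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(jwt: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the app roles in the token with the least-privilege set."""
    roles = decode_claims(jwt).get("roles", [])
    granted = {r.lower() for r in roles}
    return {
        "missing": sorted(expected - granted),  # consent not granted yet
        "excess": sorted(granted - expected),   # broader than the integration needs
        "ok": granted == expected,
    }


def make_sample_token(roles) -> str:
    """Build a constructed, unsigned sample token so the check runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed samples: correct grant, over-privileged grant, no consent yet.
    samples = (
        ["Investigation.Read"],
        ["Investigation.read", "Investigation.manage"],
        [],
    )
    for sample in samples:
        print(sample, audit_roles(make_sample_token(sample)))
```

A non-empty `excess` list means the registration holds more than the integration needs and the extra permission should be removed before the client secret is handed to DataBee.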

Create the Client ID and Client Secret  

The final step in configuring the API is creating a Client ID and Client Secret. To create these items, from the Azure Portal:

  1. Select the application created above.

  2. Click Certificates and Secrets, and then Client Secrets.

  3. Click New client secret. The Add a client secret window appears.

  4. Enter a Description for this client secret.

  5. Select the desired expiry period from the Expires drop-down list.

  6. Click Add.

  7. Copy the Value field, which will be used to initialize DataBee.

Get Tenant Region

  1. Open Microsoft Defender Portal.

  2. Select Settings.

  3. Select Cloud Apps.

  4. Under System, select About.

  5. The value of Data center represents the tenant region.

DataBee Configuration

  1. Log in to the DataBee console and navigate to the Data > Data Sources tab.

  2. Click on Add New Source.

  3. Search for Defender for Cloud Apps and select it.

  4. Select API Ingest.

  5. Enter basic contact information in the dialog box and click Next.

  6. In the detailed configuration boxes, ensure the following fields are filled:

    • Authorization Method: OAuth2

    • Client Key: Paste the client key generated in the Microsoft console

    • Secret Key: Paste the client secret generated in the Microsoft console

    • Token URL: Replace the <application_id> with your Tenant Id.

    • API URL: Replace <tenant_id> and <tenant_region> with the values generated above.

  7. Click Submit.
