Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a solution that helps you secure your cloud applications across Microsoft 365 and other SaaS providers. Defender for Cloud Apps was previously known as Microsoft Cloud App Security. For more information refer to the Microsoft product page.

Integration Method: API

Tables: Account Change, Authentication, Detection Finding, Entity Management, File System Activity

This integration has been tested against Microsoft Defender for Cloud Apps API v1.

Prerequisites

1. Admin access to Azure Portal

2. Access to Microsoft Defender console

Configuration Overview

1. Create an App registration on Azure Portal: application_id and directory_id

2. Set the permissions on the new API user

3. Create API credentials: secret value

4. Logon to Defender console to get the API base URL

5. Configure DataBee with client key, client secret, baseurl, and tenantid

Azure Configuration

To use Microsoft Defender for Cloud Apps API, you need client credentials, tenant id, and tenant region.

1. Log on to Azure with a user account that has the Global Administrator role.  

2. Navigate to App registrations and click on New registration. The Register an application page window appears.

3. Enter the application's registration information:  

   1. In the Name section, enter a meaningful application name that will be displayed to users.

   2. For Supported account types, click the Accounts in any organizational directory option.  

   3. Set the Redirect URI to http://localhost.  

   4. Click on Register to create the application.  

4. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Permissions  

Once the application is created, permissions should be provided to get data. The appropriate permissions for the application are needed to configure these endpoints.

To add permissions for the one endpoint outlined above, from the Azure portal:  

1. On the Application page, select API Permissions > Add permission > APIs my organization uses.

2. Search for Defender for Cloud Apps or Cloud App Security (older name) and select it

3. Select Application permissions > Investigation.Read, and then select Add permissions.

4. Select Grant admin consent and click Yes on the pop up box

5. The following permissions will be granted

Create the Client ID and Client Secret  

The next step is creating a Client ID and Client Secret for API access. To create these items, from the Azure Portal:  

1. Select the DataBee application

2. Click Certificates and Secrets, and then Client Secrets.

3. Click New client secret. Then add a client secret window appears.

4. Enter a Description for this client secret and the expiry period from the Expires drop-list.  

5. Click Add.

6. Copy the Value field, which will be used when configuring DataBee.

Get Defender API URL

7. Open Microsoft Defender Portal and select Settings

8. Select Cloud Apps.

9. Under System, select About.

10. Copy the API URL and Data center value for DataBee configuration.

DataBee Configuration

1. Login to the DataBee console and navigate to the Data > Data Sources tab

2. Click on Add New Source

3. Search for Defender for Cloud Apps and select it

4. Select API Ingest

5. Enter basic contact information in the dialog box and click Next

6. In the detailed configuration boxes, ensure the following fields are filled

   • Authorization Method: OAuth2

   • Client Key: Paste the Application (client) id generated in the Azure console

   • Secret Key: Paste the client secret generated in the Azure console

   • Token URL:  replace the <placeholder> with the Directory (tenant) Id from the Azure console

   • API Base URL:  Paste the API URL generated from the Defender Portal

7. Click Submit