Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a solution that helps you secure your cloud applications across Microsoft 365 and other SaaS providers. Defender for Cloud Apps was previously known as Microsoft Cloud App Security. For more information, refer to the Microsoft product page.
Integration Method: API
Tables: Account Change, Authentication, Detection Finding, Entity Management, File System Activity
Events | Description |
Entities | Get a list of users and organizations using cloud apps |
Activities | Get activities of access and password changes |
Alerts | Get a list of immediate alerts identified by Defender for Cloud Apps |
This integration has been tested against Microsoft Defender for Cloud Apps API v1.
Prerequisites
Admin access to Azure Portal
Access to Microsoft Defender console
Configuration Overview
Create an App registration on Azure Portal: application_id and directory_id
Set the permissions on the new API user
Create API credentials: secret value
Log on to the Defender console to get the API base URL
Configure DataBee with the client key, client secret, API base URL, and tenant ID
Azure Configuration
To use the Microsoft Defender for Cloud Apps API, you need client credentials, a tenant ID, and the tenant region.
Log on to Azure with a user account that has the Global Administrator role.
Navigate to App registrations and click New registration. The Register an application page appears.
Enter the application's registration information:
In the Name section, enter a meaningful application name that will be displayed to users.
For Supported account types, click the Accounts in any organizational directory option.
Set the Redirect URI to http://localhost.
Click on Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Add Permissions
Once the application is created, it must be granted permissions before it can read data. The application needs the appropriate permissions for each of the endpoints configured below.
To add permissions for the endpoints listed in the table below, from the Azure portal:
On the Application page, select API Permissions > Add permission > APIs my organization uses.
Search for Defender for Cloud Apps or Cloud App Security (the older name) and select it.
Select Application permissions > Investigation.Read, and then select Add permissions.
Select Grant admin consent and click Yes in the pop-up box.
The following permissions will be granted:
Endpoint | Permission |
/api/v1/entities/ | Investigation.Read |
/api/v1/activities/ | Investigation.Read |
/api/v1/alerts/ | Investigation.Read |
Create the Client ID and Client Secret
The next step is creating a Client ID and Client Secret for API access. To create these items, from the Azure Portal:
Select the DataBee application.
Click Certificates and Secrets, and then Client Secrets.
Click New client secret. The Add a client secret window appears.
Enter a Description for this client secret and choose the expiry period from the Expires drop-down list.
Click Add.
Copy the Value field; it is needed when configuring DataBee and is shown only once.
Get Defender API URL
Open the Microsoft Defender Portal and select Settings.
Select Cloud Apps.
Under System, select About.
Copy the API URL and Data center value for DataBee configuration.
DataBee Configuration
Log in to the DataBee console and navigate to the Data > Data Sources tab.
Click Add New Source.
Search for Defender for Cloud Apps and select it.
Select API Ingest.
Enter basic contact information in the dialog box and click Next.
In the detailed configuration boxes, ensure the following fields are filled:
Authorization Method: OAuth2
Client Key: Paste the Application (client) ID copied from the Azure console
Secret Key: Paste the client secret Value generated in the Azure console
Token URL: Replace the <placeholder> with the Directory (tenant) ID from the Azure console
API Base URL: Paste the API URL copied from the Defender Portal
Click Submit.
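The following is an added example, not DataBee's or Microsoft's code, that models the flow the configuration above wires together: the OAuth2 client-credentials token request built from the tenant ID, and a paged read of the three Investigation.Read endpoints from the permission table. The HTTP transport is injected so the logic can be checked offline with a constructed fake. Assumed, and labelled as such in the code: the app-only scope value, the `skip`/`limit` request body and `data`/`hasNext` response shape of the list endpoints, and the example base URL.

```python
# Added example (not DataBee's or Microsoft's code): OAuth2 client-credentials
# flow plus endpoint paging for Defender for Cloud Apps, with an injectable transport.
import json
import os
from urllib import parse, request

# Azure AD v2.0 token endpoint; the tenant ID takes the place of the <placeholder>
# shown in the DataBee Token URL field.
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# Assumption: app-only scope for the Defender for Cloud Apps API. Verify this value
# against Microsoft's current documentation before relying on it.
DEFAULT_SCOPE = "05a65629-4c1b-48c1-a78b-804c4abdd4af/.default"
# Endpoints from the permission table; each requires Investigation.Read.
ENDPOINTS = {
    "entities": "/api/v1/entities/",
    "activities": "/api/v1/activities/",
    "alerts": "/api/v1/alerts/",
}


def validate_config(tenant_id, client_id, client_secret, base_url):
    """Return a list of configuration problems; an empty list means the values look usable."""
    problems = []
    if not tenant_id or "<" in tenant_id or ">" in tenant_id:
        problems.append("tenant ID still contains the <placeholder>")
    if not client_id:
        problems.append("client key (Application ID) is empty")
    if not client_secret:
        problems.append("secret key (client secret Value) is empty")
    if not base_url.startswith("https://"):
        problems.append("API base URL must use https")
    return problems


def token_url(tenant_id):
    return TOKEN_URL_TEMPLATE.format(tenant_id=tenant_id)


def token_request(tenant_id, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Build the client-credentials grant as (url, headers, form-encoded body)."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_url(tenant_id), headers, parse.urlencode(form).encode()


def api_url(base_url, endpoint):
    return base_url.rstrip("/") + endpoint


def urllib_transport(url, headers, body):
    """Real transport: POST the body to url and decode the JSON response."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_token(tenant_id, client_id, client_secret, transport):
    url, headers, body = token_request(tenant_id, client_id, client_secret)
    return transport(url, headers, body)["access_token"]


def fetch_all(base_url, endpoint, access_token, transport, limit=100):
    """Page through a list endpoint. Assumption: the API accepts a JSON body with
    'skip'/'limit' and replies with 'data' plus a 'hasNext' flag."""
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/json",
    }
    skip, records = 0, []
    while True:
        body = json.dumps({"skip": skip, "limit": limit}).encode()
        page = transport(api_url(base_url, endpoint), headers, body)
        records.extend(page.get("data", []))
        if not page.get("hasNext"):
            return records
        skip += limit


if __name__ == "__main__":
    # Secrets come from the environment, never from source control.
    cfg = [os.environ.get(k, "") for k in
           ("MDCA_TENANT_ID", "MDCA_CLIENT_ID", "MDCA_CLIENT_SECRET", "MDCA_BASE_URL")]
    issues = validate_config(*cfg)
    if issues:
        raise SystemExit("; ".join(issues))
    tok = get_token(cfg[0], cfg[1], cfg[2], urllib_transport)
    for name, path in ENDPOINTS.items():
        print(name, len(fetch_all(cfg[3], path, tok, urllib_transport)))
```

`validate_config` catches the most common mistake from the steps above, a Token URL whose `<placeholder>` was never replaced with the Directory (tenant) ID, before any credential is sent anywhere.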