Microsoft Defender for Office 365
Microsoft Defender for Office 365 is a cloud-based email security service that protects against advanced threats such as phishing, malware, and business email compromise attacks targeting Office 365 users.
Setup and Configure
Microsoft Defender for Office 365 logs are retrieved from Microsoft through the Microsoft Graph API, which uses OAuth 2.0 to authorize access. To establish this integration, start by creating a Microsoft Enterprise Application: log in to Azure and register a new application as described below.
Creating Application
Log on to Azure with a user account that has the Global Administrator role.
Navigate to Microsoft Entra ID > App registrations > New registration. The "Register an application" page appears.
Enter the application's registration information:
In the 'Name' section, enter a meaningful application name that will be displayed to users.
For 'Supported account types', click the Accounts in any organizational directory option.
Set the 'Redirect URI' to http://localhost.
Click on Register to create the application.
On the app "Overview" page, copy the Application (client) ID and Directory (tenant) ID for later use.
Add Endpoint Access
Once the application is created, the appropriate permissions for the application have to be configured for the endpoints.
API Endpoints
https://graph.microsoft.com/v1.0/reports/security/getAttackSimulationRepeatOffenders
https://graph.microsoft.com/v1.0/reports/security/getAttackSimulationSimulationUserCoverage
https://graph.microsoft.com/v1.0/reports/security/getAttackSimulationTrainingUserCoverage
Add Permissions
To add permissions for the three endpoints listed above, from the Azure Active Directory portal, follow the steps below.
Select the application whose logs are to be accessed (generally, the application registered earlier on this page).
Click API Permissions, and then click Add a Permission. The "Request API permissions" window appears.
Click on Microsoft Graph.
Click on Application Permissions.
The following permissions need to be granted for the three endpoints to function properly:
Endpoint                                                      Permission
/reports/security/getAttackSimulationRepeatOffenders          AttackSimulation.Read.All
/reports/security/getAttackSimulationSimulationUserCoverage   AttackSimulation.Read.All
/reports/security/getAttackSimulationTrainingUserCoverage     AttackSimulation.Read.All
In the 'Select permissions' search bar, enter the permissions shown above one by one, and check the box for each to include them.
Click the Add permissions button after selecting all required permissions.
On the "API permissions" page, click Grant Admin Consent for <tenant>.
Click the Yes button on the consent confirmation. The required permissions are now added for the endpoints.
Create the Client ID and Client Secret
The final step in configuring the Graph API is creating a Client ID and Client Secret. To create these items, from the Azure Portal, follow the steps below.
Select the application created above.
Click Certificates & Secrets, and then click Client Secrets.
Click New client secret. The "Add a client secret" window appears.
Enter a 'Description' for this client secret.
Select the desired expiry period from the 'Expires' drop-list.
Click Add.
Copy the 'Value' field, which will be used to initialize the beat.
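To show how the pieces collected above fit together (tenant ID, client ID, client secret, the AttackSimulation.Read.All application permission and the three report endpoints), here is a small client that performs the OAuth 2.0 client-credentials grant against Entra and then pages through each report. It is an added example, not code from the page or from the beat it describes. The tenant, client ID and secret are placeholders read from environment variables, and the HTTP transport is injectable so the token and paging logic can be exercised offline with a constructed fake response set; the Graph error body, the token-endpoint URL and the `.default` scope are standard Graph/Entra behaviour.

```python
"""Client-credentials (OAuth 2.0) access to the three Graph report endpoints above.

Added example, not part of the original page. Tenant, client ID and secret are
placeholders read from the environment; the HTTP transport is a parameter so the
logic can be driven offline with constructed responses.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # uses the app permissions granted by admin consent
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
REPORT_ENDPOINTS = (
    "/reports/security/getAttackSimulationRepeatOffenders",
    "/reports/security/getAttackSimulationSimulationUserCoverage",
    "/reports/security/getAttackSimulationTrainingUserCoverage",
)


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, body) for the client-credentials grant; the secret travels only in the POST body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def parse_token_response(raw):
    """Extract the bearer token, surfacing Entra's error fields instead of a bare KeyError."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def urllib_transport(url, headers, body=None):
    """Default transport: GET, or POST when a body is given. Returns response bytes, error bodies included."""
    req = urllib.request.Request(url, data=body, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        return exc.read()  # Graph and Entra put a JSON error document in the body


def fetch_report(endpoint, token, transport=urllib_transport):
    """Collect every row of one report, following @odata.nextLink until the last page."""
    url = GRAPH_BASE + endpoint
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    rows = []
    while url:
        data = json.loads(transport(url, headers))
        if "error" in data:
            err = data["error"]
            # A missing AttackSimulation.Read.All grant surfaces here as an authorization error.
            raise RuntimeError(f"{endpoint}: {err.get('code')}: {err.get('message')}")
        rows.extend(data.get("value", []))
        url = data.get("@odata.nextLink")
    return rows


def collect_all(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Obtain one token and pull all three reports with it, keyed by report name."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    token = parse_token_response(
        transport(url, {"Content-Type": "application/x-www-form-urlencoded"}, body))
    return {ep.rsplit("/", 1)[-1]: fetch_report(ep, token, transport) for ep in REPORT_ENDPOINTS}


if __name__ == "__main__":
    # Placeholders: the values copied from the app's Overview page and the secret's 'Value' field.
    result = collect_all(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    for name, rows in result.items():
        print(f"{name}: {len(rows)} rows")
```

The secret is read from the environment rather than written into the script, and a single token is reused for all three calls, which keeps the number of credential presentations to the token endpoint at one per collection run.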