Integrating Microsoft Defender API with ThreatDefence

This guide provides the steps to enable MSDefender API access in your ThreatDefence SIEM. You need access to the Microsoft 365 services and features mentioned in this guide, such as the Microsoft 365 Compliance Center and Azure Active Directory.

For MSDefender, you need Premium P1/P2 licenses from Microsoft. Our platform automatically adjusts and extracts the available security-event information according to your licensing tier.

Step 1: Grant API Permissions

  1. After creating the application ID and secret, as shown in the M365 Guide, grant permissions to access the MSDefender APIs.
  2. On your application page for ThreatDefence, select API Permissions > Add permission > APIs my organization uses, type WindowsDefenderATP, and then select WindowsDefenderATP.
  3. To add Microsoft Graph API permissions, click Application permissions and add the following permissions:
     Alert.Read.All
     Alert.ReadWrite.All
     Machine.Read.All
     Score.Read.All
     SecurityBaselinesAssessment.Read.All
     SecurityRecommendation.Read.All
     Software.Read.All
     Ti.Read.All
     Vulnerability.Read.All
     Incidents.Read.All
  4. Click Add Permissions.
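Before handing the Application ID and Tenant ID to the SIEM, it is worth confirming that the registration actually carries the permissions granted above (a forgotten admin consent is the usual reason a collector later fails with 403). The script below is an added example, not ThreatDefence's or Microsoft's code: it requests an access token for the Defender for Endpoint API with the client-credentials flow (the standard Entra ID v2.0 token endpoint and the `https://api.securitycenter.microsoft.com/.default` scope), reads the `roles` claim of that token, and reports which of the permissions listed in step 3 are missing. The tenant, client and secret values are placeholders you replace with your own; the token built by `make_sample_token` is constructed test data so the check can be exercised offline.

```python
"""Verify that a Defender for Endpoint app registration carries the
application permissions the guide asks for, by inspecting the ``roles``
claim of an access token obtained through the client-credentials flow."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions listed in step 3 of the guide.
REQUIRED_ROLES = frozenset({
    "Alert.Read.All",
    "Alert.ReadWrite.All",
    "Machine.Read.All",
    "Score.Read.All",
    "SecurityBaselinesAssessment.Read.All",
    "SecurityRecommendation.Read.All",
    "Software.Read.All",
    "Ti.Read.All",
    "Vulnerability.Read.All",
    "Incidents.Read.All",
})

# Default scope of the Microsoft Defender for Endpoint API.
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request (URL and form body) for the
    tenant's Entra ID v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Call the token endpoint and return the raw access token (needs network)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(access_token):
    """Return the application permissions (``roles`` claim) carried by a JWT.

    Only the payload is read; the signature is not verified because the
    token was just issued to us by the identity provider and we are
    auditing its contents, not accepting it from a third party."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Required permissions absent from the token, sorted for stable output.
    An empty list means the registration is ready to hand to the SIEM."""
    return sorted(required - token_roles(access_token))


def make_sample_token(roles):
    """Build an UNSIGNED sample JWT with the given roles. Constructed test
    data only; a real token comes from fetch_token()."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"roles": list(roles)})
    return ".".join([header, payload, ""])


if __name__ == "__main__":
    # Offline demonstration: a constructed token lacking two permissions.
    sample = make_sample_token(REQUIRED_ROLES - {"Ti.Read.All", "Incidents.Read.All"})
    print("missing:", missing_roles(sample))
    # Live check against your own tenant (placeholders, replace with real values):
    # print(missing_roles(fetch_token("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")))
```

Run it with real values once admin consent has been granted; if the list is non-empty, the consent step in the portal did not take effect for those permissions, and the token must be re-issued after fixing it, since Entra ID bakes the `roles` claim in at issuance time.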

Step 2: Configuration in ThreatDefence

  1. Provide the following client information to your ThreatDefence representative at support [at] threatdefence.com:
     • Application ID (Client ID) obtained in Step 1 or from the M365 Guide.
     • Tenant ID obtained in Step 1 or from the M365 Guide.

If you have any questions or need further assistance, please feel free to contact us at support [at] threatdefence.com.