Microsoft Defender
Introduction

This guide explains how to authenticate the Microsoft Defender connector in Swimlane using OAuth 2.0 client credentials. You will create an Azure application, assign the required API permissions, collect the necessary identifiers, and configure the connector in Swimlane.

Azure Access Requirements

You must have Azure permissions to:
- register applications in Azure AD
- assign API permissions
- grant admin consent
- generate client secrets

Required Credentials

During setup, you will collect:
- Client ID
- Client Secret
- Token URL
- Base Defender API URL
- Defender permission scope

Azure Setup

Take the following steps to register the application:
1. Navigate to Azure Portal > Azure Active Directory > App registrations.
2. Click New registration.
3. Enter an application name.
4. Choose Accounts in this organizational directory only.
5. Click Register.

Take the following steps to assign API permissions:
1. Open the API permissions tab.
2. Click Add a permission.
3. Select APIs my organization uses.
4. Search for WindowsDefenderATP.
5. Add the required Application permissions (not Delegated permissions; the connector authenticates as the application, with no signed-in user), such as:
   - Alert.Read.All
   - Alert.ReadWrite.All
   - Machine.Read.All
   - Machine.ReadWrite.All
   - AdvancedQuery.Read.All
6. Click Add permissions.
7. Click Grant admin consent.

Take the following steps to generate a client secret:
1. Navigate to Certificates & secrets.
2. Click New client secret.
3. Add a description and an expiration.
4. Copy and save the Value immediately; it is displayed only once. This saved value is the Client Secret (the Secret ID shown next to it is not the secret).

Take the following step to collect the required identifiers:
1. From App registration > Overview, copy the Client ID and the Tenant ID.

Connector Configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration, then click Assets. The Asset homepage opens.
3. Click the plus icon to open the Configure Your Connector Asset window.
4. Select Microsoft Defender from the Asset Type list.
5. Fill in the Asset Settings and Asset Input as shown in the table below.

Field          Description                                                                      Required
URL            Base Defender API URL                                                            Required
Token URL      https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token, with            Required
               {tenant id} replaced by the Tenant ID copied from the app registration
Client ID      Client ID from Azure                                                             Required
Client Secret  Client Secret from Azure                                                         Required
Scope          Defender permission scopes. With the client credentials grant on the v2.0        Required
               endpoint this is the API's /.default scope; the individual permissions are
               granted in Azure, not requested per token.
Verify SSL     Enable/disable SSL certificate verification                                      Optional
HTTP Proxy     Proxy configuration                                                              Optional

6. Click Create.

Troubleshooting

If you encounter a 403 Forbidden error:
- Ensure that admin consent has been granted.
- Check for missing required API permissions.
- Check for an incorrect permission type (Application vs. Delegated).

If you encounter a 401 Unauthorized error:
- Check whether you entered the correct client secret (the Value, not the Secret ID).
- Double-check the Tenant ID.
- Ensure the Token URL is formatted correctly.

If you encounter API errors during action execution:
- Check that the permission for that specific Defender API was added.
- Ensure the token includes the required scopes.

You have successfully authenticated the Microsoft Defender connector in Swimlane.
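The following script is an added example and is not Swimlane's or Microsoft's code. It reproduces what the connector does with the values from the table above (a client credentials POST to the Token URL) and then performs the check the troubleshooting section asks for: reading the roles claim of the returned app-only token to confirm the granted Defender permissions are actually present, and detecting a delegated token (scp claim) that results from adding permissions of the wrong type. The Defender API host, the /.default scope and the three permission names in REQUIRED_ROLES are assumptions for the demo; the offline demo token is constructed and unsigned.

```python
"""Added example: client-credentials token request plus a token-claims sanity check.
Not part of the Swimlane connector; the API host and scope are assumptions."""
import base64
import json
import urllib.parse
import urllib.request

# Assumptions for the demo: Defender for Endpoint API host and the v2.0 /.default
# scope convention. Replace with the Base Defender API URL used in your asset.
DEFENDER_API_BASE = "https://api.securitycenter.microsoft.com"
DEFENDER_SCOPE = DEFENDER_API_BASE + "/.default"
# Permissions the connector actions in this demo are assumed to need.
REQUIRED_ROLES = {"Alert.Read.All", "Machine.Read.All", "AdvancedQuery.Read.All"}


def build_token_url(tenant_id: str) -> str:
    """Return the Token URL in the exact form the connector expects.
    Rejects the placeholder (braces, URL-encoded braces, slashes, spaces) so a
    copy-pasted '{tenant id}' cannot silently produce a 401."""
    tenant_id = tenant_id.strip()
    bad = not tenant_id or "%7b" in tenant_id.lower() or any(c in tenant_id for c in "{}/ ")
    if bad:
        raise ValueError("tenant id must be the bare Tenant ID, not the '{tenant id}' placeholder")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def fetch_token(token_url: str, client_id: str, client_secret: str,
                scope: str = DEFENDER_SCOPE) -> dict:
    """POST the client credentials grant; returns the JSON body (access_token, expires_in, ...).
    This is the live call the connector makes; it is not invoked in the offline demo."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Read the payload only. The signature is NOT verified, so use this to
    inspect what Azure AD issued, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Application permissions granted with admin consent appear in the 'roles'
    claim of an app-only token. A token with 'scp' and no 'roles' was issued for
    Delegated permissions, i.e. the wrong permission type was added in Azure."""
    claims = decode_jwt_claims(token)
    if "scp" in claims and "roles" not in claims:
        raise ValueError("delegated (scp) token: permissions were added as Delegated, not Application")
    return set(required) - set(claims.get("roles", []))


def make_demo_token(roles) -> str:
    """Constructed, unsigned sample token for offline use; a real one comes from fetch_token()."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": DEFENDER_API_BASE, "roles": list(roles)}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    print(build_token_url("00000000-0000-0000-0000-000000000000"))
    # Token from an app that was granted only Alert.Read.All: the connector's
    # machine and advanced-hunting actions would return 403 on this token.
    partial = make_demo_token(["Alert.Read.All"])
    print("missing roles:", sorted(missing_roles(partial)))
```

To check a live token, call fetch_token(build_token_url(tenant_id), client_id, client_secret) and pass the returned access_token to missing_roles(); an empty set means admin consent and the permission type are correct for the listed roles, and any remaining 403 points at a permission the connector action needs that was not added.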