# Microsoft Defender Advanced Threat Protection Connector
## Overview

The Microsoft Defender connector allows for seamless integration with Swimlane Turbine, enabling automated security incident response and threat management. Microsoft Defender is a comprehensive endpoint security solution that provides real-time protection against a wide range of threats such as malware, phishing, and ransomware. The Microsoft Defender Turbine connector enables users to automate and orchestrate security workflows, enhancing threat detection and response capabilities within the Swimlane Turbine platform. By leveraging this integration, security teams can streamline incident management, perform in-depth investigations, and enforce security controls across their digital environment without manual intervention.

## Prerequisites

Before you can use the Microsoft Defender connector for Turbine, ensure you have the following prerequisites.

OAuth 2.0 client credentials authentication with these parameters:

- URL: endpoint URL for the Microsoft Defender API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: secret key generated for the application in Azure AD
- Scope: the scope of the access request, which specifies the resources that the application should access

Delegated flow authentication with these parameters:

- URL: endpoint URL for the Microsoft Defender API
- Tenant ID: directory (tenant) ID in Azure AD
- Username: the username of the user on behalf of whom the application is authenticating
- Password: the password for the specified username
- Client ID: application (client) ID registered in Azure AD
- Client Secret: secret key generated for the application in Azure AD

## Authentication Methods

OAuth 2.0 client credentials authentication with these parameters:

- URL: endpoint for the Microsoft Defender API
- Client ID: application ID registered in Azure AD
- Client Secret: key generated for the application in Azure AD
- Tenant ID or Token URL: at least one of these two parameters is required for authentication
  - Tenant ID: identifier for the Azure AD tenant
  - Token URL: token URL for Azure AD; it must start with https://login.microsoftonline.com/, followed by the tenant ID, and end with /oauth2/v2.0/token
- Scope: permissions the application requires

Delegated flow authentication with these parameters:

- URL: endpoint for the Microsoft Defender API
- Tenant ID: identifier for the Azure AD tenant
- Username: the username for delegated access
- Password: the password for delegated access
- Client ID: application ID registered in Azure AD
- Client Secret: key generated for the application in Azure AD
- Login URL (optional): login URL; the default value is https://login.microsoftonline.com
- Scope (optional): permissions the app requires

## Additional Notes About the Asset

Please make sure to pass at least one of Tenant ID or Token URL in the inputs for the asset.

## Asset and Permissions Setup

In order to set up the asset, you need the following:

- Azure application client ID
- Azure application client secret
- Azure tenant ID

Steps to create the Azure app:

1. Go to the App registrations page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose "Accounts in this organizational directory only", then click Register at the bottom.
4. Navigate to the API permissions tab in the left navigation menu.
5. Select Add a permission.
6. Select the "APIs my organization uses" tab, or whichever tab is relevant for the permissions you need.
7. Select the relevant options or permissions for the action you want to test or run, then mark all the permissions you need for the actions you are using (see the suggested permissions at the top of the asset setup section).
8. Click the Add permissions button at the bottom of the page.
9. Select "Grant admin consent for your organization"; your permissions should then look as shown below.
10. Navigate to the Certificates & secrets tab and select New client secret.
11. Fill out the description and expiration, then click the Add button at the bottom. The value of the secret you just created is the Client Secret needed for the Swimlane asset.
12. Navigate to the Overview tab in the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.

The Client ID, Tenant ID, and Client Secret described in the steps above are the credentials you need for the asset.

## Capabilities

The Microsoft Defender Advanced Threat Protection integration provides the following capabilities:

- Cancel Machine Action
- Create Alert
- Decode Generated Bearer Token
- Delete Indicator By Id
- Get Alert
- Get Alert Domains
- Get Alert Files
- Get Alert IPs
- Get Alert Machine Information
- Get Alert User Information
- Get Alerts
- Get Domain Related Alerts
- Get Domain Related Machines
- Get Domain Seen Organization
- Get Domain Statistics
- Get File Information
- Get File Related Alerts
- Get File Related Machines
- Get File Statistics
- Get Incident
- Get Incidents List
- Get Indicators
- Get Investigation
- Get Investigation Collection Package
- Get IP Related Alerts
- Get IP Related Machines
- Get IP Seen Organization
- Get IP Statistics
- Get Machine
- Get Machine Action
- Get Machine Logon Users
- Get Machine Related Alerts
- Get Machines
- Get User Related Alerts
- Get User Related Machines
- Get Vulnerability By Id
- Import Indicators
- Invoke Collection of Investigation Package
- Isolate Machine
- List All Remediation Activities
- List Devices By Vulnerability
- List Vulnerabilities
- List Vulnerabilities By Machine and Software
- Offboard Machine
- Query Advanced Hunting
- Remove App Restriction
- Restrict App Execution
- Run Antivirus Scan
- Run Query
- Start Investigation
- Stop and Quarantine File
- Submit Indicator
- Unisolate Machine
- Update Alert
- Update Incident By Id

## Notes

Use one of these scopes in the asset, depending on which API the action requires:

- https://api.securitycenter.microsoft.com/.default
- https://security.microsoft.com/mtp/.default

Whenever you use a particular action, please make sure you visit the relevant API docs and grant your application the permissions that action requires so that it runs without issues.

## Additional Information About Capabilities

The Microsoft Defender Advanced Threat Protection API allows the user to run queries against their enrolled systems. You can find information about the Advanced Hunting API at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api. Additionally, Microsoft has provided example queries at https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries.

## Installation Considerations

To utilize this connector, you must have access to an E5 license of Microsoft Defender ATP. Additionally, you must create a new application in Azure Active Directory.

Start a new trial of Microsoft Defender ATP (https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp) or use your existing license to access the API. If you have not done so already, please follow the initial setup instructions at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/licensing. Once you have Microsoft Defender ATP installed on a machine, create a new application in Azure Active Directory.

## Application Permissions

- Ti.ReadWrite.All: required for the Import Indicators action
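The following added example (not Swimlane's connector code) shows how the asset inputs described in the Authentication Methods and Notes sections fit together for the client-credentials flow: deriving or validating the Token URL so that the client secret can only ever be sent to login.microsoftonline.com, picking the scope that matches the configured API URL, and building the grant request body. The function names and sample values are assumptions; the token-URL rule and the two scope values are the ones stated on this page.

```python
"""Asset-configuration helpers for the Defender connector (added example, not Swimlane's code).

The token-URL rule and the two scope values come from this page; the function names and
the constructed sample values are assumptions.
"""
from urllib.parse import urlencode, urlparse

LOGIN_BASE = "https://login.microsoftonline.com/"

# Scope per API host, exactly as listed in the Notes section above.
SCOPES = {
    "api.securitycenter.microsoft.com": "https://api.securitycenter.microsoft.com/.default",
    "security.microsoft.com": "https://security.microsoft.com/mtp/.default",
}


def is_trusted_token_url(url):
    """True only for an HTTPS v2.0 token endpoint whose host is exactly login.microsoftonline.com.

    The parsed host is compared, not a string prefix, so a URL that merely *begins* with
    the expected text (user-info before another host, or a look-alike domain) is rejected
    and the client secret is never posted anywhere but Azure AD.
    """
    p = urlparse(url)
    return (p.scheme == "https" and p.netloc == "login.microsoftonline.com"
            and p.path.endswith("/oauth2/v2.0/token"))


def resolve_token_url(tenant_id=None, token_url=None):
    """Return the token endpoint; at least one of tenant_id / token_url is required."""
    if token_url:
        if not is_trusted_token_url(token_url):
            raise ValueError("token URL must be " + LOGIN_BASE + "<tenant id>/oauth2/v2.0/token")
        return token_url
    if tenant_id:
        return f"{LOGIN_BASE}{tenant_id}/oauth2/v2.0/token"
    raise ValueError("pass at least one of tenant_id or token_url")


def scope_for(api_url):
    """Pick the scope matching the API base URL configured on the asset."""
    host = urlparse(api_url).netloc
    if host not in SCOPES:
        raise ValueError(f"no known scope for host {host!r}")
    return SCOPES[host]


def client_credentials_body(client_id, client_secret, scope):
    """Form body of the OAuth 2.0 client-credentials grant (RFC 6749 section 4.4)."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})
```

Posting the returned body to the resolved token URL yields the bearer token that the Decode Generated Bearer Token action can then inspect for the granted scopes.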