Dropzone AI Documentation

Last updated 3 days ago

Microsoft 365 / Microsoft Defender

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Microsoft 365 / Microsoft Defender services.

The Dropzone AI platform integrates with Entra ID, Exchange Online, and Microsoft Defender via the Microsoft Graph API. This document describes how to set up API credentials and install them into the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

  • Register a new application in Microsoft Entra Admin Center

  • Locate your Client ID, Tenant ID, and create a Client Secret

  • Enable Dropzone Certificate Credentials

  • Assign necessary API permissions to the application

  • Install the credentials into your Dropzone tenant (Data Source and Alert Source)

  • Select integration parameters, such as which alert types to sync

See the Microsoft Integrations page for instructions on how to register a new application, locate your Client ID and Tenant ID, and create a Client Secret.

Set Application Permissions

General instructions on how to assign API permissions to the application can be found on the Microsoft Integrations page.

The MS 365 / MS Defender integration can use the following APIs:

| API | Purpose |
|---|---|
| Microsoft Graph | Required for the integration to function |
| Microsoft Cloud Apps Security | Required to query investigations from Microsoft Cloud Apps. When enabled, Dropzone is able to analyze Cloud Apps events |
| Windows Defender ATP - Live Response | Required to extract quarantined files from Defender alerts. When enabled, Dropzone is able to independently analyze the files, which improves conclusion accuracy |
| Office 365 Exchange Online Management | Required to enable Office 365 Exchange Online Management, specifically to support retrieving quarantined emails during phishing analysis |

Microsoft Graph Permissions

  • In the API permissions page, click "Add a permission"

  • Under the Microsoft API header, select "Microsoft Graph"

  • Click "Application Permissions"

Add the following permissions:

| Permission | Purpose | Used By |
|---|---|---|
| AuditLog.Read.All | Retrieve audit information such as user MFA and administrator access status, for alert investigation and chat | Data Source Integration |
| Directory.Read.All | Retrieve directory information such as users, group membership, directory roles, etc., for alert investigation and chat | Data Source Integration |
| Mail.Read | Retrieve phishing emails for analysis; retrieve phishing alerts in some configurations | Alert Source and Data Source Integrations |
| ThreatHunting.Read.All | Investigate Microsoft Defender alerts | Alert Source Integration |
| SecurityAlert.Read.All | Pull Microsoft Defender alerts | Alert Source Integration |
| SecurityIncident.Read.All | Pull Microsoft Defender incidents and alerts | Alert Source Integration |
| ThreatSubmission.Read.All | Pull phishing alerts | Alert Source Integration |

  • Once done selecting all the permissions, click "Add permissions"

  • Click "Grant admin consent for [mycompany.net]"

  • Click "Yes"

Microsoft Cloud Apps Security Permissions

  • In the API permissions page, click "Add a permission"

  • Navigate to "APIs my organization uses"

  • Type "Microsoft Cloud App Security" in the search bar

  • Click "Microsoft Cloud App Security"

  • Click "Application permissions"

Add the following permissions:

| Permission | Purpose |
|---|---|
| investigation.read | Read Cloud App investigations |

  • Once done selecting all the permissions, click "Add permissions"

  • Click "Grant admin consent for [mycompany.net]"

  • Click "Yes"

Windows Defender ATP - Live Response

  • In the API permissions page, click "Add a permission"

  • Navigate to "APIs my organization uses"

  • Type "WindowsDefenderATP" in the search bar

  • Click "WindowsDefenderATP"

  • Click "Application permissions"

Add the following permissions:

| Permission | Purpose |
|---|---|
| File.Read.All | Read file details |
| Library.Manage | Extract quarantined files for analysis |
| Machine.LiveResponse | Extract quarantined files for analysis |
| Machine.Read.All | Read machine details |

  • Once done selecting all the permissions, click "Add permissions"

  • Click "Grant admin consent for [mycompany.net]"

  • Click "Yes"
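The three permission procedures above (Microsoft Graph, Microsoft Cloud App Security, WindowsDefenderATP) end with admin consent, and the only durable record of what consent actually granted is the set of appRoleAssignments on the app's service principal. The following is an added example, not Dropzone AI's code, that audits those grants against the permission tables on this page: it resolves each appRoleId to its role name through the resource service principal's appRoles list, then reports what is missing (the integration will fail) and what is surplus (a least-privilege finding). All sample objects are constructed and every GUID is a placeholder, not a real Microsoft role or object id.

```python
"""Audit an Entra app registration's granted application permissions.

Added example, not Dropzone AI's code. Granted application permissions live on
the client app's service principal as appRoleAssignments (appRoleId + resourceId);
the role *name* is obtained by looking up appRoleId in the resource service
principal's appRoles list. The sample objects below are constructed and the
GUIDs are placeholders, not Microsoft's real role or object ids.
"""
from dataclasses import dataclass, field

# Required application permissions from the tables on this page, keyed by the
# resource API's display name as shown under "APIs my organization uses".
REQUIRED = {
    "Microsoft Graph": {
        "AuditLog.Read.All", "Directory.Read.All", "Mail.Read",
        "ThreatHunting.Read.All", "SecurityAlert.Read.All",
        "SecurityIncident.Read.All", "ThreatSubmission.Read.All",
    },
    "Microsoft Cloud App Security": {"investigation.read"},
    "WindowsDefenderATP": {
        "File.Read.All", "Library.Manage",
        "Machine.LiveResponse", "Machine.Read.All",
    },
}


@dataclass
class AuditResult:
    missing: dict = field(default_factory=dict)     # resource -> required roles not granted
    extra: dict = field(default_factory=dict)       # resource -> granted roles not required
    unresolved: list = field(default_factory=list)  # appRoleIds that could not be named

    @property
    def ok(self) -> bool:
        return not self.missing and not self.unresolved


def resolve_granted(assignments, service_principals):
    """Turn appRoleAssignments into {resource display name: {role value, ...}}.

    `assignments`: the client app's service principal appRoleAssignments.
    `service_principals`: resource SP object id -> SP object carrying appRoles.
    Ids that cannot be mapped to a role name are collected, never silently dropped.
    """
    granted, unresolved = {}, []
    for a in assignments:
        sp = service_principals.get(a["resourceId"])
        role = None
        if sp is not None:
            role = next((r["value"] for r in sp["appRoles"] if r["id"] == a["appRoleId"]), None)
        if role is None:
            unresolved.append(a["appRoleId"])
            continue
        granted.setdefault(sp["displayName"], set()).add(role)
    return granted, unresolved


def audit(granted, unresolved=(), required=REQUIRED):
    """Compare granted roles per resource against the required set."""
    result = AuditResult(unresolved=list(unresolved))
    for res, need in required.items():
        lacking = need - granted.get(res, set())
        if lacking:
            result.missing[res] = lacking
    for res, have in granted.items():
        surplus = have - required.get(res, set())
        if surplus:
            result.extra[res] = surplus
    return result


def _sp(n, name, roles):
    """Constructed resource service principal with placeholder ids."""
    return {
        "id": f"00000000-0000-0000-0000-{n:012d}",
        "displayName": name,
        "appRoles": [
            {"id": f"00000000-0000-0000-{n:04d}-{i:012d}", "value": v,
             "allowedMemberTypes": ["Application"]}
            for i, v in enumerate(sorted(roles), start=1)
        ],
    }


def sample_audit():
    """Run the audit on constructed data: one Graph role missing, one surplus, MCAS never consented."""
    graph = _sp(1, "Microsoft Graph", REQUIRED["Microsoft Graph"] | {"User.Read.All"})
    mcas = _sp(2, "Microsoft Cloud App Security", REQUIRED["Microsoft Cloud App Security"])
    wdatp = _sp(3, "WindowsDefenderATP", REQUIRED["WindowsDefenderATP"])
    sps = {sp["id"]: sp for sp in (graph, mcas, wdatp)}

    def grant(sp, skip=()):
        return [{"resourceId": sp["id"], "appRoleId": r["id"], "principalId": "client-sp-placeholder"}
                for r in sp["appRoles"] if r["value"] not in skip]

    assignments = grant(graph, skip={"ThreatSubmission.Read.All"}) + grant(wdatp)
    return audit(*resolve_granted(assignments, sps))


if __name__ == "__main__":
    r = sample_audit()
    print("ok:", r.ok, "missing:", r.missing, "extra:", r.extra, "unresolved:", r.unresolved)
```

In a live tenant the two inputs come from Microsoft Graph: the client service principal's `appRoleAssignments` collection supplies `assignments`, and each distinct `resourceId` is fetched as a service principal to obtain its `appRoles`. An empty `appRoleAssignments` collection after following the steps above means "Grant admin consent" was never completed for that API.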

Locate Organization ID

  • In the left navigation, select Manage > Custom domain names

  • In the domain list you'll find one that ends in .onmicrosoft.com. Record this domain for use later in the Dropzone UI where it is called "Organization ID"

Locate Cloud Apps Information

  • In the left navigation, select Settings

  • Select Cloud Apps

Record the "API URL" for use later in the Dropzone UI where it is called "Portal URL".

Enable The Dropzone Data Source Integration

The Data Source integration allows Dropzone AI to interact with Entra ID, Exchange Online, and Microsoft Defender to gather information for use in investigation analysis and interactive chat.

You'll need the following information:

| Dropzone Field | Source |
|---|---|
| Client ID | The "Application (client) ID" from the Application Overview |
| Tenant ID | The "Directory (tenant) ID" from the Application Overview |
| Client Secret | The client secret "value" from the client secret page |
| Portal URL | Defender Cloud Apps API URL |

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom-left corner, click Settings > Integrations

  • Click "Available"

  • In the Search bar, search MS 365/Defender, then click "Configure"

  • Under the Data Source heading, input the Client ID, Tenant ID, and Client Secret

  • Input your Cloud Apps Portal URL

  • If you wish, you may enable LiveResponse

  • Click "Test & Save" to finish

If you encounter any errors, engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

The Alert Source integration allows Dropzone AI to pull alerts from Exchange Online and Microsoft Defender for investigation.

You'll need the following information:

| Dropzone Field | Source |
|---|---|
| Client ID | The "Application (client) ID" from the Application Overview |
| Tenant ID | The "Directory (tenant) ID" from the Application Overview |
| Client Secret | The client secret "value" from the client secret page |

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom-left corner, click Settings > Integrations

  • Click "Available"

  • In the Search bar, search MS 365/Defender, then click "Configure"

  • Under the Alert Source heading, input the Client ID, Tenant ID, and Client Secret

  • Select whether you want to ingest alerts or incidents from Microsoft Defender

  • If you chose to ingest alerts, select which alert types you wish to ingest

If you are enabling the PowerShell API integration to retrieve quarantined emails for phishing analysis:

  • Find the section "PowerShell API Configuration (Advanced)"

  • Click "Enable PowerShell API"

  • Enter the Organization ID you saved earlier (ends in .onmicrosoft.com)

  • Click "Test & Save" to finish

You should begin ingesting alerts immediately.

If you encounter any errors, engage your Dropzone AI support representative.
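When alerts do not start arriving after "Test & Save", the first thing to establish is whether the credentials installed above actually yield tokens carrying the permissions in the tables on this page. With application permissions, the granted roles appear in the access token's `roles` claim and `aud` names the resource. The following is an added example, not Dropzone AI's code, that decodes a Graph access token's payload (no signature verification; the aim is to read the claims, not to trust the token) and reports which of the two integrations the token can serve. The sample token is constructed with placeholder tenant and client ids and a dummy signature.

```python
"""Read the permissions a Microsoft Graph access token actually carries.

Added example, not Dropzone AI's code. Decodes the JWT payload only (no
signature check) and compares the `roles` claim against what each Dropzone
integration needs per the "Used By" column on this page. The sample token is
constructed: placeholder ids, dummy signature.
"""
import base64
import json
import time

# Roles each Dropzone integration needs, per the "Used By" column above.
NEEDED = {
    "Data Source": {"AuditLog.Read.All", "Directory.Read.All", "Mail.Read"},
    "Alert Source": {
        "Mail.Read", "ThreatHunting.Read.All", "SecurityAlert.Read.All",
        "SecurityIncident.Read.All", "ThreatSubmission.Read.All",
    },
}
# Microsoft Graph's audience appears either as its URL or as its application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict; raises ValueError on a malformed token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, now=None) -> dict:
    """Summarise audience, expiry, granted roles, and what each integration still lacks."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "expired": float(claims.get("exp", 0)) <= now,
        "roles": roles,
        "missing": {name: need - roles for name, need in NEEDED.items() if need - roles},
    }


def make_sample_token(roles, aud="https://graph.microsoft.com", exp=2_000_000_000) -> str:
    """Constructed token for offline use: real claim names, placeholder ids, dummy signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
        "exp": exp,
        "appid": "CLIENT-ID-PLACEHOLDER",
        "roles": sorted(roles),
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.dummy-signature"


if __name__ == "__main__":
    # A token consented only for the Data Source roles: Alert Source is reported as lacking.
    tok = make_sample_token(NEEDED["Data Source"])
    print(check_token(tok, now=1_700_000_000))
```

A real token for this check is obtained with the client-credentials flow using the same Client ID, Tenant ID and Client Secret installed above. An empty `roles` claim with a valid audience is the signature of a registration whose permissions were added but never admin-consented.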

Sign in to Entra home as an administrator.

Go to https://security.microsoft.com/

If your license does not support using Advanced Hunting Query, check to disable
Screenshots on the original page (captions only): Select Microsoft Graph; Select Application Permissions; Example - setting User.Read.All MSGraph Permission; Grant admin consent; Microsoft Cloud App Security; WindowsDefenderATP; Azure Custom Domain Names; Azure Custom Domain Names List; Defender Cloud Apps API URL; Integrations Dropdown; Click Available; The Microsoft 365/Defender Tile; The Microsoft 365/Defender Data Configuration (pt 1); The Microsoft 365/Defender Source Tile; Configure the Alert Source; Configure PowerShell.