Microsoft 365 / Microsoft Defender
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Microsoft 365 / Microsoft Defender services.
The Dropzone AI platform integrates with Entra ID, Exchange Online, and Microsoft Defender via the Microsoft Graph API. This document describes how to set up API credentials and install them into the Dropzone platform.
Integration Overview
To enable these integrations you will perform the following actions:
Register a new application in Microsoft Entra Admin Center
Locate your Client ID, Tenant ID, and create a Client Secret
Enable Dropzone Certificate Credentials
Assign necessary API permissions to the application
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
See the Microsoft Integrations page for instructions on how to register a new application, locate your Client ID and Tenant ID, and create a Client Secret.
Set Application Permissions
General instructions on how to assign API permissions to the application can be found in the Microsoft Integrations page.
MS 365/MS Defender can utilize the following APIs:
Microsoft Graph
Required for the integration to function
Microsoft Cloud App Security
Required to query investigations from Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). When enabled, Dropzone is able to analyze cloud apps events
Windows Defender ATP - Live Response
Required to extract quarantined files from Defender alerts. When enabled, Dropzone is able to independently analyze the files, which improves conclusion accuracy
Office 365 Exchange Online Management
Required to retrieve quarantined emails from Exchange Online during phishing analysis (the "PowerShell API" option in the Alert Source configuration)
Microsoft Graph Permissions
In the API permissions page, click "Add a permission"
Under the Microsoft APIs header, select "Microsoft Graph"
Click "Application permissions"
Add the following permissions (for each: the permission name, what Dropzone uses it for, and which integration needs it):
AuditLog.Read.All
  Purpose: Retrieve audit information such as user MFA and administrator access status, for alert investigation and chat
  Used by: Data Source Integration
Calendars.Read
  Purpose: Read Microsoft Calendar data, for use in investigations to determine user OOO / travel status
  Used by: Data Source Integration - Calendar Features
Calendars.ReadBasic.All
  Purpose: Retrieve basic calendar information, for use in investigations to determine user OOO / travel status
  Used by: Data Source Integration - Calendar Features
MailboxSettings.Read
  Purpose: Retrieve mailbox settings, such as OOO or vacation status
  Used by: Data Source Integration - Calendar Features
Presence.Read.All
  Purpose: Retrieve presence information, such as availability status and location
  Used by: Data Source Integration - Calendar Features
Directory.Read.All
  Purpose: Retrieve directory information such as users, group membership and directory roles, for alert investigation and chat
  Used by: Data Source Integration
Mail.Read
  Purpose: Retrieve phishing emails for analysis; retrieve phishing alerts in some configurations
  Used by: Alert Source and Data Source Integrations
ThreatHunting.Read.All
  Purpose: Run Advanced Hunting queries when investigating Microsoft Defender alerts
  Used by: Alert Source Integration
SecurityAlert.Read.All
  Purpose: Pull Microsoft Defender alerts
  Used by: Alert Source Integration
SecurityIncident.Read.All
  Purpose: Pull Microsoft Defender incidents
  Used by: Alert Source Integration
ThreatSubmission.Read.All
  Purpose: Pull phishing alerts (user-reported threat submissions)
  Used by: Alert Source Integration

The four "Calendar Features" permissions are only needed if you enable "Calendar, Presence & Mailbox Settings Access" in the Data Source configuration below; leave them out if you do not intend to turn that feature on.
Once done selecting all the permissions, click "Add permissions"
Click "Grant admin consent for [mycompany.net]"
Click "Yes"
Microsoft Cloud App Security Permissions
In the API permissions page, click "Add a permission"
Navigate to "APIs my organization uses"
Type "Microsoft Cloud App Security" in the search bar
Click "Microsoft Cloud App Security"
Click "Application permissions"
Add the following permissions:
investigation.read
  Purpose: Read Cloud App investigations
Once done selecting all the permissions, click "Add permissions"
Click "Grant admin consent for [mycompany.net]"
Click "Yes"
Windows Defender ATP - Live Response Permissions
In the API permissions page, click "Add a permission"
Navigate to "APIs my organization uses"
Type "WindowsDefenderATP" in the search bar
Click "WindowsDefenderATP"
Click "Application permissions"
Add the following permissions:
File.Read.All
  Purpose: Read file details
Library.Manage
  Purpose: Manage the live response library (used to extract quarantined files for analysis)
Machine.LiveResponse
  Purpose: Run live response sessions on devices (used to extract quarantined files for analysis)
Machine.Read.All
  Purpose: Read machine details
Library.Manage and Machine.LiveResponse let the application open live response sessions against onboarded devices and upload files to the live response library, which includes running scripts from that library on endpoints. Grant this section only if you intend to enable LiveResponse in the Data Source configuration below, and protect the client secret accordingly.
Once done selecting all the permissions, click "Add permissions"
Click "Grant admin consent for [mycompany.net]"
Click "Yes"
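After consenting on all three APIs, it is worth confirming that the directory actually holds exactly the permissions listed above: a permission added to the registration but never consented fails silently at "Test & Save", and an over-broad permission widens what the client secret can do if it leaks. The following PowerShell script is an added example written for this page, not Dropzone's or Microsoft's code. It uses the Microsoft.Graph PowerShell SDK 2.x (Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment) and assumes the administrator running it can consent to the delegated Application.Read.All scope. The resource display names and permission names are those used on this page; Exchange Online permissions are not enumerated here, so any grants to that API are only reported for review.

```powershell
# Added example: audits the admin consent granted to the Dropzone app registration
# against the permissions listed on this page. Not Dropzone's or Microsoft's code.
# Assumes the Microsoft.Graph PowerShell SDK 2.x is installed and the signed-in admin
# can consent to the delegated Application.Read.All scope.
param(
    [Parameter(Mandatory)]
    [string]$ClientId    # the "Application (client) ID" from the app's Overview page
)

# Permissions this page lists, keyed by the resource API's display name (the same
# names shown under "APIs my organization uses"). Graph is mandatory; the other two
# are only needed for the Cloud Apps and Live Response features respectively.
$Expected = @{
    'Microsoft Graph' = @(
        'AuditLog.Read.All', 'Calendars.Read', 'Calendars.ReadBasic.All',
        'MailboxSettings.Read', 'Presence.Read.All', 'Directory.Read.All',
        'Mail.Read', 'ThreatHunting.Read.All', 'SecurityAlert.Read.All',
        'SecurityIncident.Read.All', 'ThreatSubmission.Read.All'
    )
    'Microsoft Cloud App Security' = @('investigation.read')
    'WindowsDefenderATP' = @(
        'File.Read.All', 'Library.Manage', 'Machine.LiveResponse', 'Machine.Read.All'
    )
}
$OptionalResources = @('Microsoft Cloud App Security', 'WindowsDefenderATP')

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# "Grant admin consent" materialises as appRoleAssignments on the app's own service
# principal, so that object (not the app registration) is the source of truth.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'" | Select-Object -First 1
if (-not $sp) { throw "No service principal for appId $ClientId in this tenant." }
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

# Each assignment carries only the resource SP id and an appRole GUID; resolve the
# GUID to a permission name through the resource's own AppRoles list.
$resourceCache = @{}
$granted = @{}   # resource display name -> permission names actually consented
foreach ($a in $assignments) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $res  = $resourceCache[$a.ResourceId]
    $role = $res.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId } | Select-Object -First 1
    if (-not $granted.ContainsKey($res.DisplayName)) { $granted[$res.DisplayName] = @() }
    $granted[$res.DisplayName] += $role.Value
}

foreach ($resource in $Expected.Keys) {
    $have = @($granted[$resource] | Where-Object { $_ })
    if ($have.Count -eq 0 -and $resource -in $OptionalResources) {
        Write-Host "[skip]    $resource : no grants (feature not enabled)"
        continue
    }
    $missing = @($Expected[$resource] | Where-Object { $_ -notin $have })
    $extra   = @($have | Where-Object { $_ -notin $Expected[$resource] })
    # Missing permissions break a feature; extra ones widen what a leaked client
    # secret can do and should be removed unless another integration needs them.
    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Host "[ok]      $resource"
    } else {
        if ($missing) { Write-Host "[missing] $resource : $($missing -join ', ')" }
        if ($extra)   { Write-Host "[extra]   $resource : $($extra -join ', ')" }
    }
}

# Grants to APIs this page does not list (for example Office 365 Exchange Online,
# whose permissions are documented elsewhere) are surfaced for manual review.
foreach ($resource in $granted.Keys | Where-Object { $_ -notin $Expected.Keys }) {
    $names = @($granted[$resource] | Where-Object { $_ }) -join ', '
    Write-Host "[review]  $resource : $names"
}
```

Run it with the Application (client) ID as the only argument after consent has been granted. A Microsoft Graph line marked [missing] means the integration will not function; a [missing] entry under WindowsDefenderATP is expected if you chose not to grant the Live Response section.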
Locate Organization ID
Sign in to the Microsoft Entra admin center as an administrator
In the left navigation, select Manage > Custom domain names
In the domain list you'll find one that ends in .onmicrosoft.com. Record this domain for use later in the Dropzone UI, where it is called "Organization ID".
Locate Cloud Apps Information
In the Microsoft Defender portal, select Settings in the left navigation
Select Cloud Apps
Record the "API URL" for use later in the Dropzone UI, where it is called "Portal URL".
Enable The Dropzone Data Source Integration
The Data source integration allows Dropzone AI to interact with Entra ID, Exchange Online, and Microsoft Defender to gather information for use in investigation analysis and interactive chat.
You'll need the following information:
Client ID
The "Application (client) ID" from the Application Overview
Tenant ID
The "Directory (tenant) ID" from the Application Overview
Client Secret
The client secret "value" from the client secret page
Portal URL
The Defender for Cloud Apps "API URL" recorded earlier
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations
Click "Available"
In the Search bar, search MS 365/Defender, then click "Configure"
Under the Data Source heading, input the Client ID, Tenant ID, and Client Secret
Input your Cloud Apps Portal URL
If you wish, enable LiveResponse (requires the WindowsDefenderATP permissions granted above)
If your license does not include Advanced Hunting, check the box to disable Advanced Hunting queries (this is what ThreatHunting.Read.All is used for)
Under "Calendar Features", if you wish to enable Dropzone's AI analyst to determine user location (such as OOO or travel status) for use in investigations, check the box labeled "Enable Calendar, Presence & Mailbox Settings Access"
Click "Test & Save" to finish
If you encounter any errors, engage your Dropzone AI support representative.
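Both the Data Source and the Alert Source consume the same three values, and the most common failure at "Test & Save" is pasting the client secret's ID rather than its value, or a Tenant ID from the wrong directory. The script below is an added example (not Dropzone's code) that requests an app-only token for Microsoft Graph with those three values, using plain Invoke-RestMethod against the Microsoft identity platform token endpoint, and then decodes the token's roles claim so you can see which application permissions the token actually carries before entering the credentials into Dropzone. The parameter names and the Base64Url helper are mine; the token endpoint, the .default scope, the roles claim and the AADSTS error codes mentioned in the comments are Microsoft's.

```powershell
# Added example: exercises the Client ID / Tenant ID / Client Secret exactly as an
# app-only integration does (OAuth 2.0 client credentials grant for Microsoft Graph)
# and decodes the token's 'roles' claim. Not Dropzone's code; no SDK required.
param(
    [Parameter(Mandatory)][string]$TenantId,           # "Directory (tenant) ID"
    [Parameter(Mandatory)][string]$ClientId,           # "Application (client) ID"
    [Parameter(Mandatory)][securestring]$ClientSecret  # prompted for; never hard-code or log it
)

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments use the base64url alphabet and drop '=' padding; undo both.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

$body = @{
    client_id     = $ClientId
    client_secret = [Net.NetworkCredential]::new('', $ClientSecret).Password
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
try {
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
} catch {
    # Typical failures: AADSTS7000215 (invalid client secret; usually the secret ID
    # was copied instead of its value) and AADSTS700016 (app not found; wrong tenant
    # or client ID). The response body names the exact code.
    throw "Token request failed: $($_.ErrorDetails.Message)"
}

# The payload is the middle dot-separated segment. The signature is not verified
# here because the token is only inspected, never trusted for authorization.
$claims = ConvertFrom-Base64Url ($resp.access_token.Split('.')[1]) | ConvertFrom-Json
$roles  = if ($claims.PSObject.Properties['roles']) { @($claims.roles) } else { @() }

"Audience      : $($claims.aud)"
"Expires (UTC) : $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime)"
"Roles granted : $($roles.Count)"
$roles | Sort-Object | ForEach-Object { "  $_" }

# An app-only token with no roles means admin consent has not been granted for
# Microsoft Graph: the secret works, but every Graph call Dropzone makes will be denied.
if ($roles.Count -eq 0) { Write-Warning 'Token has no roles; grant admin consent and retry.' }
```

Save it under any name and run it with -TenantId and -ClientId, pasting the secret value at the prompt. The roles printed should match the Microsoft Graph permissions in the table above; a token request that succeeds with zero roles points at missing admin consent rather than at the credentials.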
Enable The Dropzone Alert Source Integration
The Alert source integration allows Dropzone AI to pull alerts from Exchange Online and Microsoft Defender for investigation.
You'll need the following information:
Client ID
The "Application (client) ID" from the Application Overview
Tenant ID
The "Directory (tenant) ID" from the Application Overview
Client Secret
The client secret "value" from the client secret page
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations
Click "Available"
In the Search bar, search MS 365/Defender, then click "Configure"
Under the Alert Source heading, input the Client ID, Tenant ID, and Client Secret
Select whether you want to ingest alerts or incidents from Microsoft Defender
If you chose to ingest alerts, select which alert types you wish to ingest
If you are enabling the PowerShell API integration to retrieve quarantined emails for phishing analysis:
Find the section "PowerShell API Configuration (Advanced)"
Click "Enable PowerShell API"
Enter the Organization ID you saved earlier (the domain ending in .onmicrosoft.com)
Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you encounter any errors, engage your Dropzone AI support representative.