Microsoft 365 / Microsoft Defender
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Microsoft 365 / Microsoft Defender services.
The Data Source is named "Entra ID / Exchange Online / Microsoft Defender".
The Alert Source is named "Exchange Online / Microsoft Defender".
The Dropzone AI platform integrates with Entra ID, Exchange Online, and Microsoft Defender via the Microsoft Graph API. This document describes how to set up API credentials and install them into the Dropzone platform.
Integration Overview
To enable these integrations you will perform the following actions:
Register a new application in Microsoft Entra Admin Center
Create credentials
Enable necessary permissions on the application
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
Register Dropzone Application in Microsoft Entra Admin Center
Microsoft's documentation for registering an application is available at https://learn.microsoft.com/en-us/graph/auth-register-app-v2
As an Admin, go to Entra home - https://entra.microsoft.com/#home
From the left sidebar, go to Identity > Applications > App registrations
Click New registration
On the "Register an application" page:
Name: "Dropzone AI"
Supported account types: "Accounts in this organizational directory only"
Leave "Redirect URI" as-is
Click "Register" to complete registering the application
Once registered, you will find yourself at the Application Overview of the new app you just created.
Record the "Application (client) ID" and "Directory (tenant) ID" for use later in the Dropzone UI where they are called "Client ID" and "Tenant ID" respectively.
Create Client Credentials
Microsoft's documentation for creating client credentials for an application is available at https://learn.microsoft.com/en-us/graph/auth-register-app-v2#add-credentials
From the Application overview page, click "Manage" > "Certificates & Secrets":
Click the "Client secrets" tab
Click the "+ New client secret" button
The "Add a client secret" panel opens from the side
Description: "Dropzone AI Integration Key"
Expires: Custom
Start: today's date
End: today + 2 years
Your Dropzone integration will stop working when the client secret expires. Consider setting a calendar reminder to update the key prior to expiration.
Click "Add" to finish adding client secret to the application
Record the "Value" for use later in the Dropzone UI where it is called "Client Secret"
This value is not shown after you leave this page - be sure to record it immediately.
Set Application Permissions
Setting the application permissions is done in two sections:
Microsoft Graph Permissions
Windows Defender ATP - Live Response
Setting Microsoft Graph Permissions
Return to the Application Overview for our new application
Applications > App Registration > All Applications > Dropzone AI
Click "API Permissions"
Click "Add a permission"
Select "Microsoft Graph"
Select "Application Permissions"
The table below lists the permissions we'll be adding and how they're used by the Dropzone platform.
| Permission | Purpose | Used By |
|---|---|---|
| | Retrieve audit information such as user MFA and administrator access status, for alert investigation and chat. | Data Source Integration |
| | Retrieve directory information such as users, group membership, directory roles, etc., for alert investigation and chat. | Data Source Integration |
| | Retrieve phishing emails for analysis; retrieve phishing alerts in some configurations | Alert Source and Data Source Integrations |
| | Investigating Microsoft Defender alerts | Alert Source Integration |
| | Pulling Microsoft Defender alerts | Alert Source Integration |
| | Pulling Microsoft Defender alerts | Alert Source Integration |
| | Pulling Phishing Alerts | Alert Source Integration |
For each Permission listed above
Type it in the "Select Permissions" box to filter the list
Expand the section that starts with the permission name by clicking the ">" icon
Click the checkbox
Do not click the "Add permissions" button yet!
Repeat for all the permissions in the list
Click "Add permissions" once done selecting all the permissions
You should now see the permissions, similar to the following:
Click "Grant admin consent for <your_company>"
Click "Yes" to confirm
Now you should see all the required permissions from the table above listed with a green check mark:
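An added verification step, not part of Dropzone's documentation or code: once admin consent is granted, an app-only token requested with the Client ID, Tenant ID and Client Secret from the steps above lists the granted application permissions in its `roles` claim, so comparing that claim against the permissions you added catches a missed checkbox or a consent that was never granted. The sample token is constructed locally and the role names in it are illustrative Microsoft Graph permissions I assumed, not the entries of the table; substitute the permissions you actually added.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for the client-credentials grant; POST it to get an app-only token."""
    body = urlencode({
        "client_id": client_id,          # "Application (client) ID"
        "client_secret": client_secret,  # secret "Value" recorded at creation time
        "scope": GRAPH_SCOPE,            # asks for every application permission granted to the app
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body

def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload segment for inspection only; this does NOT verify the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token: str, required: set) -> set:
    """Application permissions appear in the 'roles' claim only once admin consent is granted.
    Anything returned here is still unconsented (no green check mark) or was never added."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted

def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token for local testing only; Entra never issues one like this."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(payload).encode())}."

# Constructed sample: illustrative Graph permission names, with one expected role deliberately absent.
EXPECTED_ROLES = {"Directory.Read.All", "AuditLog.Read.All", "Mail.Read"}
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Directory.Read.All", "AuditLog.Read.All"],
})

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url, "\n", body)
    print("Roles still missing from the token:", missing_roles(SAMPLE_TOKEN, EXPECTED_ROLES))
```

The decode is inspection only and does not validate the signature; treat it as a configuration check, not as token validation.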
Enable Microsoft Cloud Apps Security
The following permissions are required to query investigations from Microsoft Cloud Apps. When enabled, Dropzone is able to analyze cloud apps events.
Return to the Application Overview for our new application
Applications > App Registration > All Applications > Dropzone AI
Click "API Permissions"
Click "Add a permission"
Click "APIs my organization uses"
Type "Microsoft Cloud App Security" in the search bar
Click "Microsoft Cloud App Security"
Click "Application permissions"
We will add the following permissions:
| Permission | Purpose |
|---|---|
| | Read Cloud App investigations |
For each Permission string listed above:
Type it in the "Select Permissions" box to filter the list
Expand the section that starts with the permission name by clicking the ">" icon
Click the checkbox
Do not click the "Add permissions" button yet!
Repeat for all the permissions in the list
Click "Add permissions" once done selecting all the permissions
Click "Grant admin consent for <your_company>"
Click "Yes" to confirm
You should now see the new permissions with a green check mark
Enable Windows Defender ATP - Live Response
The following permissions are required to extract quarantined files from Defender alerts. When enabled, Dropzone is able to independently analyze the files, which improves conclusion accuracy.
Return to the Application Overview for our new application
Applications > App Registration > All Applications > Dropzone AI
Click "API Permissions"
Click "Add a permission"
Click "APIs my organization uses"
Type "WindowsDefenderATP" in the search bar
Click WindowsDefenderATP
Click "Application permissions"
We will add the following permissions:
| Permission | Purpose |
|---|---|
| | Read file details |
| | Extract quarantined files for analysis |
| | Extract quarantined files for analysis |
| | Read machine details |
For each Permission string listed above:
Type it in the "Select Permissions" box to filter the list
Expand the section that starts with the permission name by clicking the ">" icon
Click the checkbox
Do not click the "Add permissions" button yet!
Repeat for all the permissions in the list
Click "Add permissions" once done selecting all the permissions
Click "Grant admin consent for <your_company>"
Click "Yes" to confirm
You should now see the new permissions with a green check mark
Gather Cloud Apps Information
In the left navigation, select Settings
Select Cloud Apps
Record the "API URL" for use later in the Dropzone UI where it is called "Portal URL".
Enable The Dropzone Data Source Integration
The Data source integration allows Dropzone AI to interact with Entra ID, Exchange Online, and Microsoft Defender to gather information for use in investigation analysis and interactive chat.
You'll need the following information:
| Dropzone Field | Source |
|---|---|
| Client ID | The "Application (client) ID" from the Application Overview |
| Tenant ID | The "Directory (tenant) ID" from the Application Overview |
| Client Secret | The client secret "Value" from the client secret page |
| Portal URL | Defender Cloud Apps API URL |
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
Find the "Entra ID" / "Exchange Online" / "Microsoft Defender" tile and click "Connect"
Input the Client ID, Tenant ID, and Client Secret, and the Cloud Apps Portal URL
If you wish to enable Live Response capability, check the "Use LiveResponse" box
Click "Test & Save" to finish
If you see any errors, engage your Dropzone AI support representative.
Enable The Dropzone Alert Source Integration
The Alert source integration allows Dropzone AI to pull alerts from Exchange Online and Microsoft Defender for investigation.
You'll need the following information:
| Dropzone Field | Source |
|---|---|
| Client ID | The "Application (client) ID" from the Application Overview |
| Tenant ID | The "Directory (tenant) ID" from the Application Overview |
| Client Secret | The client secret "Value" from the client secret page |
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click on "Alert Sources" in the top left corner
Find the "Exchange Online" / "Microsoft Defender" tile and click "Connect"
Input the Client ID, Tenant ID, and Client Secret
Check the alert sources you want to ingest
Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you see any errors, engage your Dropzone AI support representative.