In order to connect to a Defender API, an Azure Active Directory application must exist on Azure. Please see the steps for Creating an app to access Microsoft Defender for Endpoint without a user.
Before you begin, ensure you have:
- Created an Active Directory Application
- Logged in to your Azure Console instance with administrative privileges
- Clicked Certificates & secrets, added a description, and selected Add
- Kept the Secret value that appears; you will not be able to see it again
In order to query for data from the MS Defender API, you must enable the proper permissions.
- Click Manage > API permissions
- Add the following permissions:
  - Microsoft Threat Protection
    - Incident.Read
    - Incident.Read.All
  - WindowsDefenderATP
    - AdvancedQuery.Read.All
    - Alert.Read.All
    - Machine.Isolate
    - Machine.Read.All
    - Score.Read.All
    - Software.Read.All
  - Application Insights API
    - Data.Read
  - Azure Service Management
    - user_impersonation
  - Microsoft.Graph
    - Application.Read.All
    - Device.Read.All
- Make sure to Grant admin consent
Create your integration by supplying all of the required values below:
URL: The Base Endpoint URL for your App Registration, without the trailing "/api/". See https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list for help finding the correct API Endpoint URL. For example, https://api-us3.securitycenter.microsoft.com
ClientId: The Client Id gathered in step 3
ClientSecret: The Client Secret gathered in step 3
TenantId: The Tenant Id shown in the App Registration Console, gathered in step 3
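The following added example (not part of the original page or of the integration's own code) shows how the four values above are consumed: it normalizes the base URL so that a pasted "/api/" suffix is stripped, builds the client-credentials token request against the Microsoft identity platform v2.0 endpoint, and checks that the application permissions granted with admin consent actually appear in the token's `roles` claim. The scope value and the sample token are assumptions constructed for the demonstration; the tenant, client and secret strings are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed scope for the WindowsDefenderATP application permissions listed above.
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"
# Subset of the permissions from the setup steps that this check verifies.
REQUIRED_ROLES = {"AdvancedQuery.Read.All", "Alert.Read.All", "Machine.Read.All"}

def normalize_base_url(url: str) -> str:
    """Return the base endpoint without a trailing '/api' or '/', as the integration expects."""
    url = url.strip().rstrip("/")
    if url.lower().endswith("/api"):
        url = url[:-4]
    if not url.startswith("https://"):
        raise ValueError("Defender base URL must use https")
    return url

def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials request (app-only, no user) for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    })
    return url, body

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def missing_roles(access_token: str, required=REQUIRED_ROLES):
    """Application permissions granted with admin consent show up in the 'roles' claim;
    return the required ones that are absent. This only reads the payload and does NOT
    verify the signature, which is the API's job, so it is a setup check, not an auth check."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return sorted(set(required) - set(payload.get("roles", [])))

def _fake_token(roles):
    """Constructed, unsigned JWT used only to exercise missing_roles() offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    claims = {"aud": "https://api.securitycenter.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

if __name__ == "__main__":
    print(normalize_base_url("https://api-us3.securitycenter.microsoft.com/api/"))
    print(missing_roles(_fake_token(["Alert.Read.All"])))
```

If `missing_roles` reports anything on a real token, the usual cause is a permission that was added but never granted admin consent, or an app registered in the wrong tenant.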