Microsoft Defender for Office 365

TL;DR

To integrate Microsoft Defender for Office 365 with Query:

  • Set up the required connection parameters in the Microsoft Graph Security API as described in the 'Prerequisites' section of this document.
  • Add a Microsoft Defender for Office 365 connection source in Query with the connection parameters.
  • Test the integration with Test connection link.
  • Perform searches for malicious email by looking up the sender.

Overview

Microsoft Defender for Office 365 safeguards your organization against malicious threats from email messages, links (URLs), and collaboration tools. By integrating with Query, you can:

  • Search for malicious emails using to, cc, and subject as search parameters.

Prerequisites

Configuring the Microsoft Graph Security API to access Defender for Office 365 data

Complete the following steps to use the APIs and create the connection credentials. The Defender API can be accessed in Application Context or User Context; Query needs the Application Context to perform searches.

  • Create an Azure Active Directory application.
  • Get an access token using this application.

Microsoft Graph API permissions

The following API permissions at a minimum are necessary for Query.

  • ThreatHunting.Read.All
  • User.Read.All

Azure AD Application Connection Parameters

Make sure you have the following connection parameters from Microsoft Graph before adding Defender for Office 365 as a connection source in Query.

  • Server URL - The API access URL
  • Tenant ID - Azure Tenant ID
  • Client ID - Azure Client/Application ID
  • Client Secret - Azure Client Secret
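The following script is an added example, not Query's own code or Microsoft's: it shows what the connection parameters above are used for, namely an application-context (client-credentials) token request with the Tenant ID, Client ID and Client Secret, followed by a sender lookup of the kind the integration performs, sent to the Server URL as a Microsoft Graph advanced hunting query (the `runHuntingQuery` action, which is the endpoint that requires ThreatHunting.Read.All). The token and hunting endpoint paths and the EmailEvents column names are the public Microsoft Graph ones; the tenant and client values, the `phisher@example.com` sender and the sample response are constructed placeholders. The sender address is validated before it is interpolated into the KQL string, because in the integration it is user-supplied search input.

```python
# Added example (not Query's or Microsoft's code). Placeholders are marked.
import json
import re
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Plain address shape; anything else (quotes, pipes, spaces) is rejected.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_token_request(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant for the tenant's v2.0 token endpoint.

    Returns (url, form-encoded body). The .default scope requests the
    application permissions consented on the app registration.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def get_access_token(tenant_id, client_id, client_secret):
    """Perform the token request (network call; not run offline)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def is_valid_sender(sender):
    """True only for a plain email address; used as the KQL injection guard."""
    return isinstance(sender, str) and _ADDRESS_RE.fullmatch(sender) is not None


def build_sender_query(sender, days=7, limit=100):
    """KQL returning EmailEvents rows from one sender address."""
    if not is_valid_sender(sender):
        raise ValueError(f"not a plain email address: {sender!r}")
    if not (1 <= int(days) <= 30 and 1 <= int(limit) <= 10000):
        raise ValueError("days must be 1..30 and limit 1..10000")
    return (
        "EmailEvents\n"
        f"| where Timestamp > ago({int(days)}d)\n"
        f"| where SenderFromAddress =~ '{sender}'\n"
        "| project Timestamp, NetworkMessageId, SenderFromAddress, "
        "RecipientEmailAddress, Subject, ThreatTypes, DeliveryAction\n"
        f"| take {int(limit)}"
    )


def run_hunting_query(token, query, server_url="https://graph.microsoft.com"):
    """POST the query to Graph's runHuntingQuery action (network call)."""
    req = urllib.request.Request(
        f"{server_url.rstrip('/')}/v1.0/security/runHuntingQuery",
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def summarize_results(response):
    """Count returned rows and tally them by ThreatTypes ("None" when empty)."""
    rows = response.get("results", [])
    tally = {}
    for row in rows:
        key = row.get("ThreatTypes") or "None"
        tally[key] = tally.get(key, 0) + 1
    return {"rows": len(rows), "by_threat_type": tally}


# Constructed sample response in the shape runHuntingQuery returns.
SAMPLE_RESPONSE = {
    "schema": [{"name": "Timestamp", "type": "DateTime"},
               {"name": "ThreatTypes", "type": "String"}],
    "results": [
        {"Timestamp": "2024-01-05T09:12:00Z", "SenderFromAddress": "phisher@example.com",
         "RecipientEmailAddress": "a@contoso.example", "Subject": "Invoice",
         "ThreatTypes": "Phish", "DeliveryAction": "Blocked"},
        {"Timestamp": "2024-01-05T09:13:00Z", "SenderFromAddress": "phisher@example.com",
         "RecipientEmailAddress": "b@contoso.example", "Subject": "Invoice",
         "ThreatTypes": "Phish", "DeliveryAction": "Delivered"},
        {"Timestamp": "2024-01-06T11:00:00Z", "SenderFromAddress": "phisher@example.com",
         "RecipientEmailAddress": "c@contoso.example", "Subject": "Hello",
         "ThreatTypes": "", "DeliveryAction": "Delivered"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed response; with real placeholder
    # values replaced, get_access_token + run_hunting_query would fetch live rows.
    print(build_sender_query("phisher@example.com", days=3, limit=50))
    print(summarize_results(SAMPLE_RESPONSE))
```

The summary distinguishes rows that Defender already classified (ThreatTypes set) from rows it did not, and the DeliveryAction column shows whether a flagged message was blocked or reached the mailbox, which is the detail an analyst wants when the Test connection succeeds and the first real sender search runs.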

Adding a connection source in Query

  1. Go to the Connections page, click Add Connections, and select the Microsoft Defender for Office 365 source from the Endpoint category.
  2. In the General tab, add the following details:
    • Server URL - The API access URL
    • Tenant ID - Azure Tenant ID
    • Client ID - Azure Client/Application ID
    • Client Secret - Azure Client Secret
  3. Click the Save button on the top right corner of the screen to save the connection source.
  4. To test the connection credentials, click 'Test Connection'. You will see a successful connection message if the credentials are valid. If the test fails, check that the connection parameters are correct, fix any that are wrong, and retest.

Resources