Configuring Defender ATP

Configuration Guide

Overview

This document describes how to retrieve the credentials needed to monitor the logs from your Defender Advanced Threat Detection (ATP) environment, using the Microsoft Graph API.

Note: Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.

As part of this configuration, you must provide the following information about your Defender ATP application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:

Note: The Client Secret is only available to view during the application registration. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new Client Secret for the application.

Before you begin

This process requires that you are an administrator of a Microsoft account with one of the following licenses:

Registering the application

Registering your Defender ATP application in the Microsoft Azure Portal creates the necessary credentials and sets the correct permissions to allow Arctic Wolf to properly retrieve logs from your Defender ATP endpoints.

To register the application:

  1. Sign in to the Microsoft Azure Portal console.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select New registration to open the Register an application page.

  5. Enter a memorable name for the application in the Name text box.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: You can leave all other fields as their default.

  7. Click Register. This opens the page for the newly registered application.

  8. Make note of these values:

    • Application (client) ID
    • Directory (tenant) ID

    Note: You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret.
    2. Select your desired option for the Expires field.

    Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    1. Click Add.
  11. Verify that your new client secret appears in the Client secrets section, and then copy the Client Secret to a secure location. You need to provide this value to Arctic Wolf as part of Providing credentials to Arctic Wolf.

    Note: This value is only available to view during the application registration.

Configuring application API permissions

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, select API permissions.

  2. Find the User.Read permission which is enabled by default, and then click ... to open the menu.

  3. Select Remove permission and then select Yes, remove.

  4. In the Configured permissions section, click +Add a permission to open the Request API permissions page.

  5. In the Select an API section, select Microsoft APIs, and then, in the Commonly used Microsoft APIs section, select Microsoft Graph.

  6. Select Application permission to open the permission type list.

  7. Search for the following permissions types and check the corresponding checkboxes for each to allow appropriate permissions:

    • SecurityActionsSecurityActions.Read.All
    • SecurityEventsSecurityEvents.Read.All
    • OrganizationOrganization.Read.All
  8. Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

Providing credentials to Arctic Wolf

To provide your Defender ATP application registration details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Defender ATP from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values from steps 7 and 10 of Registering the application:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret
  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your Defender ATP environment, the status of your Defender ATP credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.