Configuring Microsoft Defender for Cloud Apps

Configuration Guide

Updated Nov 30, 2022

Configuring Microsoft Defender for Cloud Apps

Overview Direct link to this section

This document describes how to retrieve the credentials needed to monitor the logs from your Microsoft Defender for Cloud Apps environment, previously known as Microsoft Cloud App Security (MCAS), using the Microsoft Graph API.

Notes:

As part of this configuration, you must provide the following registration information about your Defender for Cloud Apps application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:

Before you begin Direct link to this section

This process requires that you have a:

Register the application Direct link to this section

Registering an application in the Microsoft Azure Portal creates the necessary credentials to allow Arctic Wolf to properly retrieve logs from your Defender for Cloud Apps environment.

  1. Sign in to the Microsoft Azure Portal.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select New registration to open the Register an application page.

  5. Enter a memorable name for the application in the Name text box.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: Leave all other fields as their defaults.

  7. Click Register. This opens the page for the newly registered application.

  8. Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret.

    2. Select your desired option for the Expires field.

      Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    3. Click Add.

  11. Verify that your new client secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf as part of Provide credentials to Arctic Wolf.

Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.

Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field.

  1. Proceed to Configure API permissions.

Configure API permissions Direct link to this section

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, select API permissions.

  2. Find the User.Read permission which is enabled by default, and then click ... to open the menu.

  3. Select Remove permission and then select Yes, remove.

  4. In the Configured permissions section, click +Add a permission to open the Request API permissions page.

  5. In the Select an API section, select Microsoft APIs, and then, in the Commonly used Microsoft APIs section, select Microsoft Graph.

  6. Select Application permission to open the permission type list.

  7. Search for the following permissions types and select the corresponding checkbox for each to allow appropriate permissions:

    • SecurityActionsSecurityActions.Read.All
    • SecurityEventsSecurityEvents.Read.All
    • OrganizationOrganization.Read.All

  8. Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

    Tip: If you cannot select Grant admin consent, your user account does not have the appropriate permissions. You must sign in with the appropriate account to proceed.

  10. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf Direct link to this section

To provide your application registration details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Defender for Cloud Apps from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values from steps 7 and 10 of Register the application:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.