Configuring Microsoft Defender for Cloud Apps

Configuration Guide

Overview

This document describes how to retrieve the credentials needed to monitor the logs from your Microsoft Defender for Cloud Apps environment, previously known as Microsoft Cloud App Security (MCAS), using the Microsoft Graph API.

Note: Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.

As part of this configuration, you must provide the following registration information about your Defender for Cloud Apps application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:

Note: The Client Secret is only available to view during the application registration. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new Client Secret for the application.

Before you begin

This process requires that you have a:

Registering the application

Registering an application in the Microsoft Azure Portal creates the necessary credentials to allow Arctic Wolf to properly retrieve logs from your Defender for Cloud Apps environment.

To register the application:

  1. Sign in to the Microsoft Azure Portal console.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select New registration to open the Register an application page.

  5. Enter a memorable name for the application in the Name text box.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: You can leave all other fields as their default.

  7. Click Register. This opens the page for the newly registered application.

  8. Make note of these values:

    • Application (client) ID
    • Directory (tenant) ID

    Note: You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret.
    2. Select your desired option for the Expires field.

    Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    1. Click Add.
  11. Verify that your new client secret appears in the Client secrets section, and then copy the Client Secret to a secure location. You need to provide this value to Arctic Wolf as part of Providing credentials to Arctic Wolf.

    Note: This value is only available to view during the application registration.

Configuring application API permissions

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, select API permissions.

  2. Find the User.Read permission which is enabled by default, and then click ... to open the menu.

  3. Select Remove permission and then select Yes, remove.

  4. In the Configured permissions section, click +Add a permission to open the Request API permissions page.

  5. In the Select an API section, select Microsoft APIs, and then, in the Commonly used Microsoft APIs section, select Microsoft Graph.

  6. Select Application permission to open the permission type list.

  7. Search for the following permissions types and select the corresponding checkbox for each to allow appropriate permissions:

    • SecurityActionsSecurityActions.Read.All
    • SecurityEventsSecurityEvents.Read.All
    • OrganizationOrganization.Read.All
  8. Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

    Tip: If you cannot select Grant admin consent, your user account does not have the appropriate permissions. You must sign in with the appropriate account to proceed.

Providing credentials to Arctic Wolf

To provide your application registration details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Defender for Cloud Apps from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values from steps 7 and 10 of Registering the application:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret
  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your application environment, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.