Microsoft Defender for Cloud Apps Monitoring

Updated Sep 27, 2023

Configure Microsoft Defender for Cloud Apps monitoring

This document describes how to retrieve the credentials needed to monitor the logs from your Microsoft Defender for Cloud Apps® environment, previously known as Microsoft Cloud App Security (MCAS), using the Microsoft Graph API.

Notes:

  • Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.

As part of this configuration, you must provide this registration information about your Defender for Cloud Apps application from the Microsoft Azure Portal to Arctic Wolf® using the Arctic Wolf Portal:

Before you begin

This process requires that you have a:

Register the application

Registering an application in the Microsoft Azure Portal creates the necessary credentials to allow Arctic Wolf to properly retrieve logs from your Defender for Cloud Apps environment.

  1. Sign in to the Microsoft Azure Portal.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select + New registration.

  5. Enter a memorable name for the application in the Name field.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: Leave all other fields as their defaults.

  7. Click Register. This opens the page for the newly registered application.

  8. Record the Application (client) ID and Directory (tenant) ID values to provide to Arctic Wolf in a later step.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the Client Secret.

    2. Select your desired option for the Expires field.

      Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    3. Click Add.

  11. Verify that your new Client Secret appears in the Client secrets section, and then copy the Value field to a secure location. You must provide this value to Arctic Wolf later.

Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.

Note: Ensure that you copy the Value field before exiting the page, as this value is only viewable immediately after creation. Do not copy the Secret ID field.

  1. Proceed to Configure API permissions.

Configure API permissions

To configure API permissions for the registered application:

  1. In the navigation pane, under Manage, click API permissions.

  2. Find the User.Read permission which is enabled by default, and then click Menu to open the menu.

  3. Click Remove permission and then click Yes, remove.

  4. In the Configured permissions section, click + Add a permission.

  5. In the Select an API section, click Microsoft APIs, and then, in the Commonly used Microsoft APIs section, click Microsoft Graph.

  6. Click Application permission to open the permission type list.

  7. Search for these permissions types and select the corresponding checkbox for each to allow appropriate permissions:

    • SecurityActionsSecurityActions.Read.All
    • SecurityEventsSecurityEvents.Read.All
    • OrganizationOrganization.Read.All
  8. Click Add permissions to apply. This returns you to the API permissions page where the new permissions appear in a list.

  9. In the Configured permissions section, click Grant admin consent for <Organization Name>, and then click Yes to confirm the change.

    Tip: If you cannot select Grant admin consent, your user account does not have the appropriate permissions. You must sign in with the appropriate account to proceed.

  10. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Defender for Cloud Apps.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Register the application:
      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret
    3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.