Microsoft 365 Defender
This document describes how to integrate Microsoft 365 Defender with Google Security Operations (Google SecOps).
Integration version: 19.0
Use cases
Integrating Microsoft 365 Defender with Google SecOps can help you solve the following use cases:
Automated incident response: use the Google SecOps capabilities to automatically isolate the affected endpoint and initiate a scan for further compromise.
Phishing investigation and remediation: use the Google SecOps capabilities to automatically extract relevant information, such as the sender, subject, and attachments, and enrich it with threat intelligence data.
Vulnerability management: use the Google SecOps capabilities to automate vulnerability scanning and remediation workflows.
Compliance reporting and auditing: use the Google SecOps capabilities to automate the collecting and reporting of security data from Microsoft 365 Defender, simplifying compliance audits, and demonstrating adherence to security standards.
Alert prioritization and triage: use the Google SecOps capabilities to analyze alerts from Microsoft 365 Defender and prioritize them based on severity and potential impact.
Automated malware analysis: use the Google SecOps capabilities to automatically submit the sample of a malware that Microsoft 365 Defender has detected to a sandbox environment for dynamic analysis.
Before you begin
Before configuring the integration in the Google SecOps platform, complete the following steps:
Create the Microsoft Entra application.
Configure the API permissions for your app.
Create a client secret.
Create the Microsoft Entra application
To create the Microsoft Entra application, complete the following steps:
Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the application.
Click Register.
Save the Application (client) ID and Directory (tenant) ID values to use them later when configuring the integration parameters.
Configure the API permissions
To configure the API permissions for the integration, complete the following steps:
In the Azure portal, go to Manage > API Permissions > Add a permission.
In the Request API permissions window, select APIs my organization uses.
Select Microsoft Graph > Application permissions.
Select the following permissions:
SecurityAlert.Read.All
SecurityIncident.ReadWrite.All
Click Add permissions.
In the Request API permissions window, select APIs my organization uses.
Select Microsoft Threat Protection > Application permissions.
Select the following permission:
AdvancedHunting.Read.All
Click Add permissions.
Click Grant admin consent for
YOUR_ORGANIZATION_NAME
.When the Grant admin consent confirmation dialog appears, click Yes.
Create a client secret
To create a client secret, complete the following steps:
Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the
Client Secret
parameter value when configuring the integration.The client secret value is only displayed once.
Integrate Microsoft 365 Defender with Google SecOps
The Microsoft 365 Defender integration requires the following parameters:
Parameter | Description |
---|---|
Login API Root |
Required The login API root of the Microsoft 365 Defender instance. The default value is
|
Graph API Root |
Required The API root of the Microsoft Graph service. The default value is |
API Root |
Required
The API root of the Microsoft 365 Defender instance. The default value is |
Tenant ID |
Required
The Microsoft Entra ID (tenant ID) value of your Microsoft Entra ID account. |
Client ID |
Required
The application (client) ID value of your Microsoft Entra ID account. |
Client Secret |
Required
The client secret value of the Microsoft Entra ID application. |
Verify SSL |
Optional
If selected, the integration verifies that the SSL certificate for connecting to the Microsoft 365 Defender server is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Add Comment To Incident
Use the Add Comment To Incident action to add a comment to an incident in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Comment To Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident ID |
Required
The ID of the incident to add the comment to. |
Comment |
Required
The comment to add to the incident. |
Action outputs
The Add Comment To Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Comment To Incident action can return the following output messages:
Output message | Message description |
---|---|
Successfully added comment to incident INCIDENT_ID in Microsoft 365 Defender. |
The action succeeded. |
Error executing action "Add Comment To Incident". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Incident action:
Script result name | Value |
---|---|
is_success |
True or False |
Execute Custom Query
Use the Execute Custom Query action to execute a custom hunting query in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Custom Query action requires the following parameters:
Parameter | Description |
---|---|
Query |
Required
The query to execute in Microsoft 365 Defender for result filtering. |
Max Results To Return |
Optional
The maximum number of results to return from the query. The default value is `50`. |
Action outputs
The Execute Custom Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Custom Query action:
{"Results": [
{
"Timestamp": "2021-04-12T07:25:00Z",
"AlertId": "fa7a318954-6c4c-eaab-3200-08d8fd82af35",
"Title": "CC_Sensitive information",
"Category": "InitialAccess",
"Severity": "Medium",
"ServiceSource": "Microsoft Defender for Office 365",
"DetectionSource": "Microsoft Defender for Office 365",
"AttackTechniques": ""
}
]}
Output messages
The Execute Custom Query action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Execute Custom Query". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Custom Query action:
Script result name | Value |
---|---|
is_success |
True or False |
Execute Entity Query
Use the Execute Entity Query action to execute a hunting query that is based on entities in Microsoft 365 Defender.
This action uses a where
filter that is based on entities.
This action runs on the following Google SecOps entities:
IP Address
Host
User
Hash
URL
You can use the Execute Entity Query action to retrieve information that is related to entities, such as retrieve the results from a table and filter the results based on entities.
Unlike the Execute Query action that requires you to use specific formatting, the Execute Entity Query action doesn't use the query input.
When using the Execute Query action to retrieve the alerts that are related
to an endpoint, format the | where
clause as follows:
AlertInfo | where DeviceName == "Host-1" or IPAddress == "192.0.2.1" | top 100
by Timestamp desc
To retrieve the alerts that are related to an endpoint, the Execute Entity
Query action requires you to configure the Table
, IP Entity Key
,
Hostname Entity Key
, and Cross Entity Operator
parameters as follows:
Parameter | AlertInfo value |
---|---|
IP Entity Key |
IPAddress |
Hostname Entity Key |
DeviceName |
Cross Entity Operator |
OR |
To check how many endpoints the provided hashes affect, the Execute Entity
Query action requires you to enter the SHA1
value for the
File Hash Entity Key
parameter.
The Cross Entity Operator
only impacts the query when you configure multiple
values for the Entity Keys
parameter.
Action inputs
The Execute Entity Query action requires the following parameters:
Parameter | Description |
---|---|
Table Names |
Required
A comma-separated list of tables to query in Microsoft 365 Defender. |
Time Frame |
Optional
The time period for the query results. The default value is The possible values are as follows:
|
Start Time |
Optional
The start time for the query results. If you set the |
End Time |
Optional
The end time for the query results. If you don't set a value and
set the |
Fields To Return |
Optional
A comma-separated list of fields to include in the results. |
Sort Field |
Optional
The field to sort the results by. The default value is |
Sort Order |
Optional
The order to sort the results (ascending or descending). The default value is The possible values are as follows:
|
Max Results To Return |
Optional
The maximum number of results to return. The default value is |
IP Entity Key |
Optional
The key to use for filtering by the |
Hostname Entity Key |
Optional
The key to use for filtering by the |
File Hash Entity Key |
Optional
The key to use for filtering by the |
User Entity Key |
Optional
The key to use for filtering by the |
URL Entity Key |
Optional
The key to use for filtering by the |
Email Address Entity Key |
Optional
The key to use for filtering by the |
Stop If Not Enough Entities |
Optional
If selected, the action runs if all specified entity types are present. Selected by default. |
Cross Entity Operator |
Required
The logical operator to use between different entity types in the query. The default value is The possible values are as follows:
|
Action outputs
The Execute Entity Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Entity Query action:
{
"Timestamp": "2021-04-12T07:25:00Z",
"AlertId": "fa7a318954-6c4c-eaab-3200-08d8fd82af35",
"Title": "CC_Sensitive information",
"Category": "InitialAccess",
"Severity": "Medium",
"ServiceSource": "Microsoft Defender for Office 365",
"DetectionSource": "Microsoft Defender for Office 365",
"AttackTechniques": ""
}
Output messages
The Execute Entity Query action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Execute Entity Query". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Entity Query action:
Script result name | Value |
---|---|
is_success |
True or False |
Execute Query
Use the Execute Query action to execute hunting queries in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Query action requires the following parameters:
Parameter | Description |
---|---|
Table Names |
Required
A comma-separated list of table names to query in Microsoft 365 Defender. |
Query |
Optional
A query to execute. Use this parameter to provide the
|
Time Frame |
Optional
The time period for the query results. The default value is The possible values are as follows:
|
Start Time |
Optional
The start time for the query results in the ISO 8601 format. If you
set the |
End Time |
Optional
The end time for the query results in the ISO 8601 format. If you
don't set a value and set the |
Fields To Return |
Optional
A comma-separated list of fields to include in the results. |
Sort Field |
Optional
The field to sort the results by. The default value is |
Sort Order |
Optional
The order to sort the results (ascending or descending). The default value is The possible values are as follows:
|
Max Results To Return |
Optional
The maximum number of results to return. The default value is |
Action outputs
The Execute Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Query action:
{"Results": [
{
"Timestamp": "2021-04-12T07:25:00Z",
"AlertId": "fa7a318954-6c4c-eaab-3200-08d8fd82af35",
"Title": "CC_Sensitive information",
"Category": "InitialAccess",
"Severity": "Medium",
"ServiceSource": "Microsoft Defender for Office 365",
"DetectionSource": "Microsoft Defender for Office 365",
"AttackTechniques": ""
}
]}
Output messages
The Execute Query action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Execute Query". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Query action:
Script result name | Value |
---|---|
is_success |
True or False |
Ping
Use the Ping action to test the connectivity to Microsoft 365 Defender.
The action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Ping action:
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Microsoft 365 Defender server
with the provided connection parameters! |
The action succeeded. |
Failed to connect to the Microsoft 365 Defender server! Error is
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success |
True or False |
Update Incident
Use the Update Incident action to update incidents in Microsoft 365 Defender.
Following the API limitations, this action doesn't fail even if you set an
invalid username value to the Assign To
parameter.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident ID |
Required
The ID of the incident to update in Microsoft 365 Defender. |
Status |
Optional
The status to set for the incident in Microsoft 365 Defender. The default value is The possible values are as follows:
|
Classification |
Optional
The classification to set for the incident in Microsoft 365 Defender. The default value is The possible values are as follows:
|
Determination |
Optional
The determination to set for the incident in Microsoft 365 Defender. This parameter only applies if the The default value is The possible values are as follows:
|
Assign To |
Optional
The user to assign the incident to in Microsoft 365 Defender. |
Action outputs
The Update Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Update Incident action can return the following output messages:
Output message | Message description |
---|---|
Successfully updated incident INCIDENT_ID in Microsoft 365 Defender. |
The action succeeded. |
Error executing action "Update Incident". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).
Microsoft 365 Defender – Incidents Connector
Use the Microsoft 365 Defender – Incidents Connector to pull information about incidents and their related alerts from Microsoft 365 Defender.
The dynamic list works with an incident name.
Connector limitations
The Microsoft 365 Defender – Incidents Connector uses the API requests
with strict API limits. To stabilize the connector, set the
Max Incidents To Fetch
parameter to 10
and the Run Every
parameter to
1 minute
. You can still reach the rate limit because the Microsoft Graph
API endpoint that is used to fetch alerts only allows 20 requests for every
minute.
To prevent data loss at reaching the rate limit, the connector stops processing the current incident and waits for 90 seconds before processing any other incident. In 90 seconds, the rate limit returns to its maximum value and the connector reprocesses the incident that was not properly processed in the previous iteration.
Connector inputs
The Microsoft 365 Defender – Incidents Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name |
Required The name of the field where the product name is stored. The default value is |
Event Field Name |
Required The field name used to determine the event name (subtype). The default value is |
Login API Root |
Required The login API root of the Microsoft 365 Defender instance. The default value is
|
Graph API Root |
Required The API root of the Microsoft Graph service. The default value is |
API Root |
Required
The API root of the Microsoft 365 Defender instance. The default value is |
Tenant ID |
Required
The Microsoft Entra ID (tenant ID) value of your Microsoft Entra ID account. |
Client ID |
Required
The application (client) ID value of your Microsoft Entra ID account. |
Client Secret |
Required
The client secret value of the Microsoft Entra ID application. |
Verify SSL |
Optional
If selected, the integration verifies that the SSL certificate for connecting to the Microsoft 365 Defender server is valid. Selected by default. |
Lowest Severity To Fetch |
Optional
The lowest severity of incidents to fetch. |
Max Hours Backwards |
Optional
The number of hours before the first connector iteration to retrieve incidents from. This parameter applies to the initial connector iteration after you enable the connector for the first time or the fallback value for an expired connector timestamp. The default value is |
Max Incidents To Fetch |
Optional
The maximum number of incidents to fetch for every connector iteration. The default value is |
Dynamic List Field |
Optional
The value that the dynamic list uses for filtering. The possible
values are The default value is |
Incident Status Filter |
Optional
A comma-separated list of incident statuses to ingest. The default value is The possible values are as follows:
|
Alert Detection Source Filter |
Optional
A comma-separated list of alert detection sources to ingest, such as
|
Alert Service Source Filter |
Optional
A comma-separated list of alert service sources to ingest, such as
|
Use whitelist as a blacklist |
Optional
If selected, the connector uses the dynamic list as a blocklist. Not selected by default. |
Disable Overflow |
Optional If selected, the connector ignores the Google SecOps overflow mechanism during alert creation. Selected by default. |
Lowest Alert Severity To Fetch |
Optional
The lowest severity of alerts to fetch. |
Environment Field Name |
Optional
The name of the field containing the environment name. |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
PythonProcessTimeout |
Required
The timeout limit in seconds for the Python process that runs the current script. The default value is |
Proxy Server Address |
Optional The address of the proxy server to use. |
Proxy Username |
Optional The proxy username to authenticate with. |
Proxy Password |
Optional The proxy password to authenticate with. |
Connector rules
- The connector supports proxies.
- The connector supports the dynamic lists and blocklists.