Microsoft 365 Defender is a unified platform for preventative protection, post-breach detection, automated investigation, and response. This connector facilitates automated operations related to indicators such as files, machines, IP addresses, domains, or actors.
This document provides information about the Microsoft 365 Defender Connector, which facilitates automated interactions with a Microsoft 365 Defender instance using FortiSOAR™ playbooks. Add the Microsoft 365 Defender Connector as a step in FortiSOAR™ playbooks and perform automated operations with Microsoft 365 Defender.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Microsoft 365 Defender Version Tested on: Cloud Instance
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Microsoft 365 Defender Connector in version 1.2.0:
Added the Filter Query parameter to the Get Incidents List action.
NOTE: To use the new Data Ingestion features, reconfigure the connector and data ingestion. To change the default alert mapping for ingestion, refer to the Configuration step of the Data Ingestion section.
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-microsoft-365-defender
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Microsoft 365 Defender connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Get Access Token | Select the method used to obtain the authentication tokens that access the Microsoft 365 Defender APIs: either the application-permission (client credentials) flow, which needs only the tenant ID, client ID, and client secret, or On behalf of User - Delegate Permission, which additionally needs an Authorization Code and Redirect URI. See the Getting Access Tokens section below. |
| Server URL | The service-based URL to which you connect and perform the automated operations. |
| Directory (tenant) ID | The ID of the Microsoft Entra ID (Azure AD) tenant in which the application used by this connector is registered. |
| Application (client) ID | The unique ID of the registered Microsoft Entra ID application that is used to create the authentication token required to access the API. |
| Application (Client) Secret | The client secret of that application, used together with the client ID to create the authentication token. Treat it as a credential: it grants whatever permissions the application holds. |
| Authorization Code | (Only Applicable to On behalf of User - Delegate Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user - Delegate Permission method section. |
| Redirect URI | (Only Applicable to On behalf of User - Delegate Permission) The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Incidents List | Retrieves a list of incidents along with their status for users to sort through and create an informed cybersecurity response. It exposes a collection of incidents that were flagged in your network, based on the time range, incident owner and other details that you have specified. | list_incidents Investigation |
| Get Incident Details | Retrieves the details of a specific incident based on the incident ID that you have specified. | get_incident Investigation |
| Update Incident | Updates the owner, status, comments, and other details of existing incidents based on the incident ID that you have specified. | update_incident Investigation |
| Advanced Hunting | Retrieves data from the past 30 days based on the query that you have specified. | advanced_hunting Investigation |
Parameters for the Get Incidents List operation:
| Parameter | Description |
|---|---|
| Last Updated Time | Specify a time to filter incidents by when they were last updated on the server. |
| Created Time | Specify a time to filter incidents by when they were first created. |
| Status | Specify the current status of the incident, chosen from the status values supported by Microsoft 365 Defender, to return only incidents in that state. |
| Assigned To | Specify the incident owner's email address. |
| Filter Query | (Optional) Specify the query to filter results retrieved from Microsoft 365 Defender. For query syntax and other information, refer to https://learn.microsoft.com/en-us/graph/filter-query-parameter |
| Offset | (Optional) Specify the number of records to skip at the start of the result set returned by the Microsoft 365 Defender API. |
| Limit | (Optional) Specify the maximum number of incidents that this operation should return from Microsoft 365 Defender. The maximum value is 100. |
| Get All Records | Select to retrieve all records present and ignore the parameters Offset and Limit. By default, this is selected, i.e. set to true. |
The output contains the following populated JSON schema:
```json
{
  "@odata.context": "",
  "value": [
    {
      "incidentId": "",
      "incidentUri": "",
      "redirectIncidentId": "",
      "incidentName": "",
      "createdTime": "",
      "lastUpdateTime": "",
      "assignedTo": "",
      "classification": "",
      "determination": "",
      "status": "",
      "severity": "",
      "tags": [],
      "comments": [],
      "alerts": [
        {
          "alertId": "",
          "providerAlertId": "",
          "incidentId": "",
          "serviceSource": "",
          "creationTime": "",
          "lastUpdatedTime": "",
          "resolvedTime": "",
          "firstActivity": "",
          "lastActivity": "",
          "title": "",
          "description": "",
          "category": "",
          "status": "",
          "severity": "",
          "investigationId": "",
          "investigationState": "",
          "classification": "",
          "determination": "",
          "detectionSource": "",
          "detectorId": "",
          "assignedTo": "",
          "actorName": "",
          "threatFamilyName": "",
          "mitreTechniques": [],
          "devices": [],
          "entities": [
            {
              "entityType": "",
              "evidenceCreationTime": "",
              "verdict": "",
              "remediationStatus": "",
              "accountName": "",
              "userSid": "",
              "aadUserId": "",
              "userPrincipalName": ""
            }
          ]
        }
      ]
    }
  ]
}
```
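The parameters above map onto an OData query against the incidents endpoint, and Get All Records is a walk over pages of at most 100 records. The following is an added example, not the connector's own code: it builds the `$filter` expression from the action's inputs (quoting user-supplied values so an owner name cannot break out of the filter) and pages through results. `INCIDENTS_URL` is Microsoft's documented incidents endpoint; `get_json` is an injected stand-in for the authenticated HTTP GET, and `SAMPLE_PAGES` is constructed data in the shape of the schema above, so the block runs offline.

```python
"""Added example (not the connector's own code): the OData query that the
Get Incidents List parameters map onto, and the paging walk behind
Get All Records. get_json is an injected stand-in for the authenticated GET."""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"
PAGE_MAX = 100  # the API rejects $top above 100, matching the Limit cap above


def odata_string(value: str) -> str:
    """Quote a value for an OData $filter; embedded single quotes are doubled
    so an attacker-controlled owner name cannot close the literal early."""
    return "'" + value.replace("'", "''") + "'"


def odata_datetime(value: datetime) -> str:
    """UTC ISO-8601 form used for createdTime/lastUpdateTime comparisons."""
    if value.tzinfo is None:
        raise ValueError("use timezone-aware datetimes to avoid off-by-hours windows")
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_incident_filter(last_updated_after=None, created_after=None,
                          status=None, assigned_to=None, filter_query=None) -> Optional[str]:
    """Combine the action's filter parameters into one $filter expression."""
    clauses: List[str] = []
    if last_updated_after is not None:
        clauses.append(f"lastUpdateTime ge {odata_datetime(last_updated_after)}")
    if created_after is not None:
        clauses.append(f"createdTime ge {odata_datetime(created_after)}")
    if status:
        clauses.append(f"status eq {odata_string(status)}")
    if assigned_to:
        clauses.append(f"assignedTo eq {odata_string(assigned_to)}")
    if filter_query:
        # Parenthesise the free-form Filter Query so an 'or' inside it cannot
        # widen the clauses above.
        clauses.append(f"({filter_query.strip()})")
    return " and ".join(clauses) if clauses else None


def iter_incidents(get_json: Callable[[str, Dict[str, str]], dict],
                   odata_filter: Optional[str] = None, offset: int = 0,
                   limit: Optional[int] = None, get_all_records: bool = True) -> Iterator[dict]:
    """Yield incidents; honours Offset/Limit only when Get All Records is off."""
    params: Dict[str, str] = {}
    if odata_filter:
        params["$filter"] = odata_filter
    if not get_all_records:
        params["$skip"] = str(max(offset, 0))
        params["$top"] = str(min(limit or PAGE_MAX, PAGE_MAX))
        yield from get_json(INCIDENTS_URL, params).get("value", [])
        return
    params["$top"] = str(PAGE_MAX)
    url: Optional[str] = INCIDENTS_URL
    while url:
        page = get_json(url, params)
        yield from page.get("value", [])
        # An OData nextLink carries its own query string; its absence ends the walk.
        url = page.get("@odata.nextLink")
        params = {}


# Constructed sample pages in the shape of the schema above (not real data).
SAMPLE_PAGES = {
    INCIDENTS_URL: {
        "@odata.context": "https://api.security.microsoft.com/api/$metadata#Incidents",
        "value": [{"incidentId": 1, "status": "Active"}, {"incidentId": 2, "status": "Active"}],
        "@odata.nextLink": INCIDENTS_URL + "?$skip=2",
    },
    INCIDENTS_URL + "?$skip=2": {
        "@odata.context": "https://api.security.microsoft.com/api/$metadata#Incidents",
        "value": [{"incidentId": 3, "status": "Resolved"}],
    },
}


def sample_get_json(url: str, params: Dict[str, str]) -> dict:
    """Stand-in for the authenticated GET, serving the constructed pages."""
    return SAMPLE_PAGES[url]


def example_filter() -> str:
    """Filter for active incidents updated since 1 May 2024 owned by one analyst."""
    since = datetime(2024, 5, 1, tzinfo=timezone.utc)
    return build_incident_filter(last_updated_after=since, status="Active",
                                 assigned_to="analyst@example.com")


def example_incident_ids() -> List[int]:
    return [i["incidentId"] for i in iter_incidents(sample_get_json)]


if __name__ == "__main__":
    print(example_filter())
    print(example_incident_ids())
```

When Get All Records is on, Offset and Limit are ignored and the walk follows `@odata.nextLink` until the API stops returning one; when it is off, a single page of at most 100 records is requested. Wrapping the free-form Filter Query in parentheses keeps a query such as `severity eq 'High' or status eq 'Resolved'` from silently overriding the Status and owner filters.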
Parameters for the Get Incident Details operation:
| Parameter | Description |
|---|---|
| Incident ID | Specify the unique identifier that represents the incident to fetch its details. |
The output contains the following populated JSON schema:
```json
{
  "@odata.context": "",
  "incidentId": "",
  "incidentUri": "",
  "redirectIncidentId": "",
  "incidentName": "",
  "createdTime": "",
  "lastUpdateTime": "",
  "assignedTo": "",
  "classification": "",
  "determination": "",
  "status": "",
  "severity": "",
  "tags": [],
  "comments": [],
  "alerts": [
    {
      "alertId": "",
      "providerAlertId": "",
      "incidentId": "",
      "serviceSource": "",
      "creationTime": "",
      "lastUpdatedTime": "",
      "resolvedTime": "",
      "firstActivity": "",
      "lastActivity": "",
      "title": "",
      "description": "",
      "category": "",
      "status": "",
      "severity": "",
      "investigationId": "",
      "investigationState": "",
      "classification": "",
      "determination": "",
      "detectionSource": "",
      "detectorId": "",
      "assignedTo": "",
      "actorName": "",
      "threatFamilyName": "",
      "mitreTechniques": [],
      "devices": [],
      "entities": [
        {
          "entityType": "",
          "evidenceCreationTime": "",
          "verdict": "",
          "remediationStatus": "",
          "accountName": "",
          "userSid": "",
          "aadUserId": "",
          "userPrincipalName": ""
        }
      ]
    }
  ]
}
```
Parameters for the Update Incident operation:
| Parameter | Description |
|---|---|
| Incident ID | Specify the unique identifier of the incident to update. |
| Status | Select from the drop-down list the status with which to update the incident. |
| Assigned To | Specify the incident owner's email address. |
| Classification | Select from the drop-down list the classification to set on the incident. |
| Tags | Specify a list of incident tags. |
| Comment | Specify a comment to be added to the incident. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "assignedTo": "",
  "classification": "",
  "determination": "",
  "tags": [],
  "comments": [
    {
      "comment": "",
      "createdBy": "",
      "createdTime": ""
    }
  ]
}
```
Parameters for the Advanced Hunting operation:
| Parameter | Description |
|---|---|
| Query | Specify a query to examine the past 30 days of event data in Microsoft 365 Defender. For more information on the queries, refer to Microsoft 365 Defender Advanced hunting. |
The output contains the following populated JSON schema:
```json
{
  "Stats": {
    "ExecutionTime": "",
    "resource_usage": {
      "cache": {
        "memory": {
          "hits": "",
          "misses": "",
          "total": ""
        },
        "disk": {
          "hits": "",
          "misses": "",
          "total": ""
        }
      },
      "cpu": {
        "user": "",
        "kernel": "",
        "total cpu": ""
      },
      "memory": {
        "peak_per_node": ""
      }
    },
    "dataset_statistics": [
      {
        "table_row_count": "",
        "table_size": ""
      }
    ]
  },
  "Schema": [
    {
      "Name": "",
      "Type": ""
    }
  ],
  "Results": [
    {
      "Timestamp": "",
      "FileName": "",
      "InitiatingProcessFileName": ""
    },
    {
      "Timestamp": "",
      "FileName": "",
      "InitiatingProcessFileName": ""
    }
  ]
}
```
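In playbooks the Query parameter is usually assembled from incident artifacts (hashes, hostnames, owner names), which makes it a KQL injection point if those values are pasted in unchecked. The following is an added example, not the connector's or Microsoft's code: it builds a hunt for a set of SHA-256 indicators, rejecting anything that is not a 64-hex-digit hash, escapes arbitrary strings as KQL literals for the cases where an allow-list does not fit, and reduces a response in the Stats/Schema/Results shape above to hits per device. `DeviceFileEvents` and its columns are Microsoft's documented advanced hunting schema; the helper names and `SAMPLE_RESPONSE` are this example's own constructed material.

```python
"""Added example (not the connector's code): build an advanced hunting query
from untrusted indicator values and reduce the Stats/Schema/Results response."""
import re
from collections import Counter
from typing import Dict, Iterable, List

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
RETENTION_DAYS = 30  # advanced hunting only holds the past 30 days of events


def kql_literal(value: str) -> str:
    """Quote an arbitrary string as a KQL double-quoted literal. Backslash and
    the quote itself are escaped so a crafted value cannot terminate the
    literal and append its own operators to the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_sha256_hunt(hashes: Iterable[str], days: int = 7, limit: int = 1000) -> str:
    """Hunt DeviceFileEvents for the given file hashes. Hashes are allow-listed
    (64 hex digits) rather than escaped: anything else is refused outright."""
    if not 1 <= days <= RETENTION_DAYS:
        raise ValueError(f"days must be between 1 and {RETENTION_DAYS}")
    clean: List[str] = []
    for h in hashes:
        if not SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        clean.append(h.lower())
    if not clean:
        raise ValueError("no indicators to hunt")
    in_list = ", ".join(kql_literal(h) for h in clean)
    return (
        "DeviceFileEvents\n"
        f"| where Timestamp > ago({days}d)\n"
        f"| where SHA256 in~ ({in_list})\n"
        "| project Timestamp, DeviceName, FileName, SHA256, InitiatingProcessFileName\n"
        f"| take {limit}"
    )


def hits_by_device(response: Dict) -> Dict[str, int]:
    """Count matching rows per device. The Schema block is checked first so a
    playbook fails loudly if the query stopped projecting a needed column."""
    columns = {c["Name"] for c in response.get("Schema", [])}
    for needed in ("DeviceName", "SHA256"):
        if needed not in columns:
            raise KeyError(f"query result lacks column {needed}")
    return dict(Counter(row["DeviceName"] for row in response.get("Results", [])))


# Constructed response in the shape of the schema above (not real telemetry).
SAMPLE_RESPONSE = {
    "Stats": {"ExecutionTime": 0.21, "resource_usage": {}, "dataset_statistics": []},
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "FileName", "Type": "String"},
        {"Name": "SHA256", "Type": "String"},
        {"Name": "InitiatingProcessFileName", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2024-05-01T10:00:00Z", "DeviceName": "ws01", "FileName": "a.exe",
         "SHA256": "00" * 32, "InitiatingProcessFileName": "explorer.exe"},
        {"Timestamp": "2024-05-01T10:05:00Z", "DeviceName": "ws01", "FileName": "a.exe",
         "SHA256": "00" * 32, "InitiatingProcessFileName": "cmd.exe"},
        {"Timestamp": "2024-05-02T08:00:00Z", "DeviceName": "srv07", "FileName": "b.dll",
         "SHA256": "ff" * 32, "InitiatingProcessFileName": "svchost.exe"},
    ],
}


if __name__ == "__main__":
    print(build_sha256_hunt(["00" * 32, "ff" * 32], days=3))
    print(hits_by_device(SAMPLE_RESPONSE))
```

The query string returned by `build_sha256_hunt` is what would be passed as the Query parameter of the Advanced Hunting action. Prefer the allow-list approach wherever the indicator has a fixed shape (hashes, IPv4 addresses, SIDs); fall back to `kql_literal` only for genuinely free-form text such as a file name.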
The Sample - Microsoft 365 Defender - 1.2.0 playbook collection comes bundled with the Microsoft 365 Defender connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft 365 Defender connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
You can get authentication tokens to access the Microsoft 365 Defender APIs using one of two methods:

On behalf of User - Delegate Permission: grant the registered application the Incident.Read, Incident.ReadWrite, and AdvancedHunting.Read delegated permissions, then obtain an authorization code as follows:
1. Replace TENANT_ID, CLIENT_ID, and REDIRECT_URI in the following URL with your own tenant ID, client ID, and redirect URI, and open it in a browser: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://api.security.microsoft.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
2. After you sign in and consent, the browser is redirected to REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE.
3. Copy AUTH_CODE (without the code= prefix) and paste it in your instance configuration in the Authorization Code parameter. The Redirect URI parameter must be exactly the REDIRECT_URI used in step 1.
The authorization code is single-use and expires within minutes, so save the connector configuration as soon as you have it. The offline_access scope lets the connector obtain a refresh token, so the step does not need repeating while that token remains valid. Actions run with the rights of the user who signed in, so use a dedicated account that holds only the roles the playbooks need.

Application permissions (client credentials): grant the application the Incident.Read.All, Incident.ReadWrite.All, and AdvancedHunting.Read.All application permissions (these require admin consent), and configure the connector with the Directory (tenant) ID, Application (client) ID, and Application (Client) Secret. Incident.ReadWrite.All is needed only if you use the Update Incident action; omit it otherwise.
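The authorization-code step above, as an added example that is not part of the connector: it builds the authorize URL with correct encoding, pulls AUTH_CODE out of the redirect, and prepares the token exchange. It goes one step beyond the URL in the text by adding a `state` parameter, the standard OAuth 2.0 check that the redirect you receive was produced by the request you sent; Microsoft's v2.0 endpoints return it unchanged. The tenant, client, secret and redirect values are placeholders, and the token request is only constructed, not sent.

```python
"""Added example (not the connector's code): the On behalf of User
authorization-code step with a state check that the URL in the text omits."""
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# Same scope as the URL in the text; offline_access yields a refresh token.
SCOPE = "offline_access https://api.security.microsoft.com/.default"


def new_state() -> str:
    """Unguessable per-request value; keep it until the redirect comes back."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    params = {
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    # quote_via=quote encodes the space in SCOPE as %20 rather than '+'.
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params, quote_via=quote)}"


def extract_auth_code(redirect_url: str, expected_state: str) -> str:
    """Pull AUTH_CODE out of REDIRECT_URI?code=AUTH_CODE&session_state=... and
    refuse it unless the state round-tripped unchanged."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]}: {detail}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by our request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code  # this value goes in the Authorization Code parameter


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  redirect_uri: str, code: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body for exchanging the code. redirect_uri must match the
    authorize request exactly, which is why the connector asks for both; the
    code is single-use and short-lived."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body


def demo() -> Dict[str, str]:
    """Constructed walk-through with placeholder identifiers (not real data)."""
    callback = "https://fortisoar.example/callback"
    state = new_state()
    url = build_authorize_url("TENANT_ID", "CLIENT_ID", callback, state)
    # What the browser lands on after consent; session_state is opaque.
    redirect = f"{callback}?code=AUTH_CODE&state={state}&session_state=SESSION_STATE"
    code = extract_auth_code(redirect, state)
    token_url, body = token_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", callback, code)
    return {"authorize_url": url, "code": code, "token_url": token_url,
            "grant_type": body["grant_type"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The page's URL is still what you paste into the browser; the `state` check matters when the redirect target is a service rather than a person reading the address bar, because it is the only thing that ties a received code to the request that asked for it.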
Use the Data Ingestion Wizard to ingest data into FortiSOAR™ by pulling incidents from Microsoft 365 Defender; for more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation. The wizard lets you map Microsoft 365 Defender content to related FortiSOAR™ modules.
The Data Ingestion Wizard enables you to configure scheduled pulling of data from Microsoft 365 Defender into FortiSOAR™. It also lets you pull some sample data from Microsoft 365 Defender using which you can define the mapping of data between Microsoft 365 Defender and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the Microsoft 365 Defender incident.
To begin configuring data ingestion, click Configure Data Ingestion on the Microsoft 365 Defender connector's Configurations page. Click Let's Start by fetching some data to open the Fetch Sample Data screen.

Sample data is required to create a field mapping between Microsoft 365 Defender data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch Microsoft 365 Defender data.
Users can filter the incidents pulled from Microsoft 365 Defender by specifying Last X Minutes (incidents created or updated within that window), Status, and Owner of Incident, and can select Ingest Alerts Separately in Alerts Module to create a separate FortiSOAR™ alert for each alert attached to an incident. The fetched data is used to create a mapping between the Microsoft 365 Defender data and FortiSOAR™ incidents.

NOTE: To use the Ingest Alerts Separately in Alerts Module feature, reconfigure both the connector and data ingestion.
NOTE: If you have selected Ingest Alerts Separately in Alerts Module and intend to make changes to the default alert mapping, edit the Create Alerts step of the >> Microsoft 365 Defender >> Create Alert playbook.
Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of a Microsoft 365 Defender incident to the fields of an incident present in FortiSOAR™.

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Microsoft 365 Defender, so that the content gets pulled from the Microsoft 365 Defender integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Microsoft 365 Defender every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from Microsoft 365 Defender every 5 minutes.

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
