Microsoft Security

The Microsoft Security Event Source collects data from the Microsoft Security product suite using the Microsoft Graph API. This event source creates events from all Microsoft Security products, including Defender for Endpoint, Defender for Cloud, Defender for Identity, Defender for Cloud Apps, Defender O365, and Defender for Vulnerability Management.

The event types that InsightIDR can parse from this event source are:

  • Low-, medium-, and high-severity alerts (from the v2 Alerts API)

Requirements

Before you start the configuration, you’ll need:

  • An administrator account for Microsoft Azure.

Configure Microsoft Security to send data to InsightIDR

Before you can send events to InsightIDR from Microsoft Security products, you'll first need to set up a Microsoft Azure application to access the Microsoft Graph API. The application needs a client secret attached to it in addition to the following application permissions (not delegated permissions) applied to the Microsoft Graph API:

  • SecurityEvents.Read.All
  • SecurityIncident.Read.All

During setup, make sure to copy the following values to a secure location as they are used in the next section:

  • Client ID: The Application (client) ID found in the App Registration overview.
  • Client Secret: The secret created in the App registration.
    • When the secret expires, you are required to reconfigure the event source.
    • You are only able to view and copy this value immediately after creating the client secret. If you log out or leave this page, you will not be able to copy the client secret value and will need to create another one.
  • Tenant ID: The Directory (tenant) ID found in the App Registration overview.
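
The app registration described above can be checked end to end before the event source is wired up. The following script is an added example, not Rapid7's or Microsoft's code: it performs the OAuth 2.0 client-credentials grant with the Tenant ID, Client ID and Client Secret from this section, decodes the resulting access token to confirm that both application permissions were granted (application permissions appear in the token's roles claim; delegated permissions appear under scp instead, which is why the page insists on application permissions), and reads a few alerts from the v2 Alerts API. The token and alerts endpoints are Microsoft's published ones; the function names and the unsigned test token are the example's own.

```python
"""Client-credentials check for the Microsoft Graph security API.

Added example (not Rapid7 or Microsoft code). It exercises the same path the
event source uses: an app registration with a client secret requests an
app-only token from Microsoft Entra, then calls the v2 Alerts endpoint.
Endpoints assumed (Microsoft's published ones):
  https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
  https://graph.microsoft.com/v1.0/security/alerts_v2
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"
# The two application permissions this event source requires.
REQUIRED_ROLES = {"SecurityEvents.Read.All", "SecurityIncident.Read.All"}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(body).encode()


def jwt_payload(token):
    """Decode the payload of a JWT without verifying it.

    This is only for inspecting a token you just obtained; Graph verifies
    the signature server-side.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_app_roles(token):
    """Return the required application permissions absent from the token.

    App-only tokens carry granted application permissions in the `roles`
    claim. A token issued for delegated permissions carries `scp` instead
    and has no roles, so every required permission is reported as missing.
    """
    granted = set(jwt_payload(token).get("roles", []))
    return sorted(REQUIRED_ROLES - granted)


def make_unsigned_token(claims):
    """Constructed, unsigned JWT-shaped string for offline tests only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def get_token(tenant_id, client_id, client_secret):
    """Request an app-only access token (network call)."""
    url, data = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts(token, top=5):
    """Read alerts from the v2 Alerts API the event source consumes (network call)."""
    req = urllib.request.Request(
        f"{ALERTS_URL}?$top={top}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_graph_app.py <tenant_id> <client_id> <client_secret>")
    tenant, client, secret = sys.argv[1:]
    tok = get_token(tenant, client, secret)
    missing = missing_app_roles(tok)
    if missing:
        sys.exit(f"token lacks application permissions: {missing}; check admin consent")
    for alert in fetch_alerts(tok):
        print(alert["severity"], alert["serviceSource"], alert["title"])
```

Run it as python check_graph_app.py <tenant_id> <client_id> <client_secret>. If missing_app_roles reports a permission even though it is listed in the App Registration, the usual cause is that admin consent has not been granted; the event source would fail against the same tenant for the same reason.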

Visit the third-party vendor's documentation

For the most accurate information on configuring this event source, we recommend that you visit Microsoft Azure's documentation on registering an application, creating a client secret, and applying permissions.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Single tenant support

The Microsoft Security Event Source currently only supports a single tenant, so if you have additional tenants within Microsoft Azure, you will need separate Event Sources for each tenant.

Task 1: Select Microsoft Security

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft Security in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Microsoft Security event source tile.

Task 2: Set up your collection method

You can send data from Microsoft Security products to InsightIDR through the cloud.

To add a Microsoft Security Event Source:

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. Optionally, select the option to send unparsed data.
  3. Select an existing connection or click Add a New Connection.
    • If you decided to add a new connection:
      1. In the Create a Cloud Connection screen, enter a name for the new connection.
      2. In the Tenant ID field, enter the Directory (tenant) ID that you obtained in the previous section to send data to InsightIDR.
      3. In the Client ID field, enter the Application (client) ID that you obtained in the previous section to send data to InsightIDR.
      4. In the Client Secret field, select an existing credential or add a new one.
        1. If you decided to add a new credential:
          1. Click the field to display a drop-down menu.
          2. Click Add Credential.
          3. Name your credential.
          4. Describe your credential.
          5. Enter the Secret Key that you obtained in the previous section to send data to InsightIDR.
          6. Select which other Rapid7 solutions are able to use the credential.
        2. Click Save Connection.
      5. Click Save.

Test the configuration

Finally, you'll need to test the configuration to ensure it is properly sending event data to InsightIDR from Microsoft. The event types that InsightIDR can parse from this event source are:

  • Low-, medium-, and high-severity alerts (from the v2 Alerts API)

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, click the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

If event data is coming into InsightIDR, you'll also want to ensure that log entries are appearing in Log Search.

To verify log entries are appearing in Log Search:

  1. In InsightIDR, navigate to Log Search.
  2. In the Log Search filter panel, search for the event source you named in Configure InsightIDR to collect data from the event source. Microsoft Security logs should flow into the Third Party Alert log set.
  3. Select the log sets and the logs within them.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample Logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Third Party Alert log set. Here is a typical raw log entry that is created by the event source; note that it is rendered as a Python dictionary (single-quoted keys and None values) rather than as strict JSON:

```python
{'id': '<id>',
 'providerAlertId': '<providerAlertId>',
 'incidentId': '<incidentId>',
 'status': 'new',
 'severity': 'high',
 'classification': None,
 'determination': None,
 'serviceSource': 'microsoftDefenderForEndpoint',
 'detectionSource': 'antivirus',
 'productName': 'Microsoft Defender for Endpoint',
 'detectorId': '<detectorId>',
 'tenantId': '<tenantId>',
 'title': "'EICAR_Test_File' malware was prevented",
 'description': 'Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.',
 'recommendedActions': 'Collect artifacts and determine scope\n•\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n•\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n•\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n•\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n•\tContact the user to verify intent and initiate local remediation actions as needed.\n•\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n•\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n•\tIf credential theft is suspected, reset all relevant users passwords.\n•\tBlock communication with relevant URLs or IPs at the organization’s perimeter.',
 'category': 'Malware',
 'assignedTo': 'john@test.com',
 'alertWebUrl': 'https://security.microsoft.com/alerts/<providerAlertId>?tid=<tenantId>',
 'incidentWebUrl': 'https://security.microsoft.com/incidents/<incidentId>?tid=<tenantId>',
 'actorDisplayName': None,
 'threatDisplayName': 'Virus:DOS/EICAR_Test_File',
 'threatFamilyName': 'EICAR_Test_File',
 'mitreTechniques': [],
 'createdDateTime': '2024-03-18T19:10:49.0966667Z',
 'lastUpdateDateTime': '2024-08-12T15:16:21.64Z',
 'resolvedDateTime': '2024-08-12T15:16:21.4761349Z',
 'firstActivityDateTime': '2024-03-18T19:09:48.947691Z',
 'lastActivityDateTime': '2024-03-18T19:09:48.947691Z',
 'systemTags': [],
 'alertPolicyId': None,
 'additionalData': None,
 'comments': [{'comment': None,
               'createdByDisplayName': 'john@test.com',
               'createdDateTime': '2024-08-12T15:16:21.4761349Z'}],
 'evidence': [{'@odata.type': '#microsoft.graph.security.deviceEvidence',
               'createdDateTime': '2024-03-18T19:10:49.37Z',
               'verdict': 'unknown',
               'remediationStatus': 'none',
               'remediationStatusDetails': None,
               'roles': [],
               'detailedRoles': ['PrimaryDevice'],
               'tags': [],
               'firstSeenDateTime': '2024-03-18T19:00:26.0724432Z',
               'mdeDeviceId': '<mdeDeviceId>',
               'azureAdDeviceId': None,
               'deviceDnsName': 'mde',
               'osPlatform': 'Windows10',
               'osBuild': 19045,
               'version': '22H2',
               'healthStatus': 'inactive',
               'riskScore': 'none',
               'rbacGroupId': 0,
               'rbacGroupName': None,
               'onboardingStatus': 'onboarded',
               'defenderAvStatus': 'unknown',
               'lastIpAddress': '<ipAddress>',
               'lastExternalIpAddress': '<ipAddress>',
               'ipInterfaces': ['<ipAddress>',
                                '<ipv6Address>',
                                '<ipAddress>',
                                '::1'],
               'vmMetadata': None,
               'loggedOnUsers': [{'accountName': 'user', 'domainName': 'MDE'}]},
              {'@odata.type': '#microsoft.graph.security.fileEvidence',
               'createdDateTime': '2024-03-18T19:10:49.37Z',
               'verdict': 'suspicious',
               'remediationStatus': 'none',
               'remediationStatusDetails': 'Entity was pre-remediated by Windows Defender',
               'roles': [],
               'detailedRoles': [],
               'tags': [],
               'detectionStatus': 'prevented',
               'mdeDeviceId': '<mdeDeviceId>',
               'fileDetails': {'sha1': '<sha>',
                               'sha256': '<sha256>',
                               'fileName': 'New Text Document.txt',
                               'filePath': 'C:\\Users\\user\\Desktop',
                               'fileSize': 68,
                               'filePublisher': None,
                               'signer': None,
                               'issuer': None}}]}
```
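
When pulling an entry like this out of Log Search to build queries or enrich it elsewhere, keep in mind that it is a Python dictionary repr, not strict JSON, so json.loads() rejects it. The following script is an added example, not part of the InsightIDR documentation: it parses an abbreviated, constructed copy of the entry above (same keys and placeholders), flattens the fields an analyst looks at first (severity, source, host, logged-on users, file hashes and whether the detection was prevented), and re-serialises the record as strict JSON. Function names are the example's own.

```python
"""Normalise a raw Microsoft Security alert as it appears in Log Search.

Added example, not InsightIDR code. The raw entry is a Python dictionary
repr (single quotes, None), so json.loads() fails on it; ast.literal_eval()
parses the literal safely without executing any code.
"""
import ast
import json

# Constructed sample: an abbreviated copy of the page's entry, placeholders kept.
RAW_LOG = (
    "{'id': '<id>', 'incidentId': '<incidentId>', 'status': 'new', "
    "'severity': 'high', 'classification': None, "
    "'serviceSource': 'microsoftDefenderForEndpoint', 'detectionSource': 'antivirus', "
    "'title': \"'EICAR_Test_File' malware was prevented\", 'category': 'Malware', "
    "'threatDisplayName': 'Virus:DOS/EICAR_Test_File', 'mitreTechniques': [], "
    "'createdDateTime': '2024-03-18T19:10:49.0966667Z', "
    "'evidence': [{'@odata.type': '#microsoft.graph.security.deviceEvidence', "
    "'verdict': 'unknown', 'deviceDnsName': 'mde', 'osPlatform': 'Windows10', "
    "'loggedOnUsers': [{'accountName': 'user', 'domainName': 'MDE'}]}, "
    "{'@odata.type': '#microsoft.graph.security.fileEvidence', 'verdict': 'suspicious', "
    "'detectionStatus': 'prevented', 'fileDetails': {'sha1': '<sha>', 'sha256': '<sha256>', "
    "'fileName': 'New Text Document.txt', 'filePath': 'C:\\\\Users\\\\user\\\\Desktop', "
    "'fileSize': 68}}]}"
)


def parse_raw_alert(raw):
    """Accept strict JSON if the format ever changes, else parse the Python repr."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return ast.literal_eval(raw)


def evidence_of(alert, kind):
    """Evidence entries of one Graph type, e.g. 'fileEvidence' or 'deviceEvidence'."""
    odata_type = "#microsoft.graph.security." + kind
    return [e for e in alert.get("evidence", []) if e.get("@odata.type") == odata_type]


def summarize_alert(alert):
    """Flatten the fields an analyst triages first into one record."""
    devices = evidence_of(alert, "deviceEvidence")
    files = evidence_of(alert, "fileEvidence")
    return {
        "severity": alert.get("severity"),
        "source": alert.get("serviceSource"),
        "detection": alert.get("detectionSource"),
        "title": alert.get("title"),
        "threat": alert.get("threatDisplayName"),
        "created": alert.get("createdDateTime"),
        "hosts": [d.get("deviceDnsName") for d in devices],
        "users": [f"{u['domainName']}\\{u['accountName']}"
                  for d in devices for u in d.get("loggedOnUsers", [])],
        "files": [{"path": f.get("fileDetails", {}).get("filePath"),
                   "name": f.get("fileDetails", {}).get("fileName"),
                   "sha256": f.get("fileDetails", {}).get("sha256"),
                   "status": f.get("detectionStatus")} for f in files],
        # True only when every file artifact was blocked before execution.
        "prevented": bool(files) and all(f.get("detectionStatus") == "prevented" for f in files),
    }


def summarize_raw(raw):
    """Parse and summarise in one step."""
    return summarize_alert(parse_raw_alert(raw))


def to_json(alert):
    """Re-serialise as strict JSON (None becomes null) for downstream tooling."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    print(json.dumps(summarize_raw(RAW_LOG), indent=2))
```

The "prevented" flag is the field worth alerting on differently: a prevented detection with a suspicious verdict (as in the EICAR sample) is a confirmation that Defender worked, whereas the same alert with a file whose detectionStatus is not "prevented" warrants the follow-up actions listed in recommendedActions.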