Synapse-Microsoft-Defender Admin Guide
Configuration
Microsoft Defender for Endpoint
Use of the Microsoft Defender for Endpoint commands requires an API client configuration.
The client must be configured with the following WindowsDefenderATP API application permissions:
Alert.Read.All
For information on how to create an application, please visit the Microsoft Defender for Endpoint API documentation.
Setting the API client for global use
To set up a global API client configuration:
> microsoft.defender.endpoint.setup.client my_tenant my_client_id my_client_secret
Setting Microsoft Defender for Endpoint API client configuration for all users.
Using per-user API clients
A user may set up their own API client configuration:
> microsoft.defender.endpoint.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender for Endpoint API client configuration for the current user.
Microsoft Defender 365
Use of the Microsoft Defender 365 commands requires an API client configuration.
The client must be configured with the following Microsoft Graph API application permissions:
SecurityIncident.Read.All
SecurityAlert.Read.All
For information on how to create a client application, please visit the Microsoft Graph Security API authorization documentation.
Setting the API client for global use
To set up a global API client configuration:
> microsoft.defender.365.setup.client my_tenant my_client_id my_client_secret
Setting Microsoft Defender 365 API client configuration for all users.
Using per-user API clients
A user may set up their own API client configuration:
> microsoft.defender.365.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender 365 API client configuration for the current user.
Microsoft Defender Threat Intelligence
Use of the Microsoft Defender TI commands requires an API client configuration.
The client must be configured with the following Microsoft Graph API application permissions:
ThreatIntelligence.Read.All
For information on how to create a client application, please visit the Microsoft Graph Security API authorization documentation.
Setting the API client for global use
To set up a global API client configuration:
> microsoft.defender.ti.setup.client my_tenant my_client_id my_client_secret
Setting Microsoft Defender TI API client configuration for all users.
Using per-user API clients
A user may set up their own API client configuration:
> microsoft.defender.ti.setup.client --self my_tenant my_client_id my_client_secret
Setting Microsoft Defender TI API client configuration for the current user.
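All three setup commands above (Defender for Endpoint, Defender 365 and Defender TI) take the same tenant, client ID and client secret, and each fails at query time if the app registration is missing the application permissions listed for it. The following pre-flight check is an added example and is not part of the Power-Up: it requests an app-only token with the OAuth2 client-credentials grant from Microsoft's public v2.0 token endpoint, decodes the token's `roles` claim (where Entra ID places granted and admin-consented application permissions) and reports which of the required permissions are absent. The resource scopes (`https://api.securitycenter.microsoft.com/.default` for the WindowsDefenderATP API, `https://graph.microsoft.com/.default` for Microsoft Graph) are Microsoft's; the credential values and the `REQUIRED` table are this example's own, built from the permissions named on this page.

```python
"""Pre-flight check for the app registration used with the Synapse-Microsoft-Defender
setup.client commands. Added example, not part of the Power-Up. It obtains an app-only
token via client credentials and verifies the token's `roles` claim carries the
application permissions each command group needs. Credentials are placeholders."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Resource scope and required application permissions per setup command group,
# as listed in the admin guide: "endpoint" uses the WindowsDefenderATP API,
# "365" and "ti" use Microsoft Graph. (This table is the example's own.)
REQUIRED = {
    "endpoint": ("https://api.securitycenter.microsoft.com/.default",
                 {"Alert.Read.All"}),
    "365": ("https://graph.microsoft.com/.default",
            {"SecurityIncident.Read.All", "SecurityAlert.Read.All"}),
    "ti": ("https://graph.microsoft.com/.default",
           {"ThreatIntelligence.Read.All"}),
}


def token_request(tenant, client_id, client_secret, scope):
    """Build the client-credentials POST (URL and form body) for the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def fetch_token(tenant, client_id, client_secret, scope):
    """Perform the token request and return the raw access token (network call)."""
    url, body = token_request(tenant, client_id, client_secret, scope)
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_roles(access_token):
    """Return the application permissions in the JWT `roles` claim.

    The signature is deliberately not verified: the token was just issued to us by
    the identity provider over TLS and is only inspected here for diagnostics, not
    trusted for any authorization decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_roles(access_token, product):
    """Permissions required for `product` that the token does not carry."""
    _, needed = REQUIRED[product]
    return needed - token_roles(access_token)


def unsigned_token(claims):
    """Build a constructed, unsigned JWT for offline testing of the role check."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def main(argv):
    if len(argv) != 5 or argv[1] not in REQUIRED:
        print("usage: check_defender_app.py {endpoint|365|ti} TENANT CLIENT_ID CLIENT_SECRET")
        return 2
    product, tenant, client_id, client_secret = argv[1:5]
    scope, needed = REQUIRED[product]
    token = fetch_token(tenant, client_id, client_secret, scope)
    missing = missing_roles(token, product)
    if missing:
        print(f"token lacks application permissions: {sorted(missing)}")
        print("grant them and complete admin consent before running "
              f"microsoft.defender.{product}.setup.client")
        return 1
    print(f"ok: token carries {sorted(needed)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per command group with the same three values you intend to pass to `setup.client`; a non-empty missing list usually means the permission was added to the app registration but admin consent has not been granted, or the secret belongs to a different registration.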
Dependencies
Synapse-Microsoft-Defender does not have any dependencies.
Permissions
Package (synapse-microsoft-defender) defines the following permissions:
power-ups.microsoft-defender.user : Controls user access to Synapse-Microsoft-Defender. (default: false)
You may add rules to users/roles directly from Storm:
> auth.user.addrule visi power-ups.microsoft-defender.user
Added rule power-ups.microsoft-defender.user to user visi.
or:
> auth.role.addrule ninjas power-ups.microsoft-defender.user
Added rule power-ups.microsoft-defender.user to role ninjas.
Workflows
Synapse-Microsoft-Defender provides the following workflows in Optic:
Title: Configuration
Node Actions
Synapse-Microsoft-Defender does not provide any node actions in Optic.