Microsoft 365 Defender
This document describes how to integrate Microsoft 365 Defender with Google Security Operations (Google SecOps).
Integration version: 19.0
Use cases
Integrating Microsoft 365 Defender with Google SecOps can help you solve the following use cases:
-
Automated incident response:use the Google SecOps capabilities to automatically isolate the affected endpoint and initiate a scan for further compromise.
-
Phishing investigation and remediation:use the Google SecOps capabilities to automatically extract relevant information, such as the sender, subject, and attachments, and enrich it with threat intelligence data.
-
Vulnerability management:use the Google SecOps capabilities to automate vulnerability scanning and remediation workflows.
-
Compliance reporting and auditing:use the Google SecOps capabilities to automate the collecting and reporting of security data from Microsoft 365 Defender, simplifying compliance audits, and demonstrating adherence to security standards.
-
Alert prioritization and triage:use the Google SecOps capabilities to analyze alerts from Microsoft 365 Defender and prioritize them based on severity and potential impact.
-
Automated malware analysis:use the Google SecOps capabilities to automatically submit the sample of a malware that Microsoft 365 Defender has detected to a sandbox environment for dynamic analysis.
Before you begin
Before configuring the integration in the Google SecOps platform, complete the following steps:
-
Create the Microsoft Entra application.
-
Configure the API permissions for your app.
-
Create a client secret.
Create the Microsoft Entra application
To create the Microsoft Entra application, complete the following steps:
-
Sign in to the Azure portal as a user administrator or a password administrator.
-
Select Microsoft Entra ID.
-
Go to App registrations > New registration.
-
Enter the name of the application.
-
Click Register.
-
Save the Application (client) IDand Directory (tenant) IDvalues to use them later when configuring the integration parameters.
Configure the API permissions
To configure the API permissions for the integration, complete the following steps:
-
In the Azure portal, go to Manage > API Permissions > Add a permission.
-
In the Request API permissionswindow, select APIs my organization uses.
-
Select Microsoft Graph > Application permissions.
-
Select the following permissions:
-
SecurityAlert.Read.All -
SecurityIncident.ReadWrite.All
-
-
Click Add permissions.
-
In the Request API permissionswindow, select APIs my organization uses.
-
Select Microsoft Threat Protection > Application permissions.
-
Select the following permission:
-
ThreatHunting.Read.All
-
-
Click Add permissions.
-
Click Grant admin consent for
YOUR_ORGANIZATION_NAME.When the Grant admin consent confirmationdialog appears, click Yes.
Create a client secret
To create a client secret, complete the following steps:
-
Navigate to Certificates and secrets > New client secret.
-
Provide a description for a client secret and set its expiration deadline.
-
Click Add.
-
Save the value of the client secret (not the secret ID) to use it as the
Client Secretparameter value when configuring the integration.The client secret value is only displayed once.
Integrate Microsoft 365 Defender with Google SecOps
The Microsoft 365 Defender integration requires the following parameters:
| Parameter | Description |
|---|---|
Login API Root
|
Required
The login API root of the Microsoft 365 Defender instance. The default value is |
Graph API Root
|
Required
The API root of the Microsoft Graph service. The default value is |
API Root
|
Required
The API root of the Microsoft 365 Defender instance. The default value is |
Tenant ID
|
Required
The Microsoft Entra ID (tenant ID) value of your Microsoft Entra ID account. |
Client ID
|
Required
The application (client) ID value of your Microsoft Entra ID account. |
Client Secret
|
Required
The client secret value of the Microsoft Entra ID application. |
Verify SSL
|
Optional
If selected, the integration verifies that the SSL certificate for connecting to the Microsoft 365 Defender server is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action .
Add Comment To Incident
Use the Add Comment To Incidentaction to add a comment to an incident in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Comment To Incidentaction requires the following parameters:
| Parameter | Description |
|---|---|
Incident ID
|
Required
The ID of the incident to add the comment to. |
Comment
|
Required
The comment to add to the incident. |
Action outputs
The Add Comment To Incidentaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add Comment To Incidentaction can return the following output messages:
| Output message | Message description |
|---|---|
Successfully added comment to incident INCIDENT_ID
in Microsoft 365 Defender.
|
The action succeeded. |
Error executing action "Add Comment To Incident". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Incidentaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Execute Custom Query
Use the Execute Custom Queryaction to execute a custom hunting query in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Custom Queryaction requires the following parameters:
| Parameter | Description |
|---|---|
Query
|
Required
The query to execute in Microsoft 365 Defender for result filtering. |
Max Results To Return
|
Optional
The maximum number of results to return from the query. The default value is `50`. |
Action outputs
The Execute Custom Queryaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Custom Queryaction:
{
"Results"
:
[
{
"Timestamp"
:
"2021-04-12T07:25:00Z"
,
"AlertId"
:
"fa7a318954-6c4c-eaab-3200-08d8fd82af35"
,
"Title"
:
"CC_Sensitive information"
,
"Category"
:
"InitialAccess"
,
"Severity"
:
"Medium"
,
"ServiceSource"
:
"Microsoft Defender for Office 365"
,
"DetectionSource"
:
"Microsoft Defender for Office 365"
,
"AttackTechniques"
:
""
}
]}
Output messages
The Execute Custom Queryaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Execute Custom Query". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Custom Queryaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Execute Entity Query
Use the Execute Entity Queryaction to execute a hunting query that is based on entities in Microsoft 365 Defender.
This action uses a where
filter that is based on entities.
This action runs on the following Google SecOps entities:
-
IP Address -
Host -
User -
Hash -
URL
You can use the Execute Entity Queryaction to retrieve information that is related to entities, such as retrieve the results from a table and filter the results based on entities.
Unlike the Execute Query action that requires you to use specific formatting, the Execute Entity Queryaction doesn't use the query input.
When using the Execute Queryaction to retrieve the alerts that are related
to an endpoint, format the | where
clause as follows:
AlertInfo | where DeviceName == "Host-1" or IPAddress == "192.0.2.1" | top 100
by Timestamp desc
To retrieve the alerts that are related to an endpoint, the Execute Entity
Queryaction requires you to configure the Table
, IP Entity Key
, Hostname Entity Key
, and Cross Entity Operator
parameters as follows:
| Parameter | AlertInfo
value |
|---|---|
IP Entity Key
|
IPAddress
|
Hostname Entity Key
|
DeviceName
|
Cross Entity Operator
|
OR
|
To check how many endpoints the provided hashes affect, the Execute Entity
Queryaction requires you to enter the SHA1
value for the File Hash Entity Key
parameter.
The Cross Entity Operator
only impacts the query when you configure multiple
values for the Entity Keys
parameter.
Action inputs
The Execute Entity Queryaction requires the following parameters:
Table Names
A comma-separated list of tables to query in Microsoft 365 Defender.
Time Frame
The time period for the query results.
The default value is Last Hour
.
The possible values are as follows:
-
Last Hour -
Last 6 Hours -
Last 24 Hours -
Last Week -
Last Month -
Custom
Start Time
The start time for the query results.
If you set the Time
Frame
parameter to Custom
, this parameter is
required.
End Time
The end time for the query results.
If you don't set a value and
set the Time Frame
parameter to Custom
, the action
sets this parameter to the current time value by default.
Fields To Return
A comma-separated list of fields to include in the results.
Sort Field
The field to sort the results by.
The default value is Timestamp
.
Sort Order
The order to sort the results (ascending or descending).
The default value is ASC
.
The possible values are as follows:
-
ASC -
DESC
Max Results To Return
The maximum number of results to return.
The default value is 50
.
IP Entity Key
The key to use for filtering by the IP Address
entity.
Hostname Entity Key
The key to use for filtering by the Hostname
entity.
File Hash Entity Key
The key to use for filtering by the File Hash
entity.
User Entity Key
The key to use for filtering by the User
entity.
URL Entity Key
The key to use for filtering by the URL
entity.
Email Address Entity Key
The key to use for filtering by the Email Address
entity.
The action accepts the User
entity that matches the email
regular expression.
Stop If Not Enough Entities
If selected, the action runs if all specified entity types are present.
Selected by default.
Cross Entity Operator
The logical operator to use between different entity types in the query.
The default value is OR
.
The possible values are as follows:
-
OR -
AND
Action outputs
The Execute Entity Queryaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Entity Queryaction:
{
"Timestamp"
:
"2021-04-12T07:25:00Z"
,
"AlertId"
:
"fa7a318954-6c4c-eaab-3200-08d8fd82af35"
,
"Title"
:
"CC_Sensitive information"
,
"Category"
:
"InitialAccess"
,
"Severity"
:
"Medium"
,
"ServiceSource"
:
"Microsoft Defender for Office 365"
,
"DetectionSource"
:
"Microsoft Defender for Office 365"
,
"AttackTechniques"
:
""
}
Output messages
The Execute Entity Queryaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Execute Entity Query". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Entity Queryaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Execute Query
Use the Execute Queryaction to execute hunting queries in Microsoft 365 Defender.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute Queryaction requires the following parameters:
Table Names
A comma-separated list of table names to query in Microsoft 365 Defender.
Query
A query to execute.
Use this parameter to provide the | where
clause. The time filter, limiting, and sorting are
optional.
Time Frame
The time period for the query results.
The default value is Last Hour
.
The possible values are as follows:
-
Last Hour -
Last 6 Hours -
Last 24 Hours -
Last Week -
Last Month -
Custom
Start Time
The start time for the query results in the ISO 8601 format.
If you
set the Time Frame
parameter to Custom
, this
parameter is required.
End Time
The end time for the query results in the ISO 8601 format.
If you
don't set a value and set the Time Frame
parameter to Custom
, the action sets this parameter to the current time
value by default.
Fields To Return
A comma-separated list of fields to include in the results.
Sort Field
The field to sort the results by.
The default value is Timestamp
.
Sort Order
The order to sort the results (ascending or descending).
The default value is ASC
.
The possible values are as follows:
-
ASC -
DESC
Max Results To Return
The maximum number of results to return.
The default value is 50
.
Action outputs
The Execute Queryaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Execute Queryaction:
{
"Results"
:
[
{
"Timestamp"
:
"2021-04-12T07:25:00Z"
,
"AlertId"
:
"fa7a318954-6c4c-eaab-3200-08d8fd82af35"
,
"Title"
:
"CC_Sensitive information"
,
"Category"
:
"InitialAccess"
,
"Severity"
:
"Medium"
,
"ServiceSource"
:
"Microsoft Defender for Office 365"
,
"DetectionSource"
:
"Microsoft Defender for Office 365"
,
"AttackTechniques"
:
""
}
]}
Output messages
The Execute Queryaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Execute Query". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute Queryaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Ping
Use the Pingaction to test the connectivity to Microsoft 365 Defender.
The action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Pingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Pingaction:
Output messages
The Pingaction can return the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Microsoft 365 Defender server
with the provided connection parameters!
|
The action succeeded. |
Failed to connect to the Microsoft 365 Defender server! Error is ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Pingaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Update Incident
Use the Update Incidentaction to update incidents in Microsoft 365 Defender.
Following the API limitations, this action doesn't fail even if you set an
invalid username value to the Assign To
parameter.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Incidentaction requires the following parameters:
Incident ID
The ID of the incident to update in Microsoft 365 Defender.
Status
The status to set for the incident in Microsoft 365 Defender.
The default value is Select One
.
The possible values are as follows:
-
Select One -
Active -
Resolved
Classification
The classification to set for the incident in Microsoft 365 Defender.
The default value is Select One
.
The possible values are as follows:
-
Select One -
False Positive -
True Positive
Determination
The determination to set for the incident in Microsoft 365 Defender.
This parameter only applies if the Classification
parameter
value is True Positive
.
The default value is Select One
.
The possible values are as follows:
-
Select One -
Not Available -
Apt -
Malware -
Security Personnel -
Security Testing -
Unwanted Software -
Other
Assign To
The user to assign the incident to in Microsoft 365 Defender.
Action outputs
The Update Incidentaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Update Incidentaction can return the following output messages:
| Output message | Message description |
|---|---|
Successfully updated incident INCIDENT_ID
in Microsoft 365 Defender.
|
The action succeeded. |
Error executing action "Update Incident". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors) .
Microsoft 365 Defender – Incidents Connector
Use the Microsoft 365 Defender – Incidents Connectorto pull information about incidents and their related alerts from Microsoft 365 Defender.
The dynamic list works with an incident name.
Connector limitations
The Microsoft 365 Defender – Incidents Connectoruses the API requests
with strict API limits. To stabilize the connector, set the Max Incidents To Fetch
parameter to 10
and the Run Every
parameter to 1 minute
. You can still reach the rate limit because the Microsoft Graph
API endpoint that is used to fetch alerts only allows 20 requests for every
minute.
To prevent data loss at reaching the rate limit, the connector stops processing the current incident and waits for 90 seconds before processing any other incident. In 90 seconds, the rate limit returns to its maximum value and the connector reprocesses the incident that was not properly processed in the previous iteration.
Connector inputs
The Microsoft 365 Defender – Incidents Connectorrequires the following parameters:
Product Field Name
The name of the field where the product name is stored.
The default value is event_type
.
Event Field Name
The field name used to determine the event name (subtype).
The default value is @odata.type
.
Login API Root
The login API root of the Microsoft 365 Defender instance.
The default value is https://login.microsoftonline.com
.
Graph API Root
The API root of the Microsoft Graph service.
The default value is https://graph.microsoft.com
.
API Root
The API root of the Microsoft 365 Defender instance.
The default value is https://api.security.microsoft.com
.
Tenant ID
The Microsoft Entra ID (tenant ID) value of your Microsoft Entra ID account.
Client ID
The application (client) ID value of your Microsoft Entra ID account.
Client Secret
The client secret value of the Microsoft Entra ID application.
Verify SSL
If selected, the integration verifies that the SSL certificate for connecting to the Microsoft 365 Defender server is valid.
Selected by default.
Lowest Severity To Fetch
The lowest severity of incidents to fetch.
Max Hours Backwards
The number of hours before the first connector iteration to retrieve incidents from. This parameter applies to the initial connector iteration after you enable the connector for the first time or the fallback value for an expired connector timestamp.
The default value is 1
.
Max Incidents To Fetch
The maximum number of incidents to fetch for every connector iteration.
The default value is 10
.
Incident Status Filter
A comma-separated list of incident statuses to ingest.
The default value is active, inProgress
.
The possible values are as follows:
-
active -
inProgress -
resolved -
redirected
Redirected incidents can be empty in most cases.
Use whitelist as a blacklist
If selected, the connector uses the dynamic list as a blocklist.
Not selected by default.
Lowest Alert Severity To Fetch
The lowest severity of alerts to fetch.
Disable Alert Tracking
If enabled, the connector stops tracking updates for alerts.
Disabled by default.
Environment Field Name
The name of the field containing the environment name.
Environment Regex Pattern
A regular expression pattern to run on the value found in the Environment Field Name
field. This parameter lets you manipulate
the environment field using the regular expression logic.
Use the default value .*
to retrieve the required raw Environment Field Name
value.
If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
PythonProcessTimeout
The timeout limit in seconds for the Python process that runs the current script.
The default value is 180
.
Dynamic List Field
The value that the dynamic list uses for filtering.
The possible
values are Incident Name
and Alert Name
.
The default value is Incident Name
.
Alert Detection Source Filter
A comma-separated list of alert detection sources to ingest, such as antivirus, microsoftDefenderForEndpoint
.
Alert Service Source Filter
A comma-separated list of alert service sources to ingest, such as antivirus, microsoftDefenderForEndpoint
.
Disable Overflow
If selected, the connector ignores the Google SecOps overflow mechanism during alert creation.
Enabled by default.
Proxy Server Address
The address of the proxy server to use.
Proxy Username
The proxy username to authenticate with.
Proxy Password
The proxy password to authenticate with.
Connector rules
- The connector supports proxies.
- The connector supports the dynamic lists and blocklists.
Need more help? Get answers from Community members and Google SecOps professionals.
