Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
The Polarity Microsoft 365 Defender Integration allows you to search for Emails assigned to Alerts, Incidents, and Devices, along with the ability to run Advanced Threat Hunting Kusto Queries on all entity types from Microsoft 365 Defender.
You can also optionally enable Device Isolation for found Devices and File Quarantine for files found in Alerts.
To learn more about Microsoft 365 Defender, visit the official website.
NOTE: Instructions on how to set up your Azure instance and the User Options for the integration are found in the Microsoft 365 Defender Azure Integration Setup section below.
Your Azure AD Registered App's Client ID associated with your Microsoft 365 Defender Instance.
Your Azure AD Registered App's Tenant ID associated with your Microsoft 365 Defender Instance.
Your Azure AD Registered App's Client Secret associated with your Microsoft 365 Defender Instance.
Kusto Query String to execute for Advanced Threat Hunting. All available tables can be found HERE. Example: `union withsource=SourceTable AlertInfo, AlertEvidence | search "{{ENTITY}}" | where Timestamp >= ago(30d) | take 10`
NOTE: According to the documentation found HERE, the max time you can look back is 30d.
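The following is an added example, not the integration's own code, showing how a query template like the one above can be rendered for a searched entity, checked against the 30-day lookback limit, run through Microsoft Graph's `security/runHuntingQuery` endpoint, and reduced to the configured Summary Fields. It assumes `{{ENTITY}}` is the placeholder the integration substitutes with the searched value, and that the app registration has `ThreatHunting.Read.All` granted.

```python
"""Advanced Hunting helper for a Microsoft 365 Defender query template.

Added example (not the Polarity integration's own code). Assumes an Azure AD
app registration with ThreatHunting.Read.All and uses Microsoft Graph's
security/runHuntingQuery endpoint with client-credential auth.
"""
import json
import re
import urllib.parse
import urllib.request

MAX_LOOKBACK_DAYS = 30  # documented ceiling for advanced hunting lookback

# The integration's default query; {{ENTITY}} is assumed to be the placeholder
# replaced with the entity the analyst searched for.
DEFAULT_QUERY = ('union withsource=SourceTable AlertInfo, AlertEvidence '
                 '| search "{{ENTITY}}" | where Timestamp >= ago(30d) | take 10')


def kql_string_escape(value: str) -> str:
    """Escape a value for a double-quoted KQL string literal, so an entity
    containing quotes or backslashes cannot change the query's structure."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_query(template: str, entity: str) -> str:
    """Substitute the escaped entity into the template."""
    return template.replace("{{ENTITY}}", kql_string_escape(entity))


def lookback_within_limit(query: str, limit_days: int = MAX_LOOKBACK_DAYS) -> bool:
    """True unless some ago(Nd) in the query exceeds the documented maximum."""
    days = [int(d) for d in re.findall(r"ago\((\d+)d\)", query)]
    return all(d <= limit_days for d in days)


def summarize(results: list, summary_fields: list) -> list:
    """Keep only the configured Summary Fields from each result row;
    a field the query did not return shows up as None."""
    return [{f: row.get(f) for f in summary_fields} for row in results]


def run_hunting_query(query: str, tenant_id: str, client_id: str, client_secret: str) -> list:
    """Fetch a client-credential token and POST the query to Graph (network call)."""
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}).encode()
    with urllib.request.urlopen(urllib.request.Request(token_url, data=form)) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request("https://graph.microsoft.com/v1.0/security/runHuntingQuery",
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)["results"]
```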
Available Tables
AlertEvidence, AlertInfo, DeviceEvents, DeviceFileCertificateInfo, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB, DeviceTvmSoftwareInventory, DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, IdentityInfo
Table Name | Description |
---|---|
AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts |
AlertInfo | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization |
DeviceEvents | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
DeviceFileEvents | File creation, modification, and other file system events |
DeviceImageLoadEvents | DLL loading events |
DeviceInfo | Machine information, including OS information |
DeviceLogonEvents | Sign-ins and other authentication events on devices |
DeviceNetworkEvents | Network connection and related events |
DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
DeviceProcessEvents | Process creation and related events |
DeviceRegistryEvents | Creation and modification of registry entries |
DeviceTvmSecureConfigurationAssessment | Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices |
DeviceTvmSecureConfigurationAssessmentKB | Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
DeviceTvmSoftwareInventory | Inventory of software installed on devices, including their version information and end-of-support status |
DeviceTvmSoftwareVulnerabilities | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
DeviceTvmSoftwareVulnerabilitiesKB | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
EmailAttachmentInfo | Information about files attached to emails |
EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
EmailUrlInfo | Information about URLs on emails |
IdentityInfo | Account information from various sources, including Azure Active Directory |
Comma-delimited list of fields to include as part of the summary. These fields must be returned by your Kusto Query. This option must be set to "User can view and edit" or "User can view only".
Comma-delimited list of fields to hide from the Advanced Threat Hunting results in the Overlay. This option must be set to "User can view and edit" or "User can view only".
Enable File Isolation for Files found in Alerts
Enable Device Isolation for found Device
Comma-delimited list of Classifications that, if found in Incidents or Alerts, will not show up in search results. This option must be set to "User can view and edit" or "User can view only".
Comma-delimited list of Determinations that, if found in Incidents or Alerts, will not show up in search results. This option must be set to "User can view and edit" or "User can view only".
Comma-delimited list of Severities that, if found in Incidents or Alerts, will not show up in search results. This option must be set to "User can view and edit" or "User can view only".
Comma-delimited list of Statuses that, if found in Incidents or Alerts, will not show up in search results. This option must be set to "User can view and edit" or "User can view only".
Comma-delimited list of Service Sources that, if found in Incidents or Alerts, will not show up in search results. This option must be set to "User can view and edit" or "User can view only".
The number of days back from today within which Incident or Alert results are returned, based on when they were Created.
1. Navigate to App Registrations
2. Select New registration
3. Add a memorable name for the new registration then click Register
Our end goal for this section is to have all of these permissions granted with Admin Consent. More detailed steps are listed below.
NOTE: The permissions Machine.Isolate and Machine.StopAndQuarantine are optional, and only need to be added if you wish to turn on Enable Device Isolation or Enable File Isolation in the Polarity User Options for the integration.
4. In your newly created app registration, navigate to API permissions in the left hand menu, then click Add a permission for each of the permissions listed below.
5. Click Microsoft Graph, then Application permissions:
- Search for SecurityIncident, select SecurityIncident.Read.All, then click Add permissions
- Search for SecurityAlert, select SecurityAlert.Read.All, then click Add permissions
- Search for ThreatHunting, select ThreatHunting.Read.All, then click Add permissions
6. Under APIs my organization uses, search for and click WindowsDefenderATP, then Application permissions:
- Search for Alert, select Alert.ReadWrite.All, then click Add permissions
- Search for Machine, select Machine.ReadWrite.All, then click Add permissions
- If you want to Quarantine Files using the integration, search for Machine, select Machine.StopAndQuarantine, then click Add permissions. When working on the Add User Options to Integration section below, make sure to turn on and save the Enable File Isolation user option in Polarity.
- If you want to Isolate Devices using the integration, search for Machine, select Machine.Isolate, then click Add permissions. When working on the Add User Options to Integration section below, make sure to turn on and save the Enable Device Isolation user option in Polarity.
7. Click Grant admin consent for <tenant name>
8. Wait a few minutes for the permissions to propagate before moving on to add your User Options to the Integration.
9. Navigate to the Overview tab in the left hand menu, then copy the Application (client) ID and Directory (tenant) ID to the relevant Polarity User Options
10. Click the Add certificate or secret link
11. Click New client secret
12. Add your desired secret key description, then click Add
13. Copy your new client secret Value (not the ID) to the relevant Polarity User Option
14. Make sure to click Save Configuration Changes for your Polarity User Options. It may take a few seconds for the options to save.
Installation instructions for integrations are provided on the PolarityIO GitHub Page.
Polarity is a memory-augmentation platform that improves and accelerates analyst decision making. For more information about the Polarity platform please see: