USM Anywhere™

Configuring the AlienApp for Microsoft Defender ATP

Role Availability Read-Only Analyst Manager

Before you configure the AlienApp for Microsoft Defender Advanced Threat Protection (ATP), you must have the following information from your Microsoft Azure account:

  • Defender Tenant ID
  • Application ID
  • Scope
  • Client Secret

Important: Because the AlienApp for Microsoft Defender ATP can only act on events received from Azure, you also need to configure log collection from Azure Event Hubs. See Collect Logs from Azure Event Hubs and follow the process documented on that page to set up Azure log collection.

Microsoft Defender ATP Configurations

To set up the AlienApp for Microsoft Defender ATP, you first need to create an Azure Active Directory (Azure AD) application and record your Tenant ID, Application ID, Scope, and Client Secret during that process. See the Microsoft Defender ATP setup documentation for full details on the steps.

To enable the AlienApp for Microsoft Defender ATP

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the following items:

    • Application ID
    • Tenant ID
    • Scope
    • Client Secret
  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Microsoft Defender ATP APIs, a icon displays in the Health column.

    If the icon appears, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Microsoft Defender ATP connection.