Configuring the BlueApp for Microsoft Defender ATP

Role Availability Read-Only Investigator Analyst Manager

Before you configure the BlueApp for Microsoft Defender Advanced Threat Protection (ATP), you must have the following information from your Microsoft Azure account:

  • Tenant ID (the Azure AD tenant that hosts your Defender subscription)
  • Application ID
  • Scope
  • Client Secret

See the Microsoft Defender ATP setup documentation for full details on registering the app and retrieving these values.

To ensure successful configuration, you must grant the following application permissions to your app and give them admin consent. The first six are defined by the WindowsDefenderATP (Microsoft Defender for Endpoint) API; the last two are Microsoft Graph permissions:

  • Alert.Read.All
  • Machine.Isolate
  • Machine.StopAndQuarantine
  • Ti.ReadWrite.All
  • Machine.Read.All
  • Machine.Scan
  • SecurityAlert.Read.All
  • SecurityIncident.Read.All

Note: Machine.Isolate, Machine.StopAndQuarantine, and Machine.Scan allow response actions on endpoints, so the client secret for this app is a high-value credential. Give it a short expiry, rotate it before it expires, and store it only in USM Anywhere and your secrets vault.

BlueApp for Microsoft Defender ATP Configurations

To set up the BlueApp for Microsoft Defender ATP, you first need to create an Azure Active Directory (Azure AD, now Microsoft Entra ID) application and record your Tenant ID, Application ID, Scope, and Client Secret during that process.

To enable the BlueApp for Microsoft Defender ATP

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select a sensor that can reach the integration endpoint: the HTTPS connections to the API originate from this sensor, so it must have outbound network access to the Microsoft Defender ATP API endpoints and to the Azure AD token endpoint.

  6. Enter the following items:

    • Application ID
    • Tenant ID
    • Scope
    • Client Secret
  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Microsoft Defender ATP APIs, a success icon displays in the Health column.

    If an error icon displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Microsoft Defender ATP connection.
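The check behind the "Verify the connection" step is an OAuth 2.0 client-credentials grant using the four values entered above, after which the BlueApp calls the Defender API with the resulting bearer token. The following added example (not code from USM Anywhere or Microsoft) shows that grant and, more usefully for troubleshooting, decodes the returned token to confirm that its roles claim actually carries the permissions listed earlier; a missing role usually means the permission was added but never given admin consent. The audience strings, the assignment of each permission name to the Defender or Graph API, the `/.default` scope form, and the `make_demo_token` helper that fabricates an unsigned token so the check runs offline are all assumptions of this example, not values the page states.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the page lists, grouped by the API that defines them.
# The grouping and the audience strings are assumptions based on Microsoft's
# published permission names, not something the page states.
REQUIRED_ROLES_BY_AUDIENCE = {
    "https://api.securitycenter.microsoft.com": {
        "Alert.Read.All", "Machine.Isolate", "Machine.StopAndQuarantine",
        "Ti.ReadWrite.All", "Machine.Read.All", "Machine.Scan",
    },
    "https://graph.microsoft.com": {
        "SecurityAlert.Read.All", "SecurityIncident.Read.All",
    },
}


def build_token_request(tenant_id, app_id, client_secret, scope):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant that
    uses the Tenant ID, Application ID, Scope and Client Secret fields."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": scope,  # assumed form: "<api audience>/.default"
    })
    return url, body


def request_token(tenant_id, app_id, client_secret, scope):
    """Run the grant against the token endpoint (needs network access from the
    host that runs it, exactly as the BlueApp's sensor does)."""
    url, body = build_token_request(tenant_id, app_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode a JWT payload WITHOUT verifying the signature. Acceptable for
    inspecting a token you just received over TLS from the issuer; never use
    this to accept a token presented to you by a client."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_roles(claims):
    """Return the required permissions absent from the token's 'roles' claim.
    App-only permissions that received admin consent show up as 'roles'."""
    audience = claims.get("aud", "").rstrip("/")
    required = REQUIRED_ROLES_BY_AUDIENCE.get(audience)
    if required is None:
        raise ValueError(f"token audience {audience!r} is not a Defender or Graph API")
    return required - set(claims.get("roles", []))


def make_demo_token(claims):
    """Constructed, unsigned token for offline demonstration only; the
    signature segment is a placeholder, not a real signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed token for an app consented to all but one Defender permission.
    demo = make_demo_token({
        "aud": "https://api.securitycenter.microsoft.com",
        "roles": ["Alert.Read.All", "Machine.Isolate", "Ti.ReadWrite.All",
                  "Machine.Read.All", "Machine.Scan"],
    })
    print("missing roles:", missing_roles(token_claims(demo)))
```

Because the Graph permissions live under a different audience, a single token never carries all eight roles; run the check once per scope you configured, and treat an unexpected audience as a sign that the Scope field is wrong rather than the permissions.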

Collect Logs from Microsoft Defender ATP

There are two ways to collect logs from Microsoft Defender ATP:

  • Through the Microsoft Defender for Endpoint API
  • From Azure Event Hubs

Important: Configure only one of these methods. Enabling both produces duplicate events.

The API Method

For the API method, since you've already connected to the API when configuring the BlueApp for Microsoft Defender ATP, the remaining task is to enable the log collection scheduler job in USM Anywhere.

To collect logs using the API

  1. In the USM Anywhere main menu, go to Settings > Scheduler and search for the collection job for the BlueApp.
  2. Enable the job if it is not already enabled. To customize the log collection rate, click the edit icon and set the desired interval for log collection.

The Azure Event Hubs Method

If you want to use Azure Event Hubs instead, you must first stream the logs from Microsoft Defender ATP to Azure Event Hubs, and then enable the Event Hubs log collection on your Azure Sensor.

To stream logs to Azure Event Hubs

  1. Log in to the Azure portal.
  2. Create an event hub. See Microsoft Azure Quickstart: Create an event hub using Azure portal for instructions.
  3. Go to the event hub you just created and click Shared access policies in the sidebar.
  4. Create or edit a policy, and then select Manage, Send, and Listen. Streaming to Event Hubs requires these permissions.

    Note: USM Anywhere only consumes events, which requires Listen. For least privilege, create a separate Listen-only policy for the sensor and paste that policy's connection string into USM Anywhere, so a leaked sensor configuration cannot be used to write to or reconfigure the event hub.
  5. Copy the connection string listed in the policy under Connection string-primary key.

    You need to enter this string when configuring the Event Hubs connection in USM Anywhere.

  6. Configure streaming for Microsoft Defender ATP logs. See Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs for instructions from Microsoft.

    Note: Make sure to enable Stream to an event hub and select the Event Hub you just created as the destination.

To configure Event Hubs in USM Anywhere

  1. Go to Data Sources > Sensors and open the Azure Sensor.
  2. Click the Configurations tab.
  3. Complete the three fields:

    • Event Hub Name: The name of the event hub created during initial setup.
    • Event Hub Connection String: A string containing the namespace endpoint, shared access policy name, and key for your Azure Event Hubs implementation. This is the string you copied in the previous procedure.
    • Event Hub Consumer Group: The name of your Event Hubs consumer group. Every event hub has a built-in group named $Default; you can find all consumer groups by opening your event hub's overview in the Azure portal and scrolling to the bottom of the page.
  4. (Optional.) Select Process generic events? to collect events for which USM Anywhere currently does not have a parser. These events will display as "GENERIC event" under Activity > Events.
  5. Click Save.
  6. Click the Event Hub tab to check the connection status and the number of events processed by each data source.
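Most failed Event Hub connections in this procedure come down to a mismatch between the three fields: a connection string copied from the namespace rather than the event hub, an EntityPath that differs from the Event Hub Name field, or a pasted string with a truncated key. The following added example (not code from USM Anywhere or Azure) parses a connection string of the form Azure shows under "Connection string-primary key", checks it against the Event Hub Name field before you save, and redacts the shared access key so the string can be shared in a ticket. The sample connection string is constructed; the namespace and hub names are placeholders and the public-cloud hostname pattern is an assumption.

```python
import re

# Constructed sample in the format Azure displays under
# "Connection string-primary key"; the key value is a placeholder.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-defender-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=usm-listen;"
    "SharedAccessKey=c29tZS1mYWtlLWtleS1mb3ItdGhlLWRlbW8=;"
    "EntityPath=defender-events"
)


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict. The shared access key is base64
    and may itself end in '=', so each segment is split at its first '=' only."""
    parts = {}
    for segment in conn.strip().strip(";").split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key] = value
    return parts


def check_connection_string(conn, event_hub_name):
    """Return a list of problems; an empty list means the string is consistent
    with the Event Hub Name field it will be paired with in USM Anywhere."""
    try:
        parts = parse_connection_string(conn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    endpoint = parts.get("Endpoint", "")
    if not endpoint.startswith("sb://"):
        problems.append("Endpoint must be an sb:// URI")
    elif not re.fullmatch(r"sb://[a-z0-9-]+\.servicebus\.windows\.net/?",
                          endpoint, re.IGNORECASE):
        # Other hostnames are legitimate in sovereign clouds; flag for review.
        problems.append(f"Endpoint {endpoint!r} is not a public-cloud Event Hubs namespace")
    for key in ("SharedAccessKeyName", "SharedAccessKey"):
        if not parts.get(key):
            problems.append(f"missing {key}")
    entity = parts.get("EntityPath")
    if entity is None:
        problems.append("no EntityPath: this is a namespace-level policy string; "
                        "copy the string from the event hub's own Shared access policies")
    elif entity != event_hub_name:
        problems.append(f"EntityPath {entity!r} does not match Event Hub Name {event_hub_name!r}")
    return problems


def redact(conn):
    """Mask the shared access key so the string can be logged or pasted into a ticket.
    'SharedAccessKeyName=' is left intact because the pattern requires '=' right
    after 'SharedAccessKey'."""
    return re.sub(r"(SharedAccessKey=)[^;]+", r"\1<redacted>", conn)


if __name__ == "__main__":
    print(redact(SAMPLE_CONNECTION_STRING))
    print(check_connection_string(SAMPLE_CONNECTION_STRING, "defender-events"))
    print(check_connection_string(SAMPLE_CONNECTION_STRING, "wrong-hub"))
```

A connection string that passes these checks can still fail at runtime if the policy lacks Listen or the consumer group name is wrong, so after saving, use the Event Hub tab described in step 6 to confirm that the processed-event count is increasing.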