Add Microsoft Defender Permissions

Add the Microsoft Defender connector.

Grant the registered application the appropriate permissions

  1. Log in to the Azure Admin portal.
  2. From the left side menu, click Microsoft Entra ID, then click App Registration.
  3. Under All applications, search for radiantsecurity-connector and open the app.
  4. On the left side menu, click API Permissions.
  5. Click + Add a permission.
  6. From the pop-out menu, select APIs my organization uses.
  7. Select WindowsDefenderATP and then select Application permissions.
  8. Select the following permissions:
    | API | Permission name | Required for Data Ingestion? | Use Case |
    |---|---|---|---|
    | WindowsDefenderATP | AdvancedQuery.Read.All | Yes | Collect endpoint events |
    | WindowsDefenderATP | Alert.Read.All | Yes | Collect endpoint alerts |
    | WindowsDefenderATP | File.Read.All | Yes | Collect additional info on files |
    | WindowsDefenderATP | Ip.Read.All | Yes | Endpoint activity - give the application permissions to collect additional info on IPs |
    | WindowsDefenderATP | Machine.Isolate | No | Endpoint Actions - allow the app to isolate compromised hosts (either automatically or through one-click) |
    | WindowsDefenderATP | Machine.Read.All | Yes | Endpoint activity - give the application permissions to collect additional info on users involved |
    | WindowsDefenderATP | Ti.ReadWrite, Ti.ReadWrite.All | No | Endpoint Actions - allow the app to allow/deny IOCs (either automatically or through one-click) |
    | WindowsDefenderATP | URL.Read.All | Yes | Endpoint activity - give the application permissions to collect additional info on domains |
    | WindowsDefenderATP | User.Read.All | Yes | Endpoint activity - give the application permissions to collect additional info on users involved |
  9. Click Add permissions to save your changes.
  10. Notice that the new permissions have been added. However, there is a warning message that admin consent is missing.
  11. To resolve this, click Grant admin consent for the Defender API.
  12. Click Yes in the confirmation pop-up window. The warnings have now been resolved.
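
One way to confirm that admin consent took effect, as an added example (not Radiant Security's or Microsoft's code): an app-only access token for the Defender API carries the granted application permissions in its `roles` claim, so decoding a token and comparing it with the table in step 8 shows any missing required permission and any response-action permission that was granted. The token below is constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

# Permission names exactly as listed in the table in step 8.
REQUIRED = {"AdvancedQuery.Read.All", "Alert.Read.All", "File.Read.All",
            "Ip.Read.All", "Machine.Read.All", "URL.Read.All", "User.Read.All"}
# Response-action permissions the table marks "No" for data ingestion.
OPTIONAL = {"Machine.Isolate", "Ti.ReadWrite", "Ti.ReadWrite.All"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(token: str) -> set:
    """Return the 'roles' claim of a JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(roles: set) -> dict:
    # Compare case-insensitively so a casing difference between the table
    # and the token is not reported as a missing permission.
    have = {r.lower(): r for r in roles}
    known = {p.lower() for p in REQUIRED | OPTIONAL}
    return {
        "missing_required": sorted(p for p in REQUIRED if p.lower() not in have),
        "response_actions_granted": sorted(p for p in OPTIONAL if p.lower() in have),
        "not_in_table": sorted(r for k, r in have.items() if k not in known),
    }


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"appid": "00000000-0000-0000-0000-000000000000",
                               "roles": roles}).encode())
    return f"{header}.{body}.sig"


# Constructed input: one required permission absent, one extra permission present.
SAMPLE = make_sample_token(["AdvancedQuery.Read.All", "Alert.Read.All", "File.Read.All",
                            "Ip.Read.All", "Machine.Read.All", "Url.Read.All",
                            "Machine.Isolate", "Machine.ReadWrite.All"])

if __name__ == "__main__":
    print(json.dumps(audit_roles(token_roles(SAMPLE)), indent=2))
```

A non-empty `not_in_table` list means the app registration holds more than this guide asks for and is worth reviewing against least privilege.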

Enable the Data Feed in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, click Settings > Data Connectors.
  3. On the Data Connectors page, find Microsoft O365.

  4. Hover over the connector and click Enable to enable data ingestion from Defender.


Last updated: 2024-08-23