Add Microsoft Defender Permissions

Add the Microsoft Defender data connector.

In this guide, you will set up a trusted relationship between Radiant and your Microsoft Defender account to allow Radiant to collect endpoint events, alerts, actions, and activity.

Grant the registered application the appropriate permissions

  1. Log in to the Azure Admin portal.

  2. From the left side menu, click Microsoft Entra ID, then click App Registration.

  3. Under All applications, search for radiantsecurity-connector and open the app.

  4. On the left side menu, click API Permissions.

  5. Click + Add a permission.

  6. From the pop-out menu, select APIs my organization uses.

  7. Select WindowsDefenderATP and then select Application permissions.

  8. Select the following permissions:

| API | Permission name | Required for Data Ingestion? | Use Case |
| --- | --- | --- | --- |
| WindowsDefenderATP | AdvancedQuery.Read.All | Yes | Collect endpoint events |
| WindowsDefenderATP | Alert.Read.All | Yes | Collect endpoint alerts |
| WindowsDefenderATP | File.Read.All | Yes | Collect additional info on files |
| WindowsDefenderATP | Ip.Read.All | Yes | Endpoint activity—give the application permissions to collect additional info on IPs |
| WindowsDefenderATP | Machine.Isolate | No | Endpoint actions—allow the app to isolate compromised hosts (either automatically or through one-click) |
| WindowsDefenderATP | Machine.Read.All | Yes | Endpoint activity—give the application permissions to collect additional info on users involved |
| WindowsDefenderATP | Ti.ReadWrite, Ti.ReadWrite.All | No | Endpoint actions—allow the app to allow/deny IOCs (either automatically or through one-click) |
| WindowsDefenderATP | URL.Read.All | Yes | Endpoint activity—give the application permissions to collect additional info on domains |
| WindowsDefenderATP | User.Read.All | Yes | Endpoint activity—give the application permissions to collect additional info on users involved |

  9. Click Add permissions to save your changes.

  10. Notice that the new permissions have been added. However, there is a warning message that admin consent is missing.

  11. To resolve this, click Grant admin consent for the Defender API.

  12. Click Yes in the confirmation pop-up window. The warnings have now been resolved.
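
To confirm the grant matches the permission table, the following added example (not part of Radiant's or Microsoft's documentation) compares the `roles` claim of an app-only access token against the table. It assumes the token issued to the app for the WindowsDefenderATP API lists the consented application permissions in `roles`; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Permissions from the table above; REQUIRED are the rows marked "Yes".
REQUIRED = {
    "AdvancedQuery.Read.All", "Alert.Read.All", "File.Read.All", "Ip.Read.All",
    "Machine.Read.All", "URL.Read.All", "User.Read.All",
}
# Rows marked "No": response actions, needed only if the app should act on hosts/IOCs.
OPTIONAL = {"Machine.Isolate", "Ti.ReadWrite", "Ti.ReadWrite.All"}


def token_roles(jwt: str) -> set[str]:
    """Return the `roles` claim of a JWT. Inspection only: the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit(jwt: str) -> dict[str, list[str]]:
    """Compare the granted application permissions against the table."""
    roles = token_roles(jwt)
    return {
        "missing_required": sorted(REQUIRED - roles),       # ingestion will be incomplete
        "optional_granted": sorted(OPTIONAL & roles),       # write/response scopes in use
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),  # beyond what the guide asks for
    }


def make_sample_token(roles: list[str]) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.sig"


if __name__ == "__main__":
    # Constructed sample: Ip.Read.All was not consented, and one extra permission
    # (a made-up name, not a real Defender permission) was granted by mistake.
    granted = sorted(REQUIRED - {"Ip.Read.All"}) + ["Machine.Isolate", "Constructed.Extra.Permission"]
    for finding, names in audit(make_sample_token(granted)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

An empty `missing_required` list means every permission marked "Yes" is consented; anything under `unexpected` is a candidate for removal under least privilege.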

Enable the data feed in Radiant Security

  1. From the navigation menu, click Settings > Data Connectors.

  2. Under the Data Connectors page, find Microsoft O365.

  3. Hover over the connector and click Enable to enable data ingestion from Defender.
