Microsoft Defender Incidents - need authentication / setup documentation

Greetings. Our CSM alerted us to the new ICON plugin “Microsoft Defender Incidents” today and I wanted to check it out. Link here: Rapid7 Extensions

That said, the “Setup” documentation is a bit sparse at this time; specifically, how you go about setting up the authentication/credentials needed is not documented. Based on what it says, you need:

  • Client_id
  • Client_secret
  • Tenant_id

Based on that, I am guessing it needs to be set up as an AzureAD “Enterprise Application” with a certain set of permissions? But what permissions?

Anyway - asking in case anyone else has figured it out and can share what worked!

@nick_defoe you need to create an app and then you can get the client id etc.
Create a secret for client secret:
Some permissions that we used while testing:

Hope this helps. Kindly let us know if you still have any questions.