Microsoft Defender Incidents - need authentication / setup documentation

Greetings. Our CSM alerted us to the new ICON plugin “Microsoft Defender Incidents” today and I wanted to check it out. Link here: Rapid7 Extensions

That said, the “Setup” documentation is a bit sparse at this time, specifically how you go about setting up the authentication/credentials needed is not documented. Based on what it says, you need:

  • Client_id
  • Client_secret
  • Tenant_id

Based on that, I am guessing it needs to be set up as an AzureAD “Enterprise Application” with a certain set of permissions? But what permissions?

Anyway - asking in case anyone else has figured it out and can share what worked!

1 Like

@nick_defoe you need to create an app and then you can get the client id etc.
Create a secret for client secret:
Some permissions that we used while testing:

Hope this helps. Kindly let us know if you still have any questions.

Thanks
Bindu
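
One way to check the Client_id, Client_secret and Tenant_id from this thread before entering them in the plugin connection, as an added example that is not from the original posts or from Rapid7: it builds the client-credentials token request for the tenant and reports which application permissions the returned token carries. The resource URI and the permission names are assumptions the reader must supply, and the helper `constructed_token` only produces constructed sample data for offline testing.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_body) for an app-only (client credentials) token request."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests every application permission already consented on the app.
        "scope": resource.rstrip("/") + "/.default",
    }
    url = TOKEN_URL.format(tenant_id=urllib.parse.quote(tenant_id, safe=""))
    return url, urllib.parse.urlencode(form).encode()


def fetch_token(tenant_id, client_id, client_secret, resource):
    """Send the request (needs network access) and return the access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body)  # data present, so this is a POST
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def granted_roles(access_token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))  # application permissions appear in "roles"


def missing_permissions(access_token, required):
    """Permissions in `required` (reader-supplied) that the token does not carry."""
    return set(required) - granted_roles(access_token)


def constructed_token(claims):
    """Build an unsigned sample JWT for offline testing (constructed data)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

An empty result from `missing_permissions` means admin consent has been granted for everything in the list passed in; read the client secret from a secrets store or environment variable rather than hard-coding it.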

One year on and the setup documentation is still super minimal. The fact that the little setup info that there is isn’t on ‘Set up guides’ on What is InsightConnect? | InsightConnect Documentation (rapid7.com) makes me wonder if this is even still supported.

1 Like

Apparently it is still supported.

Managed to get this running in a test tenant, so progress :)