Overview
This feature allows you to ingest asset inventory from your Microsoft Office 365 / Defender service. It will also ingest critical vulnerabilities highlighted by Defender and prioritize them using ThreatWorx’s threat intelligence.
Pre-requisites
Access to the Microsoft Defender APIs is required through an active subscription and an application entity with the required privileges.
The API endpoints that are currently accessed by this integration are:
https://api.securitycenter.microsoft.com/api/machines
https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities
Access to these APIs can be obtained by creating an app (Application) in Azure Portal as detailed here.
Please make sure the app has the READ permissions to the above APIs.
Twigs will use the ‘client ID’ and ‘client secret’ for the app to get an access token to connect to the APIs using OAuth.
Steps involved
Run the twigs command as follows to connect to O365 / Defender API service and ingest the asset inventory
twigs o365 --tenant_id AZURE_TENANT_ID --application_id CLIENT_ID --application_key CLIENT_SECRET
All inputs are mandatory.
Once the discovery is complete, all relevant assets / endpoints will be visible in the ThreatWorx console.