
Interpres Application - Microsoft Graph

  • Type: Endpoint
  • Vendor: Microsoft

This app integrates with Microsoft Graph Advanced to collect detections, alerts, and telemetry.

Vendor setup

  1. Log in to https://portal.azure.com
  2. Search for App registrations
  3. Click + New registration
  4. Enter "Interpres" for the app name. Leave the other defaults (Single-tenant, no Redirect URI). Click "Register".
  5. Copy the Application (client) ID and the Directory (tenant) ID over to the Interpres integration setup page
  6. Click Manifest
  7. Replace requiredResourceAccess with the following (the resourceAppId 00000003-0000-0000-c000-000000000000 is Microsoft Graph; "Scope" entries are delegated permissions, "Role" entries are application permissions):

```json
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" },
            { "id": "34d3bd24-f6a6-468c-b67c-0c365c1d6410", "type": "Scope" },
            { "id": "45cc0394-e837-488b-a098-1918f48d186c", "type": "Role" },
            { "id": "472e4a4d-bb4a-4026-98d1-0b0d74cb74a5", "type": "Role" },
            { "id": "dd98c7f5-2d42-42d3-a0e4-633161547251", "type": "Role" },
            { "id": "dc377aa6-52d8-4e23-b271-2a7ae04cedf3", "type": "Role" },
            { "id": "246dd0d5-5bd0-4def-940b-0421030a5b68", "type": "Role" },
            { "id": "bf394140-e372-4bf9-a898-299cfc7564e5", "type": "Role" },
            { "id": "b0afded3-3588-46d8-8b3d-9842eff778da", "type": "Role" },
            { "id": "40f97065-369a-49f4-947c-6a255697ae91", "type": "Role" },
            { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" },
            { "id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48", "type": "Role" },
            { "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd", "type": "Role" },
            { "id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4", "type": "Role" },
            { "id": "ae73097b-cb2a-4447-b064-5d80f6093921", "type": "Role" }
        ]
    }
]
```

As an alternative to step 7, you can add the same permissions by hand under API permissions > Add a permission > Microsoft Graph. Add each one as an Application permission where one exists (User.Read is delegated-only):

  • AuditLog.Read.All
  • DeviceManagementConfiguration.Read.All
  • Directory.Read.All
  • DirectoryRecommendations.Read.All
  • MailboxSettings.Read
  • Policy.Read.All
  • Policy.Read.PermissionGrant
  • RoleManagement.Read.All
  • SecurityAlert.Read.All
  • SecurityEvents.Read.All
  • SecurityIncident.Read.All
  • ThreatAssessment.Read.All
  • ThreatHunting.Read.All
  • User.Read

All of these are read-only, but once admin consent is granted they give the app tenant-wide read access to directory objects, mailbox settings, policies, and security alerts and incidents, so treat the client secret created below as a high-value credential.

  8. Click Save
  9. Click API permissions, then Grant admin consent for YOUR_TENANT. Until an admin consents, tokens issued to the app carry none of the application permissions above.
  10. Click Certificates & secrets, then New client secret
  11. Enter "Interpres" for the description and choose "12 months". Note the expiry date: the integration stops authenticating when the secret expires, so rotate it before then.
  12. Copy the client secret "Value" (not the Secret ID) over to the Interpres integration setup. The value is shown only once, immediately after creation.
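The setup above produces a tenant ID, a client ID and a client secret that the integration exchanges for a Graph access token using the OAuth 2.0 client-credentials grant. The following is an added example (not Interpres or Microsoft code) that builds that token request and then inspects the `roles` claim of the returned token to confirm admin consent actually granted every application permission the manifest asks for. The set of required roles is an assumption taken from the permission list above minus User.Read (a delegated scope); the tenant, client ID, secret and the sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Application (Role) permissions the setup above grants. Assumption: taken from the
# permission list on this page minus User.Read, which is a delegated scope.
REQUIRED_APP_ROLES = frozenset({
    "AuditLog.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "Directory.Read.All",
    "DirectoryRecommendations.Read.All",
    "MailboxSettings.Read",
    "Policy.Read.All",
    "Policy.Read.PermissionGrant",
    "RoleManagement.Read.All",
    "SecurityAlert.Read.All",
    "SecurityEvents.Read.All",
    "SecurityIncident.Read.All",
    "ThreatAssessment.Read.All",
    "ThreatHunting.Read.All",
})

# Audiences Entra ID puts in Graph access tokens: the resource URI (v1.0-style
# tokens) or the Graph application ID that appears as resourceAppId in the manifest.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.

    The /.default scope requests every application permission an admin has
    consented to for this app on the Graph resource; nothing else is obtainable
    with a client secret, which is why admin consent is a required setup step.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload of a compact JWS without checking the signature.

    Acceptable only for a token we just received straight from the token endpoint
    over TLS, to see what consent produced; it is NOT a way to authenticate a
    token presented by someone else (Graph verifies the signature on every call).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token, required=REQUIRED_APP_ROLES):
    """Return the required application permissions absent from the token's roles.

    A token issued before 'Grant admin consent' was clicked carries no `roles`
    claim at all, so every required permission comes back as missing.
    """
    claims = jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token is not for Microsoft Graph (aud={claims.get('aud')!r})")
    return sorted(set(required) - set(claims.get("roles", [])))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(claims):
    """Constructed token (real header/payload layout, dummy signature) so the
    check can run offline. Never fabricate tokens like this for anything real."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


# Constructed sample: admin consent was granted, but ThreatHunting.Read.All was
# left out of the manifest, so the token lacks that role.
SAMPLE_TOKEN = make_unsigned_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": sorted(REQUIRED_APP_ROLES - {"ThreatHunting.Read.All"}),
})

if __name__ == "__main__":
    url, body = build_token_request("<tenant_id>", "<client_id>", "<client_secret>")
    print(url)  # POST `body` (application/x-www-form-urlencoded) here with real values
    print(missing_app_roles(SAMPLE_TOKEN))  # ['ThreatHunting.Read.All']
```

If the list of missing roles is not empty after consent, the usual causes are a manifest edit that was never saved, or consent granted before the manifest was changed (re-grant it after editing permissions).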

App Configuration

App Parameters:

  • tenant_id (string): Tenant ID

  • client_id (string): Client ID

  • client_secret (password): Client Secret

  • max_search_size (numeric): The maximum number of alerts to fetch per poll. The poll (query) frequency defaults to 10 minutes.
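max_search_size caps how many alerts one poll pulls, which only works without losing data if the poller keeps a watermark between runs rather than querying "the last 10 minutes". The following is an added example (not Interpres code) of a poller that honours the cap while following Graph's @odata.nextLink paging and carries a createdDateTime watermark to the next run. It assumes the integration reads GET /security/alerts_v2 with standard OData $filter/$orderby/$top parameters; the Graph call is abstracted behind a `get_json(url)` callable so the logic runs offline against a constructed fake with made-up alerts.

```python
from urllib.parse import parse_qs, quote, urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"


def alerts_url(since_iso, page_size):
    """First-page URL: alerts created at or after the watermark, oldest first.
    Assumption: GET /security/alerts_v2 with the usual OData parameters."""
    filt = quote(f"createdDateTime ge {since_iso}", safe="")
    return (f"{GRAPH}/security/alerts_v2?$filter={filt}"
            f"&$orderby=createdDateTime%20asc&$top={page_size}")


def collect_alerts(get_json, since_iso, max_search_size, known_ids=frozenset(), page_size=100):
    """Fetch up to max_search_size new alerts, following @odata.nextLink.

    Returns (alerts, watermark). Stopping at the cap is safe only because the
    watermark is the createdDateTime of the last alert kept, not "now": the next
    poll resumes from there instead of silently skipping the overflow. The filter
    is "ge", so the alert at the watermark is returned again; known_ids drops it.
    """
    alerts, watermark = [], since_iso
    url = alerts_url(since_iso, min(page_size, max_search_size))
    while url and len(alerts) < max_search_size:
        page = get_json(url)
        for alert in page.get("value", []):
            if len(alerts) >= max_search_size:
                break
            if alert["id"] in known_ids:
                continue
            alerts.append(alert)
            watermark = max(watermark, alert["createdDateTime"])
        url = page.get("@odata.nextLink")
    return alerts, watermark


# Constructed sample data, not real Graph output: seven alerts one minute apart.
SAMPLE_ALERTS = [
    {"id": f"alert-{i}", "title": f"Suspicious sign-in {i}",
     "createdDateTime": f"2024-05-01T10:{i:02d}:00Z"}
    for i in range(1, 8)
]


def fake_graph(url):
    """Stand-in for Graph: honours the createdDateTime filter, serves three
    alerts per page regardless of $top (Graph may also return fewer than asked),
    and links pages with a $skiptoken the way nextLink does."""
    query = parse_qs(urlsplit(url).query)
    since = query["$filter"][0].split(" ge ")[1]
    skip = int(query.get("$skiptoken", ["0"])[0])
    matching = [a for a in SAMPLE_ALERTS if a["createdDateTime"] >= since]
    page = {"value": matching[skip:skip + 3]}
    if skip + 3 < len(matching):
        base = url.split("&$skiptoken=")[0]
        page["@odata.nextLink"] = f"{base}&$skiptoken={skip + 3}"
    return page


if __name__ == "__main__":
    # Poll 1 hits the cap of 5 and leaves two alerts unread; poll 2 picks them up.
    first, mark = collect_alerts(fake_graph, "2024-05-01T10:00:00Z", max_search_size=5)
    second, mark2 = collect_alerts(fake_graph, mark, 5, known_ids={a["id"] for a in first})
    print([a["id"] for a in first], mark)    # alert-1..alert-5, 2024-05-01T10:05:00Z
    print([a["id"] for a in second], mark2)  # alert-6, alert-7, 2024-05-01T10:07:00Z
```

If a tenant regularly produces more than max_search_size alerts per 10-minute window, the watermark keeps the poller correct but increasingly behind; raise the cap or shorten the frequency rather than dropping alerts.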

App Validation

After saving the integration, confirm that it shows connectivity (a green light). A red light usually means a wrong tenant or client ID, an expired or mis-copied secret Value, or admin consent that was never granted.

Implemented Actions

  • get_alerts: Gets the latest alerts.

  • get_available_telemetry: Returns a list of telemetry identifiers with their current status.

  • get_detections: Returns a list of detections.