Interpres Application - Microsoft Graph

Type: Endpoint
Vendor: Microsoft
This app integrates with Microsoft Graph Advanced to get detections, alerts, and telemetry
Vendor setup
Login to https://portal.azure.com﻿
Search for App registrations
﻿
Click + New registration
﻿
Enter "Interpres" for the app name. Leave the other defaults (Single-tenant, no Redirect URI). Click "Register".
﻿
Copy the application (client) ID and the Directory (tenant) ID over to the Interpres integration setup page
﻿
Click Manifest
﻿
Replace requiredResourceAccess with the following:
JSON
"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				},
				{
					"id": "34d3bd24-f6a6-468c-b67c-0c365c1d6410",
					"type": "Scope"
				},
				{
					"id": "45cc0394-e837-488b-a098-1918f48d186c",
					"type": "Role"
				},
				{
					"id": "472e4a4d-bb4a-4026-98d1-0b0d74cb74a5",
					"type": "Role"
				},
				{
					"id": "dd98c7f5-2d42-42d3-a0e4-633161547251",
					"type": "Role"
				},
				{
					"id": "dc377aa6-52d8-4e23-b271-2a7ae04cedf3",
					"type": "Role"
				},
				{
					"id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
					"type": "Role"
				},
				{
					"id": "bf394140-e372-4bf9-a898-299cfc7564e5",
					"type": "Role"
				},
				{
					"id": "b0afded3-3588-46d8-8b3d-9842eff778da",
					"type": "Role"
				},
				{
					"id": "40f97065-369a-49f4-947c-6a255697ae91",
					"type": "Role"
				},
				{
					"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
					"type": "Role"
				},
				{
					"id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
					"type": "Role"
				},
				{
					"id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
					"type": "Role"
				},
				{
					"id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
					"type": "Role"
				},
				{
					"id": "ae73097b-cb2a-4447-b064-5d80f6093921",
					"type": "Role"
				}
			]
		}
	]
"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				},
				{
					"id": "34d3bd24-f6a6-468c-b67c-0c365c1d6410",
					"type": "Scope"
				},
				{
					"id": "45cc0394-e837-488b-a098-1918f48d186c",
					"type": "Role"
				},
				{
					"id": "472e4a4d-bb4a-4026-98d1-0b0d74cb74a5",
					"type": "Role"
				},
				{
					"id": "dd98c7f5-2d42-42d3-a0e4-633161547251",
					"type": "Role"
				},
				{
					"id": "dc377aa6-52d8-4e23-b271-2a7ae04cedf3",
					"type": "Role"
				},
				{
					"id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
					"type": "Role"
				},
				{
					"id": "bf394140-e372-4bf9-a898-299cfc7564e5",
					"type": "Role"
				},
				{
					"id": "b0afded3-3588-46d8-8b3d-9842eff778da",
					"type": "Role"
				},
				{
					"id": "40f97065-369a-49f4-947c-6a255697ae91",
					"type": "Role"
				},
				{
					"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
					"type": "Role"
				},
				{
					"id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
					"type": "Role"
				},
				{
					"id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
					"type": "Role"
				},
				{
					"id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
					"type": "Role"
				},
				{
					"id": "ae73097b-cb2a-4447-b064-5d80f6093921",
					"type": "Role"
				}
			]
		}
	]
﻿
As an alternative to Step 7, you can manually add the following permissions (as Application):
Text
Microsoft Graph
---------------
AuditLog.Read.All
DeviceManagementConfiguration.Read.All
Directory.Read.All
DirectoryRecommendations.Read.All
DirectoryRecommendations.Read.All
MailboxSettings.Read
Policy.Read.All
Policy.Read.PermissionGrant
RoleManagement.Read.All
SecurityAlert.Read.All
SecurityEvents.Read.All
SecurityIncident.Read.All
ThreatAssessment.Read.All
ThreatHunting.Read.All
User.Read
Microsoft Graph
---------------
AuditLog.Read.All
DeviceManagementConfiguration.Read.All
Directory.Read.All
DirectoryRecommendations.Read.All
DirectoryRecommendations.Read.All
MailboxSettings.Read
Policy.Read.All
Policy.Read.PermissionGrant
RoleManagement.Read.All
SecurityAlert.Read.All
SecurityEvents.Read.All
SecurityIncident.Read.All
ThreatAssessment.Read.All
ThreatHunting.Read.All
User.Read
﻿
Click Save
﻿
Click API permissions then Grant admin consent for YOUR_TENANT
﻿
Click Certificates & Secrets then New client secret
﻿
Enter "Interpres" for the description and choose "12 months".
﻿
Copy the client secret "Value" over to the Interpres integration setup.
App Configuration
App Parameters:
tenant_id (string): Tenant ID
client_id (string): Client ID
client_secret (password): Client Secret
max_search_size (numeric): The maximum number of alerts to grab per query frequency. The query frequency is set to 10 minutes by default.
App Validation
Check there is connectivity (green light) in the integration created.
Implemented Actions
get_alerts: Gets the latest alerts.
get_available_telemetry: Returns a list of telemetry identifiers with their current status.
get_detections: Returns a list of detections.
﻿
Did this page help you?
Interpres Application - Microsoft Defender for Endpoint
Interpres Application - Microsoft Sentinel