HomeMITRECVE JournalCarbonpediaDocsReleases
Microsoft 365 Defender

Microsoft 365 Defender

This guide explains how to integrate Microsoft 365 Defender (Microsoft Defender XDR) with RedCarbon.

Overview

The Microsoft 365 Defender integration allows RedCarbon to ingest incidents and alerts from the unified Microsoft XDR platform, including Defender for Endpoint, Identity, and Office 365.

Configuration

To configure the integration, you need to register an application in Azure Active Directory (Entra ID) and grant it permissions to access Microsoft 365 Defender APIs.

Step 1: Register an Application

  1. Log in to the Azure Portal with an account that has the Global Administrator role.
  2. Navigate to Azure Active Directory > App registrations > New registration.
  3. Enter a name (e.g., RedCarbon-Defender).
  4. Click Register.

App Registration

Step 2: Grant API Permissions

  1. On the application page, select API Permissions.

  2. Click Add permissions and add the following permissions.

  3. Check the table API/Permissions name.

  4. Check that the following permissions in Microsoft Graph are enabled:

    • SecurityAlert.Read.All — Reads alerts from Microsoft Defender XDR (Endpoint, Identity, Office 365, and Cloud Apps) in a unified format. This is the primary permission for the Alerts v2 API.
    • SecurityIncident.Read.All — Reads Incidents, which are containers that group related alerts together to show the full timeline of an attack. Using incidents is the recommended approach to avoid alert fatigue.
    • ThreatHunting.Read.All — Executes KQL (Kusto Query Language) queries against raw event data such as process creations and network connections stored in Microsoft Defender XDR, providing deeper access than alert-level data.

  5. Check that the following permissions in Microsoft Threat Protection are enabled:

    • Incident.ReadWrite.All — Reads and modifies incidents. Required if RedCarbon needs to ingest and update incidents, change their severity, or assign them to SOC analysts via the API.

  6. Important: Click Grant admin consent for [Organization Name] to activate the permissions.

Grant Permissions Grant Consent

Step 3: Create a Client Secret

  1. Navigate to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and expiration period.
  4. Click Add.
  5. Copy the Secret Value immediately.

Step 4: Gather Required IDs

From the Overview page of your application, copy:

  • Application (Client) ID
  • Directory (Tenant) ID

Overview

Step 5: Configure RedCarbon

  1. Log in to the RedCarbon Dashboard.
  2. Navigate to the customer's Integrations page.
  3. Select Microsoft 365 Defender.
  4. Paste the Tenant ID, Client ID, and Client Secret.
  5. Click Save and then Test.

Configure RedCarbon

Severity Mapping

Original SeverityRedCarbon Score
Informational0
Low10
Medium40
High70
Critical90