Skip to main content

Microsoft Defender

Updated

Qevlar AI platform integrates with Entra ID and Microsoft Defender via the Microsoft Graph API. This document describes how to set up API credentials and install them into the Qevlar platform.

Assign API Permissions

Now that the Azure AD application (service principal) is created with a client ID and secret, the next step is to grant it the necessary API permissions to read log data. This involves two parts: Microsoft Graph permissions (to allow reading directory or audit log info, if needed) and Azure Monitor Log Analytics API permissions (to allow querying Log Analytics). We will also grant admin consent for those permissions and assign the app access to the Log Analytics workspace via an Azure role.

Adding API permissions in Azure AD searching for the Log Analytics API to grant the app access to Azure Monitor Logs.

Minimum permissions to grant

Scopes Permissions Context
ThreatHunting.Read.All READ Microsoft Graph API
Data.Read.All READ Azure Monitor Logs API
  1. Open API Permissions
    Still on your app registration in Azure AD, click API permissions in the left menu. Then click the + Add a permission button.
Request API permissions interface
  1. Microsoft Graph Permissions (Application type)
    In the Request API permissions dialog, select Microsoft Graph (this is where you can allow the app to read Azure AD data via Graph). Choose Application permissions (since Qevlar will run as a background service, not as a signed-in user). Add the permissions your integration needs:
    • At minimum, for basic directory info, add Directory.Read.All (Read directory data). This allows the app to read users, groups, and other directory info which might be used to enrich security alerts.
    • If you plan to pull Azure AD activity logs (sign-in logs or audit logs) into Qevlar, also add AuditLog.Read.All (which permits reading of Azure AD audit and sign-in logs).
Microsoft Graph application permissions
  • After selecting the needed Graph permissions, click Add permissions. The new permissions will show up in the list as Not granted for [Your Tenant] initially (since they require admin approval).
  1. Grant Admin Consent for Graph
    Because the Graph permissions like Directory.Read.All are high-privilege (they allow access to all directory data), an admin must consent to them on behalf of the organization. If you are a Global Admin (or have the necessary role), click the Grant admin consent for YourTenant button on the API permissions page. Confirm the consent when prompted. This will approve the Graph API permissions so your app can use them. (If you are not an Azure AD admin, you'll need to ask one to sign in and grant these permissions for you.) After consent, the status should change to Granted for YourTenant.
Admin consent interface

  1. Azure Monitor Log Analytics API Permission
    Next, add the permission for Azure Monitor Logs:

    • Click Add a permission again. This time, under the APIs my organization uses tab (or Azure APIs), search for "Log Analytics API". Select Log Analytics API from the results.
     
    • Choose Delegated permissions (the Log Analytics API in this interface uses delegated permissions). From the available permissions, check Data.Read (allows read access to Log Analytics data).
    • Click Add permissions to add the Log Analytics Data.Read permission. This permission might show up as requiring user consent; however, since we'll be using the app's own credentials and have set up proper Azure role access, no interactive user consent is involved. You do not need to grant admin consent for this delegated permission in our scenario.Add requested API permissions

  2. Azure Role Assignment (Workspace Access)
    The app now has API permissions, but you must also give it access to the Log Analytics workspace itself:

    • In the Azure Portal, navigate to your Log Analytics Workspace that you want Qevlar to ingest logs from. Go to the workspace's Access control (IAM) settings.
    • Click Add role assignment (sometimes shown as + Add > Add role assignment). In the role selection, choose the Reader role for the workspace. This read-only role will allow the app to read log data.
    Workspace access control settings
    • For Assign access to, select User, group, or service principal, then click + Select members. Search for the name of the app you registered (e.g., "Qevlar Azure Monitor Integration"). Select the application from the results and click Select. 
       
    • Click Review + assign to finalize giving the app the Reader role on this workspace. After a moment, the service principal will be listed as a Reader in the Access control list for the workspace. (If you have multiple workspaces or subscriptions to integrate, repeat this role assignment for each one as needed.
Select members for role assignment
Info:

It can take up to 60 minutes for new role assignments or permissions to propagate in Azure. During this time, API calls (like log queries) might fail with a 403 Forbidden error until the permissions fully take effect. This is normal if you encounter permission errors on first try, wait a bit and try again once the permissions have propagated.

Gather Required Credentials

At this stage, you should have all the pieces of information required to configure the integration in Qevlar. Let's summarize and retrieve them:

Azure AD app overview showing the Application (client) ID and Directory (tenant) ID (blurred in this example).

Credential Description Location
Tenant ID The Directory (tenant) ID of your Azure AD tenant. This GUID can be found on the Azure AD overview page, or on the app's Overview page (as "Directory (tenant) ID"). It's the identifier for your Azure AD instance. Azure AD → App Overview page
Client ID The Application (client) ID of the app registration (the GUID for your Qevlar integration app). It's shown on the app's Overview page. Azure AD → App Overview page
Client Secret The client secret Value that you created earlier for the app. You will need to enter this in Qevlar. If the secret was lost or not saved, you'd have to generate a new one in Azure AD (as the value cannot be retrieved after creation). Saved securely when created

All these values: Tenant ID, Client ID, and Client Secret are required to set up the Azure Monitor Logs API connection. Keep them handy for the next step.

Configure Qevlar Integration

  1. Navigate to your Qevlar platform
  2. Select Integrations from the menu
Qevlar platform
  1. Locate Microsoft Graph and click +.
  2. In the dialog paste the Tenant ID, Client ID, and Client Secret you copied earlier.
Microsoft Defender Configuration Dialog
Warning:

Before proceeding, double-check each field for typos. An incorrect GUID or secret will cause the connection to fail. Ensure that the values correspond to the Azure app and workspace you set up.

  1. Click on Test to verify the connection and click on Test & Save to save the integration.
  2. The datasets will be automatically detected and selected.

Related articles