MS 365 Defender Integration Error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MS 365 Defender Integration Error

L1 Bithead

Hi,

 

I'm installing MS 365 Defender Addon using the guide (https://xsoar.pan.dev/docs/reference/integrations/microsoft-365-defender), and the "Self-Deployed Application - Client Credentials Flow" method.

 

I have registered the app in Azure, and configured the addon with the App data (App Id, Secret, Tenant Id...) as in the guide.

 

When I execute the "!microsoft-365-defender-auth-start" command, I get an error:

 

MTubia_0-1673396136905.png

 

I have tested different values in the fields, but the command always returns this error.

 

How can I debug this error? Any clue?

 

Thanks for your help!!

Regards,

M.

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker
6 REPLIES 6

L2 Linker

Hi , 


If its still not resolved, May be best to create a support case. 

For debugging, change the log level in the integration as well as application level to debug mode and try running this a few time.

You can check to see if there more info in the logs or attach the logs in support case.

L2 Linker

For client credential flow you don't have to run that command, the integration should be ready to pull incidents. AFAIK auth-start starts the device code flow

 

L2 Linker

Also don't forget to check the box where it says self deployed in the integration configuration

 

mmmm may be this is the point, I'm testing.

Anyway, when executing the "microsoft-365-defender-advanced-hunting" command i get an error:

Invalid URL 'api-eu.security.microsoft.com/api/advancedhunting/run': No scheme supplied. Perhaps you meant http://api-eu.security.microsoft.com/api/advancedhunting/run?

Reading the doc (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?vi...), it says that the endpoint URL is "../api/advancedqueries/run", so I'm going to do some tests.

 

Thanks.

Regards.

M.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!