To set up your Microsoft Defender app in Cobalt for OAuth, you will need the following credentials from your Microsoft Azure account:

  • Client ID
  • Client Secret
  • Tenant ID
  • Scopes

Pre-requisites

  1. Microsoft Azure Account. You can create one here.

Required Settings

  • Mandatory Scopes
  1. User.Read
If you haven’t already created an app in Microsoft Azure, you will need to create one.

Creating an app in Microsoft Azure

To create a Microsoft Defender app and acquire the credentials listed above, follow the steps below:

  1. Log in to your Microsoft Azure account.
  2. Search for Microsoft Entra ID and select it from Services in the top search bar.
  3. Navigate to Overview in the side menu > Click on +Add > Select App Registration.
  4. Enter the App Name for your application and select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) under Supported Account Types.
  5. Go to your Apps catalog in Cobalt > Search for Microsoft Defender > Settings > Use your credentials > Callback Url > Copy it.
  6. Under the Redirect URI section, select Platform as Web, paste the Callback Url as the URL and click Register.

If you already have an app created, follow these steps to add the Redirect URL:

Select your Application > Select Authentication in the side menu > Under Platform configurations, press the Add a platform button > Select Web > Paste the Callback Url > Click on Configure > Click the Save button at the bottom.

  7. Navigate to Manage > API permissions in the side menu > Click on + Add a permission.
  8. Choose the Microsoft Graph card under Microsoft APIs > Choose Application permissions > Select the mandatory scope > Click on the Add Permissions button.
  9. For Defender-specific scopes, navigate to the APIs my organization uses tab > Search for WindowsDefenderATP and choose the required scopes from Delegated permissions.
  10. Navigate to Certificates and Secrets in the side menu and, under the Client Secrets tab, press the + New client secret button. Give a Description, select the best expiry for your application and click Add to create your credentials.
  11. Copy the displayed Client Secret under the Value column.
  12. Navigate to Overview in the side menu > Essentials tab > Copy the Client ID under Application (client) ID and Tenant ID under Directory (tenant) ID.

Configuring credentials in Cobalt

The App settings page lets you configure the authentication settings for an OAuth 2.0 based application. For your customers to authorize you to access their data, they first need to install your application. This page lets you set up your application credentials.

Cobalt lets you use pre-configured applications to play around. You can do so by selecting Use our credentials. However, if you wish to use your own application, select Use your own credentials. Provide the acquired Client Id and Client secret and save them.

Configuring Scopes

Cobalt lets you configure which permissions to request from your users when they install your application. Scopes can be added or removed on the App settings page, under the Permissions & Scopes section.

For some applications, Cobalt sets mandatory scopes which cannot be removed. Additional scopes can be selected from the drop-down. Cobalt also lets you add any custom scopes supported by the respective platform.

Once the scopes have been added to the application in Cobalt, go to your Microsoft Azure account and update the scopes to match those added in Cobalt.

Select the OAuth App created for Cobalt and follow Steps 8 and 9 above.

If you encounter a scopes missing or invalid scope error, make sure you are not passing any custom scope that is not supported by the platform, and that the scopes selected here are identical to the ones selected in the platform.
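One way to check for the mismatch described above, as an added example that is not part of Cobalt's or Microsoft's own tooling: it compares the scopes configured in Cobalt for one API against the `scp` (delegated) and `roles` (application) claims of an access token issued for that API. The function names, the sample token and the scope names in it are constructed for illustration; run it once per API, since an access token carries the scopes of a single audience.

```python
import base64
import json

# OpenID Connect scopes belong to the sign-in flow and are left out of the diff.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Diagnostic use only: never base an access decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def short_name(scope: str) -> str:
    """Drop a resource prefix: 'https://resource.example/X.Read' -> 'X.Read'."""
    return scope.rsplit("/", 1)[-1]


def scope_drift(configured, token):
    """Return scopes configured but not granted, and granted but not configured."""
    claims = jwt_claims(token)
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    wanted = {short_name(s) for s in configured}
    return {
        "missing": sorted(wanted - granted - OIDC_SCOPES),      # causes scope errors
        "unrequested": sorted(granted - wanted - OIDC_SCOPES),  # excess privilege
    }


def _b64(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample token; the scope names are sample values only.
SAMPLE_TOKEN = ".".join(
    [_b64({"alg": "none"}), _b64({"scp": "Alert.Read AdvancedQuery.Read"}), "sig"]
)

if __name__ == "__main__":
    configured_in_cobalt = ["Alert.Read", "Machine.Read", "offline_access"]
    print(scope_drift(configured_in_cobalt, SAMPLE_TOKEN))
```

Entries under `missing` point to scopes still to be added in Azure (Steps 8 and 9), while entries under `unrequested` are permissions the app registration holds but Cobalt never asks for, and are candidates for removal.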

Actions and triggers

Once the above setup is completed, you can create orchestrations for your use cases using Microsoft Defender actions and triggers. The following Microsoft Defender actions and triggers are supported by Cobalt.