Blue Hexagon integrates with Windows Defender ATP using Azure App API

To prepare the Azure App and set up API permissions, log in to the Azure AD portal at https://portal.azure.com/#home

Once logged in, navigate to Azure Active Directory on the navigation bar.

Inside Azure Active Directory, select App Registrations and you should see the screen below. To grant Blue Hexagon API access, a new application will need to be created. Select New Registration > Register an application.

After creating the new application, in Manage > API Permissions this application will need WindowsDefenderATP permissions (with Admin consent). Blue Hexagon requires the ability to Read and write all IOCs, Isolate machine, Stop and quarantine file, Collect Forensics, and Run advanced queries. After adding these permissions, select Grant admin consent for Blue Hexagon.

Once the permissions are set and admin consent is granted, select Certificates & secrets from the navigation bar and generate a new client secret.

Once the client secret is generated, send the Application ID and Directory ID (found on Overview) along with the Client Secret value to support@bluehexagon.ai to have our integration enabled.

Once enabled, Blue Hexagon detections can be found at Settings > Indicators on the navigation bar in https://securitycenter.microsoft.com/
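
To confirm that the app registration created in the steps above carries exactly the five permissions listed and nothing broader, the roles claim of a token issued to the app can be audited. This is an added example, not Blue Hexagon's or Microsoft's code. The role strings, token endpoint and resource URI are assumptions taken from Microsoft's public API naming and do not appear on this page, and the sample token is constructed.

```python
import base64, json, urllib.parse, urllib.request

# Assumed role values for the WindowsDefenderATP permissions named on this page.
REQUIRED_ROLES = {
    "Ti.ReadWrite.All",           # Read and write all IOCs
    "Machine.Isolate",            # Isolate machine
    "Machine.StopAndQuarantine",  # Stop and quarantine file
    "Machine.CollectForensics",   # Collect forensics
    "AdvancedQuery.Read.All",     # Run advanced queries
}
RESOURCE = "https://api.securitycenter.windows.com"  # assumed resource URI

def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials grant with the Directory ID, Application ID and secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def token_claims(jwt):
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(jwt):
    """Report permissions that are missing or broader than the page requires."""
    # A token issued before admin consent has no roles claim: all five are missing.
    granted = set(token_claims(jwt).get("roles", []))
    return {"missing": sorted(REQUIRED_ROLES - granted),
            "unexpected": sorted(granted - REQUIRED_ROLES)}

def _sample_token(roles):
    """Constructed, unsigned token so the audit can be exercised offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": RESOURCE, "roles": roles}), "sig"])

if __name__ == "__main__":
    sample = _sample_token(["Ti.ReadWrite.All", "Machine.Isolate", "Machine.ReadWrite.All"])
    print(audit_roles(sample))
```

Against a real tenant, pass the result of `fetch_token(...)` to `audit_roles`; an empty `missing` and `unexpected` list means the registration matches the permission set described above.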
