Microsoft Defender Analytics Setup Guide
This manual offers detailed steps for configuring Microsoft Defender Analytics, assisting security teams in effortlessly setting up insights, automating the data gathering process, and maintaining a secure and efficient analytics environment.
Install Azure Defender Analytics
Setting up Azure Defender Analytics is straightforward. There is no need for on-premises infrastructure, as the app can be installed directly from Microsoft AppSource into your Power BI tenant. After installation, you have the option to explore the application with the provided sample data or request a fully functional trial license that lasts 30 days.
Prerequisites
To carry out this step, the user must possess a Power BI Pro license, a Power BI Premium Per User license, or the Power BI tenant must have a Power BI Premium license. For individuals interested in testing Azure Defender Analytics without immediately purchasing Microsoft licenses, Microsoft provides a free trial for the Power BI Pro license through self-service sign-up. Authorization to create an App Registration in Azure AD is necessary to set up the trial.
- Head to app.powerbi.com.
- Go to Apps
- Click Get apps
- Search for Defender Analytics.
- Click on Defender Analytics.
- Click on Get It Now.
- Click Install.
- A notification indicating that Defender Analytics is being installed will appear. After this notification has disappeared, you will know that Defender Analytics has been successfully installed. You can now access the app with the sample data provided, or you can connect your own data requesting a trial license key. Install.
- When you access the Defender Analytics workspace, you might see a notification that states, “You’re viewing this app with sample data. Connect your data.” This can be disregarded without concern. If you’re interested in exploring Defender Analytics prior to linking your data, it comes pre-installed with sample data. However, if you’d rather view your own data, continue to the next step in our documentation.
Request a Trial License Key
Please complete the following form to receive a trial license key by email. You should receive the key within 10 min of submitting the form. If you do not see the email, please check your junk folder. Note that only one key per email domain will be generated, if you or someone else from your organization has previously requested a key contact us at subscriptions@brickclay.com for assistance.
Sign-up for a fully functional 30-day free trial.
Send Trial Key RequestConfigure Power BI to Use Azure Microsoft Defender Analytics App
Now that your Azure App Registration is ready, let’s plug those values into your Power BI workspace so it can securely pull data from Microsoft Defender for Endpoint using the Azure Microsoft Defender Analytics product.
Step-by-Step Guide to Connect the App in Power BI
Go to Your Workspace
- Open https://app.powerbi.com
- From the left-hand navigation, click on Workspaces
- Click on the workspace where you deployed Azure Microsoft Defender Analytics App
Open Dataset Settings
- In your workspace, find the Azure Microsoft Defender Analytics semantic model (dataset)
- Hover your mouse over it — click the three vertical dots (⋮)
- Select Settings
Enter Your App Details in Parameters
- Scroll down to the Parameters section.
- You’ll see fields that require your Azure App Registration info.
- Fill in the following:
- Click Apply to save.
| Field Label | What to Enter |
|---|---|
| API Key | This is provided by Brickclay. |
| Azure AD Client ID | Paste your Application (client) ID from Azure. |
| Azure AD Client Secret |
Paste the Value from the client secret you created.
Don’t use the “Secret ID”!
|
| Azure AD Tenant ID | Paste your Directory (tenant) ID from Azure. |
Set Up Data Source Credentials
- Scroll down to Data source credentials
- For each listed data source, follow these steps:
-
Click Edit credentials
-
Select Authentication method as Anonymous
-
Set Privacy level to Organizational
-
Check Check Skip test connection
-
Click Sign In
- Repeat the above steps for each API URL listed under data source credentials
Set Up Data Source Credentials
Now that credentials and parameters are set:
- Go back to your semantic model
- Click the three dots (⋮) again
- Select Refresh now
- If all your information is correct, the data will start syncing securely from Microsoft Defender for Endpoint into Power BI.
That’s It!
- You’ve now:
- Created and secured an Azure App
- Granted API permissions for Microsoft Defender
- Connected the app with Power BI
- Configured credentials
- Refreshed live data
- Your Azure Microsoft Defender Analytics dashboard is now pulling in real-time insights from Microsoft Defender for Endpoint.
Step-by-Step Guide: How to Create an Azure App Registration for Microsoft Defender Analytics
This simple guide helps you set up a secure connection between Microsoft Defender for Endpoint and Azure Microsoft Defender Analytics using an Azure App Registration. Even if you have never done this before, just follow each step carefully.
What You Need Before Starting:
- A Microsoft Azure account.
- You must be logged in as a Global Administrator.
- You must also have Subscription Admin permission.
Part 1: Register the Application in Azure
Open App Registrations
- Go to:https://portal.azure.com
- Sign in using your Global Administrator account.
- In the search bar at the top, type App registrations and click on it.
- Click on the “+ New registration” button.”
Fill Out App Registration Details
- Enter a name for the app. Example: DefenderAnalyticsApp
- Under Supported account types, select:
- “Accounts in this organizational directory only”
- Leave the Redirect URI empty.
- Click the Register button.
Part 2: Add API Permissions to the App
We need to tell Azure what data this app can access.
Open API Permissions
- After registration, you’ll be taken to the app’s page.
- Click on “API permissions” from the left menu.
- Remove any default permissions by clicking the three dots … next to User.Read and selecting Remove permission
Add Microsoft Graph Permissions
- Click “+ Add a permission”.
- Click Microsoft Graph > Application permissions.
- Use the search box to find and check the following permissions:
- Application.Read.All
- Use the search box to find and check the following permissions:
- SecurityAlert.Read.All
- SecurityEvents.Read.All
- Use the search box to find and check the following permissions:
- SecurityIncident.Read.All
- Use the search box to find and check the following permissions:
- User.Read.All
- Click Add permissions at the bottom.
Add Defender Permissions
- Click “+ Add a permission”.
- Click “APIs my organization uses”.
- Search for WindowsDefenderATP and click it.
- Click Application permissions.
- Search and check the following:
- Alert.Read.All
- Search and check the following:
- Machine.Read.All
- Search and check the following:
- Score.Read.All
- Search and check the following:
- SecurityRecommendation.Read.All
- Search and check the following:
- Software.Read.All
- Search and check the following:
- User.Read.All
- Search and check the following:
- Vulnerability.Read.All
- Click Add permissions.
Grant Admin Consent
- Back in the API permissions page, click
- “Grant admin consent for [Your Org Name]”.
- Click “API permissions” from the left menu.
- Click Yes when asked for confirmation.
Part 3: Create a Secret Key (Password)
This is like a password your app will use to connect to Microsoft services.
Generate a Client Secret
- On the left menu, click Certificates & secrets.
- Click on “+ New client secret”.
- In the Description, enter something like DefenderSecretKey.
- Choose how long it should last (6 months, 12 months, etc.)
- Click Add.
- Copy the Value shown immediately. This is your secret key. You won’t be able to see it again later!
Part 4: Save Important IDs
- Click on Overview from the left menu.
- You will see these values:
- Application (client) ID -> Save this as your Client ID
- Directory (tenant) ID -> Save this as your Tenant ID
- You will use these along with the Client Secret to connect from Power BI or Fabric.
Summary of Required Permissions
| API | Permission Name | Description |
|---|---|---|
| Microsoft Graph | Application.Read.All | Read all applications |
| Microsoft Graph | SecurityAlert.Read.All | Read all security alerts |
| Microsoft Graph | SecurityEvents.Read.All | Read organization’s security events |
| Microsoft Graph | SecurityIncident.Read.All | Read all security incidents |
| Microsoft Graph | User.Read.All | Read full user profiles |
| WindowsDefenderATP | Alert.Read.All | Read Defender alerts |
| WindowsDefenderATP | Machine.Read.All | Read Defender machine profiles |
| WindowsDefenderATP | Score.Read.All | Read risk/vulnerability scores |
| WindowsDefenderATP | SecurityRecommendation.Read.All | Read security recommendations |
| WindowsDefenderATP | Software.Read.All | Read installed software |
| WindowsDefenderATP | User.Read.All | Read Defender user profiles |
| WindowsDefenderATP | Vulnerability.Read.All | Read vulnerability data |
You’re Done!
- Your app is now ready to connect securely with Microsoft Defender. You can use it to pull data into Power BI, Microsoft Fabric, or other systems securely.
- Make sure you store your Client ID, Tenant ID, and Client Secret (Value) in a safe place!
Configure Data Synchronization
Data is synchronized from the data sources to Power BI on a schedule as described here. Most customers sync approximately 3 times per day.
- Select Workspaces.
- Select the BI for Defender workspace.
- Select the Microsoft Defender Analytics workspace.
- Hover over the Azure Defender Analytics Semantic model Semantic model to reveal a menu (three vertical dots).
- Select Settings
- Expand Expand refresh.
- Enable Configure a refresh Schedule slider to On.
- Select Add another time and enter up to 8 times for the data synchronization to happen.
- Optionally, enter contacts to be notified of synchronization failures.
- Select Apply.