Notice
If you have an existing Microsoft Defender for Cloud Apps (MDCA) security device, please use the instructions below to onboard a Microsoft Defender XDR security device in Workbench as soon as possible to avoid service disruption.
Please keep the MDCA device running along with your new XDR device; no action is needed on your part to remove it as Expel will disable the MDCA device in Workbench when appropriate.
What's Happening:
Microsoft is consolidating the alerting for Microsoft Defender for Cloud Apps (MDCA) and Defender for Identity into Microsoft Defender XDR. In conjunction with this, the API that Expel uses to support those integrations is changing and the current API will be retired, with all functionality moving to the Microsoft Defender XDR experience.
When the current API reaches end of life in March 2025, Expel will no longer receive data from Defender for Cloud Apps and Defender for Identity. By onboarding a Microsoft Defender XDR security device, Expel will continue monitoring these alerts without interruption.
This onboarding guide covers provisioning the Microsoft Entra ID application that Expel uses to query the Microsoft Graph API endpoints /security/alerts_v2, /security/incidents and /security/runHuntingQuery, which is how Expel Workbench collects alerts, incidents and hunting data from Microsoft Defender XDR.
Quick Start
Setup includes the following steps (select any step for detailed instructions):
- Add a Service Account for Console Access
- Create a Custom Microsoft Entra ID Application
- Add Microsoft Defender XDR as a Security Device in Workbench
Step 1: Add a Service Account for Console Access
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Note
Expel stores all login information our SOC analysts need for your devices in a password manager protected by MFA, and access to that information is governed by our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.
- Log in to the Azure portal as a Global Admin user, as you will need to be able to assign the Global Reader role.
- In the side navigation, select Microsoft Entra ID.
- Under Manage, select Users.
- Select New user > Invite external user.
- On the Invite external user page, configure the following:
- Email - enter "expel_analyst@expel.io".
- Send invite message - leave this checked.
- Message - enter a message (optional).
- Select the Assignments tab.
- Select Add role.
- On the Directory roles screen, search for and select the Global Reader role.
- Choose Select at the bottom.
- Select Review + Invite and then Invite to automatically send the invitation.
- After you send the invitation, the user account is added to the directory as a guest. Expel will accept the email invite and complete console access setup.
Step 2: Create a Custom Microsoft Entra ID Application
- In the Azure portal, use the search bar to navigate to App registrations and select New registration.
- On the Register an application screen, configure the following settings:
- Name - enter "Expel Defender XDR".
- Supported account types - select Accounts in this organizational directory only.
- Leave all other defaults on this page as is.
- Select Register.
- The settings page for the new "Expel Defender XDR" application appears. Copy and save the following values from this page in a safe place, as you will need to enter them into Workbench later:
- Application (client) ID
- Directory (tenant) ID
Note
If the new application page doesn't appear automatically, navigate to App registrations > View all applications > Expel Defender XDR.
- Under Client credentials, select Add a certificate or secret.
- Select New client secret.
- On the Add a client secret screen, configure the following settings:
- Description - enter "Expel API".
- Expires - select 730 days (24 months).
- Select Add.
- The Certificates & secrets page appears. Copy the Value and save it to a safe place; you will need it later and it will not be shown again after you leave this page. Record the Expires date as well: when the secret expires, the Workbench integration stops collecting data until you create a new secret and update the security device in Workbench.
- In the left side navigation, select API permissions.
- Select Add a permission.
- Select Microsoft Graph > Application permissions.
- Search for and select each of the following permissions:
- SecurityAlert.Read.All
- SecurityEvents.Read.All
- ThreatHunting.Read.All
- SecurityIncident.Read.All
- Select Add permissions.
- Review the completed list of permissions and confirm that all four are present. The User.Read delegated permission, which is added automatically to every new registration, can be left in place.
- Grant admin consent for the permissions by selecting Grant admin consent for [Tenant Name], and confirm that the Status column shows Granted for [Tenant Name] next to each permission. Without consent, tokens are still issued to the application but carry none of these permissions, and Graph rejects the queries with HTTP 403.
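To confirm the app registration works before entering its credentials in Step 3, here is an added Python check (it is not Expel's code and is not part of the original guide). It acquires an app-only token with the client credentials from this step, checks that the token's roles claim carries the four application permissions granted above, and makes a minimal request to each of the three Graph endpoints the guide names. The `$top=1` query parameter, the `AlertInfo | take 1` hunting query and the `make_unsigned_sample_token` helper (used only for offline self-tests) are assumptions of this example, not what Expel runs.

```python
"""Pre-flight check for the "Expel Defender XDR" app registration.

Obtains an app-only token with the client credentials from Step 2, confirms
the token carries the four application permissions granted there, and probes
the three Graph security endpoints that Expel Workbench will query.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Application permissions granted in Step 2. After admin consent, each one
# appears verbatim in the "roles" claim of an app-only access token.
REQUIRED_ROLES = (
    "SecurityAlert.Read.All",
    "SecurityEvents.Read.All",
    "ThreatHunting.Read.All",
    "SecurityIncident.Read.All",
)

# Endpoints named in the guide, with a minimal request for each. The hunting
# query and "$top=1" are assumptions for this check, not what Expel runs.
PROBES = {
    "/security/alerts_v2?$top=1": None,
    "/security/incidents?$top=1": None,
    "/security/runHuntingQuery": {"Query": "AlertInfo | take 1"},
}


def decode_jwt_payload(token):
    """Return the claims of a JWT *without* verifying its signature.

    Acceptable only for inspecting a token we just received over TLS from the
    issuer; never use this to trust a token presented by someone else.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims):
    """List the required app roles that the token's 'roles' claim lacks."""
    granted = set(claims.get("roles", []))
    return [role for role in REQUIRED_ROLES if role not in granted]


def make_unsigned_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline self-tests."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.unsigned"


def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant against the tenant's v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(url, data=body) as resp:
        return json.load(resp)["access_token"]


def probe(token, path, body=None):
    """GET (or POST when a body is given) a Graph path; return (status, detail)."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST" if body is not None else "GET",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")[:200]


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <directory-id> <application-id> <client-secret>")
        return 2
    token = get_token(*argv[1:])
    missing = missing_roles(decode_jwt_payload(token))
    if missing:
        # A token is issued even without admin consent; it just carries no roles.
        print("token lacks app roles (admin consent not granted?):", ", ".join(missing))
    for path, body in PROBES.items():
        status, detail = probe(token, path, body)
        print(status, path, "" if status < 400 else detail)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_xdr_app.py <directory-id> <application-id> <client-secret>` with the three values saved in this step. A token that comes back without the four roles, or a 403 from any endpoint, means admin consent was not granted (or has not propagated yet), which is the failure Workbench would otherwise surface only as a silent lack of data.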
Step 3: Add Microsoft Defender XDR as a Security Device in Workbench
Now that you have the correct access configured and noted the credentials, you can integrate your tech with Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “XDR” and then select the Microsoft Defender XDR integration.
- A configuration pane displays. Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName Microsoft Defender XDR”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Directory ID - enter the Directory (tenant) ID value from Step 2.
- Application ID - enter the Application (client) ID value from Step 2.
- Client secret - enter the Client secret Value from Step 2.
- Select Save.
- On the Why give Expel console access? screen, select Set up later from the dropdown, as Expel is completing console access setup on our side.