Integrate MS Defender for Cloud with Autobahn Fit

Learn how to integrate Microsoft Defender for Cloud with Autobahn Fit


1. Why integrate Microsoft Defender for Cloud with Autobahn Fit


Microsoft Defender for Cloud is a cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments.

Integrating Microsoft Defender for Cloud with Autobahn Fit lets you see the assets and vulnerabilities that MS Defender discovered directly in Autobahn Fit. Once the integration is complete, Autobahn Fit scans the report's findings to correlate, consolidate, and contextualize the ingested data, which in turn informs risk and remediation priority.

2. Prerequisites and user permission

To enable the integration, you need to provide Autobahn Fit with the following MS Defender for Cloud data:

  • Tenant ID

  • App ID

  • App secret

To provide the information above, please make sure that:

  • Microsoft Defender for Cloud is enabled for your Azure subscription(s).

  • All subscriptions have the Defender for Cloud default policy enabled. 

  • The following privileges are needed for a user in Azure to generate the connection details:

    • Sufficient privileges/permissions to create an application.

    • Sufficient privileges/permissions to create a Service Principal account.

    • Sufficient privileges/permissions to assign the Service Principal account a "Reader" role to the relevant subscriptions.

a. Register new application

1 - Log in to the Azure Portal.

2 - Navigate to Azure Active Directory. Go to the App registrations and click the New Registration button.

 

3 - On the app registration page:

  • Name: Enter a name of your choice (e.g. Autobahn Fit)

  • AccountType: Accounts in the organizational directory only (Default Directory only - Single Tenant)

  • Redirect URI: This can be left blank.

4 - Click the Register button.

b. Get Client ID and Tenant ID

1 - Go to the Application overview page you have created above.

2 - Save the Client ID and Tenant ID so you can use them later to configure the Autobahn Fit integration.

c. Create Client Secret

When we register a new application in Azure, it does not have any client secrets. To create a Client Secret:

1 - Navigate to Certificates & Secrets from the left navigation.

2 - Click the New Client Secret button.

3 - Enter the Description and Expiry for the Client Secret and click the Add button. Once the secret expires, you will have to create a new one and set it up again in Autobahn Fit.

4 - The system adds the Client Secret and displays the details on the same page.

5 - Save the Client Secret to use it later in this article.

d. Assign reader role

After collecting the Client ID and Tenant ID, navigate to the Subscription page and assign a reader role to the subscriptions to sync Azure with Autobahn Fit. To assign the reader role:

1 - In the Azure Portal, search Subscriptions in the search bar and click it.

2 - On the Subscriptions page, the system displays all Azure subscriptions.

3 - Search and click the subscription to which you want to assign the reader role for the app. Then go to the Subscription Overview page on the Azure Portal.

4 - Click the Access Control (IAM) button from the left navigation.

5 - Click the Add button and then click the Add role assignment option.

If you don't have permission to assign roles, the Add role assignment option will be disabled.

6 - On the Role tab of the Add role assignment page, select the Reader role and click Next.

7 - Navigate to the Members tab, and click the + Select members button.

8 - A dropdown will appear. Select the app that you previously created from the list.

9 - Navigate to the Review + assign tab. If you have filled in all data correctly, click the Review + assign button and you are done.
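A least-privilege check for the role assignment made in the steps above, as an added example (not Autobahn Fit's code): it takes the parsed JSON printed by `az role assignment list --assignee <app-id> --all -o json` and flags anything other than Reader at subscription scope. The subscription IDs and sample records are constructed, and the function name is hypothetical.

```javascript
// Added example, not vendor code. Input: parsed JSON output of
//   az role assignment list --assignee <app-id> --all -o json
const SUBSCRIPTION_SCOPE = /^\/subscriptions\/[0-9a-f-]{36}$/i;

// Returns a list of findings; an empty list means the app has Reader on
// exactly the listed subscriptions and no other role anywhere.
function auditAssignments(assignments, allowedSubscriptions) {
  const allowed = new Set(allowedSubscriptions.map((s) => s.toLowerCase()));
  const covered = new Set();
  const findings = [];
  for (const a of assignments) {
    const scope = (a.scope || "").toLowerCase();
    const subId = scope.split("/")[2] || "";
    if (a.roleDefinitionName !== "Reader") {
      findings.push(`excess role "${a.roleDefinitionName}" at ${a.scope}`);
    } else if (!SUBSCRIPTION_SCOPE.test(scope)) {
      findings.push(`Reader at non-subscription scope ${a.scope}`);
    } else if (!allowed.has(subId)) {
      findings.push(`Reader on unlisted subscription ${subId}`);
    } else {
      covered.add(subId);
    }
  }
  for (const s of allowed) {
    if (!covered.has(s)) findings.push(`missing Reader on ${s}`);
  }
  return findings;
}

// Constructed sample: Reader on subscription A, a stray Contributor grant on a
// resource group, and nothing at all on subscription B.
const SUB_A = "00000000-0000-0000-0000-00000000000a";
const SUB_B = "00000000-0000-0000-0000-00000000000b";
const sampleAssignments = [
  { roleDefinitionName: "Reader", scope: `/subscriptions/${SUB_A}` },
  { roleDefinitionName: "Contributor", scope: `/subscriptions/${SUB_A}/resourceGroups/rg-demo` },
];
const demoAudit = () => auditAssignments(sampleAssignments, [SUB_A, SUB_B]);
```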

3. Integrate MS Defender for Cloud with Autobahn

After you have completed the above preparation, log in to your Autobahn Fit account and navigate to the Integrations page. On this page:

1 - Click on the Microsoft Defender for Cloud tile

2 - On the MS Defender for Cloud integration page, set up the connector as follows with the information you generated earlier.

  • For Tenant ID, enter the Azure App ID.

  • For the App ID, enter the Azure Subscription ID.

  • For API Token (Client Secret), enter the Azure App Secret. 

Then click the Test and Save button.

3 - To confirm the integration is complete, navigate to the Integration page. Once connected, the Microsoft Defender for Cloud tile shows an active toggle and gives you the option to edit the integration.

4. View imported scans on the Scans page

After you integrate MS Defender for Cloud with Autobahn Fit, it will take a maximum of 10 minutes for the data to be imported into the platform.

Once the data is imported, you can view vulnerability and asset data taken from MS Defender for Cloud on the Individual Issues and Assets pages. You can filter the data by origin/source to show this conveniently.

5. Enable/disable integration

After adding multiple instances to Autobahn Fit, you can disable the integration to temporarily stop fetching new data from MS Defender for Cloud by clicking the toggle button.

The credentials and previously fetched data will remain in Autobahn Fit. To disable the active integration, click the toggle in the instance card.

You can re-enable the integration by switching the toggle back 'on'. When re-enabled, the system will fetch data starting from the last fetching date.

6. Integration data mapping

After the integration is completed, Autobahn Fit pulls vulnerabilities and assets, and maps these into specific fields.

a. Data mapping machine / Assets

Based on the machine data that Autobahn Fit gets, here is how we map the data.

| Microsoft Defender for Cloud | Autobahn Fit asset |
| --- | --- |
| publicIpId | external_id |
| name | name |
| publicIp | IP |
| fqdn | DNS |

Note: MS Defender for Cloud does not provide tags related to the underlying assets. However, if you also enable the Microsoft Azure integration, the mapping will automatically happen and we can ingest the tags related to your Azure assets.

b. Data mapping assessments / Vulnerabilities

Based on the assessment data that Autobahn Fit gets, here is how we map the data.

| Microsoft Defender for Cloud | Autobahn Fit vulnerability |
| --- | --- |
| description | title |
| severity | severity |
| cves.title | cve (Decoupled into a single issue for each CVE) |

7. Vulnerability score mapping

All issues collected from Microsoft Defender for Cloud are assessed and enriched with our threat intelligence to reflect what we consider the correct severity. Microsoft Defender for Cloud relies on two built-in scanners for their results:

8. Status update mechanisms

Every day, Autobahn Fit syncs with the MS Defender for Cloud platform to get updates on existing vulnerabilities and assets, as well as to retrieve new ones (if any are added).

The table below lists how the status update mechanism works in the Microsoft Defender for Cloud connector for the vulnerabilities and assets in Autobahn Fit.

| Update type | Mechanism |
| --- | --- |
| Change of issue status from "Active" to "Remediated" | Please be aware that our MSDC integration updates daily, covering 100% of their scope. For non-scan-based integrations, any issues previously reported by the same asset but not present in the latest update will be automatically resolved. This ensures issue tracking is always up-to-date. In multi-credential scenarios, issue origin will be considered for accurate updates. |

Note: Asset or vulnerability updates on the vendor side are reflected on Autobahn Fit only on the next scheduled connector sync (the next day).
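The per-CVE decoupling from section 6b and the daily status update described above, sketched as an added example (not Autobahn Fit's code). The record shapes, the `origin` values, the matching key and the reopen behaviour are assumptions made for the sketch.

```javascript
// Added example (not Autobahn Fit's code). Field names follow the mapping table
// on this page; record shapes, `origin` and the matching key are assumptions.

// One Defender finding listing N CVEs becomes N issues, one per CVE.
function decouple(finding, assetId, origin) {
  const cves = finding.cves?.length ? finding.cves : [{ title: null }];
  return cves.map((c) => ({
    assetId,
    origin,                     // credential/instance that reported the issue
    title: finding.description, // description -> title
    severity: finding.severity, // severity    -> severity
    cve: c.title,               // cves.title  -> cve
    status: "Active",
  }));
}

const keyOf = (i) => [i.origin, i.assetId, i.title, i.cve].join("|");

// Daily sync for one origin. `assetsSeen` is the set of assets in this update.
// Issues of that origin and those assets that are absent from `latest` become
// "Remediated"; issues from other origins are never touched.
// Assumption: an issue that reappears is set back to "Active".
function reconcile(previous, latest, origin, assetsSeen) {
  const latestKeys = new Set(latest.map(keyOf));
  const knownKeys = new Set(previous.map(keyOf));
  const updated = previous.map((issue) => {
    if (issue.origin !== origin || !assetsSeen.has(issue.assetId)) return issue;
    return { ...issue, status: latestKeys.has(keyOf(issue)) ? "Active" : "Remediated" };
  });
  return updated.concat(latest.filter((i) => !knownKeys.has(keyOf(i))));
}

// Constructed sample; the CVE IDs are placeholders, not real identifiers.
const day1 = [
  ...decouple({ description: "Outdated TLS library", severity: "High",
    cves: [{ title: "CVE-0000-0001" }, { title: "CVE-0000-0002" }] }, "vm-a", "cred-1"),
  ...decouple({ description: "Weak SSH ciphers", severity: "Medium", cves: [] }, "vm-a", "cred-2"),
];
const day2 = decouple({ description: "Outdated TLS library", severity: "High",
  cves: [{ title: "CVE-0000-0002" }] }, "vm-a", "cred-1");

const demoSync = () => reconcile(day1, day2, "cred-1", new Set(["vm-a"]));
```

In the sample, the issue for the first placeholder CVE is resolved because it is missing from the second day's update, while the issue reported through `cred-2` on the same asset stays active.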

9. API Endpoints in Use

To get the data from Microsoft Defender for Cloud, we use Azure Resource Graph. We communicate with Azure Resource Graph through the official JavaScript library from Azure.

Quickstart: Your first JavaScript query - Azure Resource Graph

Machines or assets

microsoft.compute/virtualmachines
microsoft.network/networkinterfaces
microsoft.network/publicipaddresses
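
How records of these three resource types can be joined into the asset fields of the mapping table in section 6a, as an added example (not Autobahn Fit's code). The function name, the choice of the VM name for `name` and the sample records are assumptions; the property paths are the standard Azure Resource Manager ones.

```javascript
// Added example (not Autobahn Fit's code). Record shapes follow Azure Resource
// Manager properties; sample data below is constructed.
// Assumptions: the mapped "name" is the VM name, and a VM without a public IP
// yields no asset because external_id comes from publicIpId.

// ARM resource IDs are case-insensitive, so join on lower-cased IDs.
const norm = (id) => (id || "").toLowerCase();

function buildAssets(vms, nics, publicIps) {
  const nicById = new Map(nics.map((n) => [norm(n.id), n]));
  const pipById = new Map(publicIps.map((p) => [norm(p.id), p]));
  const assets = [];
  for (const vm of vms) {
    for (const ref of vm.properties?.networkProfile?.networkInterfaces ?? []) {
      const nic = nicById.get(norm(ref.id));
      for (const cfg of nic?.properties?.ipConfigurations ?? []) {
        const pip = pipById.get(norm(cfg.properties?.publicIPAddress?.id));
        if (!pip) continue; // private-only IP configuration
        assets.push({
          external_id: pip.id,                            // publicIpId -> external_id
          name: vm.name,                                  // name       -> name
          IP: pip.properties?.ipAddress ?? null,          // publicIp   -> IP
          DNS: pip.properties?.dnsSettings?.fqdn ?? null, // fqdn       -> DNS
        });
      }
    }
  }
  return assets;
}

// Constructed sample: web01 has a public IP (NIC referenced in different case),
// db01 is private-only.
const P = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers";
const nicRef = (n) => ({ properties: { networkProfile: { networkInterfaces: [{ id: n }] } } });
const vms = [
  { name: "web01", ...nicRef(`${P}/Microsoft.Network/networkInterfaces/WEB01-NIC`) },
  { name: "db01", ...nicRef(`${P}/Microsoft.Network/networkInterfaces/db01-nic`) },
];
const nics = [
  { id: `${P}/Microsoft.Network/networkInterfaces/web01-nic`, properties: { ipConfigurations: [
    { properties: { publicIPAddress: { id: `${P}/Microsoft.Network/publicIPAddresses/web01-pip` } } }] } },
  { id: `${P}/Microsoft.Network/networkInterfaces/db01-nic`,
    properties: { ipConfigurations: [{ properties: {} }] } },
];
const publicIpRecords = [
  { id: `${P}/Microsoft.Network/publicIPAddresses/web01-pip`,
    properties: { ipAddress: "203.0.113.10", dnsSettings: { fqdn: "web01.example.com" } } },
];
const demoAssets = () => buildAssets(vms, nics, publicIpRecords);
```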

Assessments of vulnerabilities

microsoft.security/assessments
microsoft.security/assessments/subassessments