Integrate MS Defender for Cloud with Autobahn Fit

Learn how to integrate Microsoft Defender for Cloud with Autobahn Fit

Table of contents

Why integrate Microsoft Defender for Cloud with Autobahn Fit

Status update mechanisms

API Endpoints in use


Why integrate Microsoft Defender for Cloud with Autobahn Fit

Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments.

Integrating Microsoft Defender for Cloud with Autobahn Fit allows you to view assets and vulnerabilities in Autobahn Fit. Once the integration is complete, Autobahn Fit scans the report's findings to correlate, consolidate, and contextualize the ingested data to inform risk and remediation priority.

Prerequisites and user permission

To enable the integration, you need to provide the following MS Defender for Cloud details:

  • Tenant ID

  • App ID

  • App secret

To provide the information above, please make sure that:

  • Microsoft Defender for Cloud is enabled for your Azure subscriptions.

  • All subscriptions have the Defender for Cloud default policy enabled. 

  • The following privileges are needed for a user in Azure to generate the connection details:

    • Sufficient privileges/permissions to create an application.

    • Sufficient privileges/permissions to create a Service Principal account.

    • Sufficient privileges/permissions to assign the Service Principal account a "Reader" role on the relevant subscriptions.

Register new application on MS Defender for Cloud

1 - Log in to the Azure Portal.

2 - Navigate to Azure Active Directory. Go to App registrations and click the New Registration button.

 

3 - On the app registration page:

  • Name: Enter a name of your choice (e.g. Autobahn Security)

  • AccountType: Accounts in the organizational directory only (Default Directory only - Single Tenant)

  • Redirect URI: This can be left blank.

4 - Click the Register button.

Get the Client ID and Tenant ID

1 - Go to the overview page of the application you created above.

2 - Save the Client ID and Tenant ID on your system for later use when configuring the Autobahn Fit integration.

Create the Client’s Secret

When we register a new application in Azure, it does not have any client secrets. To create a Client Secret:

1 - Navigate to Certificates & Secrets from the left navigation.

2 - Click the New Client Secret button.

3 - Enter the Description and Expiry for the Client Secret and click the Add button.

4 - The system adds the Client Secret and displays the details on the same page.

5 - Save the Client Secret on your system for later use when configuring Azure in Autobahn Security.

Assign reader role in the subscriptions to the created app

After collecting the Client ID and Tenant ID, navigate to the Subscription page and assign a reader role to the subscriptions to sync Azure with Autobahn Security. To assign the reader role:

1 - In the Azure Portal, search for Subscriptions in the search bar and click it.

2 - On the subscriptions page, the system displays all your Azure subscriptions. Search for and click the subscription to which you want to assign the reader role for the app. Then go to the Subscription Overview page on the Azure Portal.

3 - Click the Access Control (IAM) button from the left navigation.

4 - Click the Add button and then click the Add role assignment option.

If you don't have permission to assign roles, the Add role assignment option will be disabled.

5 - On the Role tab of the Add role assignment page, select the Reader role and click Next.

6 - Navigate to the Members tab, and click the + Select members button.

7 - A dropdown will appear. Select the App that you previously registered from the list.

8 - Navigate to the Review + assign tab. If all the data is correct, click the Review + assign button and you are done. 🎉

Integrate MS Defender for Cloud with Autobahn

After the preparation in MS Defender for Cloud is complete, log into your Autobahn Fit account and navigate to the Integrations page. On this page:

1 - Click on the Microsoft Defender for Cloud tile

2 - In the MS Defender for Cloud integration page, set up the Connector as follows with the information you generated earlier.

  • For Tenant ID, enter the Azure App ID.

  • For the App ID, enter the Azure Subscription ID.

  • For API Token (Client Secret), enter the Azure App Secret. 

Then click the Test and Save button.

3 - To confirm the integration is complete, navigate to the Integration page. Once connected, the Microsoft Defender for Cloud tile will show an active toggle and the option to edit.

View your pulled scans on the Scans page

After you integrate your MS Defender for Cloud with Autobahn Fit, it will take a maximum of 10 minutes for the data to be imported into Autobahn Fit.

Once the data is imported, you can view your vulnerabilities and assets data taken from MS Defender for Cloud on the Individual Issues and Assets page. Filter the data by origin/source to view the assets and issues pulled from MS Defender for Cloud.

Enable/Disable integration

After adding multiple instances to Autobahn Fit, you can disable the integration to temporarily stop fetching new data from MS Defender for Cloud by clicking the toggle button.

The credentials and previously fetched data will remain in Autobahn Fit. To disable the active integration, click the toggle in the instance card.

You can re-enable the integration by switching the toggle back. When re-enabled, the system will fetch the data from the last fetching date.

Integration data mapping

After the integration is completed, Autobahn Fit pulls vulnerability and asset data and maps it to Autobahn Fit pages and fields.

Data mapping machine / Assets

Based on the machine data that we got from MSDC, here is how we map the data.

| Microsoft Defender for Cloud | Autobahn Fit asset |
|---|---|
| publicIpId | external_id |
| name | name |
| publicIp | IP |
| fqdn | DNS |

Note: MS Defender for Cloud does not provide tags related to the underlying assets. However, if you also enable the Microsoft Azure integration, the mapping will happen automatically and we can ingest the tags related to your Azure assets.

Data mapping assessments / Vulnerabilities

Based on the assessment data that we get from MSDC, here is how we map the data.

| Microsoft Defender for Cloud | Autobahn Fit Issue |
|---|---|
| description | title |
| severity | severity |
| cves.title | cve (Decoupled into a single issue for each CVE) |

Vulnerability score mapping

All the collected issues from Microsoft Defender for Cloud are assessed and enriched with our threat intelligence to reflect the severity. Microsoft Defender for Cloud relies on two built-in scanners for their results:

Status update mechanisms

Every day, Autobahn Fit syncs with the MSDC platform to get updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).

The table below lists how the status update mechanism works in the Microsoft Defender for Cloud connector for the vulnerabilities and assets in Autobahn Fit.

| Update type | Mechanism |
|---|---|
| Change of issue status from "Active" to "Remediated" | Please be aware that our MSDC integration updates daily, covering 100% of their scope. For non-scan-based integrations, any issues previously reported by the same asset but not present in the latest update will be automatically resolved. This ensures your issue tracking is always up-to-date. In multi-credential scenarios, issue origin will be considered for accurate updates. |

Note: Asset or vulnerability updates on the vendor side are reflected on Autobahn Fit only on the next scheduled connector sync (the next day).
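
The CVE decoupling from the data mapping section and the "Active" to "Remediated" update described above, sketched as an added example (not Autobahn Fit's own code). The `assetId` and `origin` fields, the issue identity used for matching, and the re-activation of a reappearing issue are assumptions made for illustration.

```javascript
// Added illustration; record shapes and field names are assumptions.
// One assessment -> issues: description -> title, severity -> severity,
// and one issue per entry in cves (cves.title -> cve).
function toIssues(assessment, origin) {
  const base = {
    assetId: assessment.assetId, // hypothetical link to the asset
    title: assessment.description,
    severity: assessment.severity,
    origin, // hypothetical: which credential/instance reported it
    status: "Active",
  };
  const cves = assessment.cves || [];
  if (cves.length === 0) return [{ ...base, cve: null }];
  return cves.map((c) => ({ ...base, cve: c.title }));
}

// Assumed issue identity: origin + asset + title + CVE.
const issueKey = (i) => JSON.stringify([i.origin, i.assetId, i.title, i.cve]);

// Apply one full sync from `origin` to the stored issues.
function reconcile(stored, assessments, origin) {
  const latest = new Map();
  for (const a of assessments)
    for (const issue of toIssues(a, origin)) latest.set(issueKey(issue), issue);
  const kept = stored.map((issue) => {
    if (issue.origin !== origin) return issue; // other credential: untouched
    const fresh = latest.get(issueKey(issue));
    if (!fresh) return { ...issue, status: "Remediated" }; // absent from sync
    latest.delete(issueKey(issue));
    return { ...issue, severity: fresh.severity, status: "Active" };
  });
  return kept.concat([...latest.values()]); // remaining entries are new issues
}

// Constructed sample data; the CVE ids are placeholders, not real findings.
function demo() {
  const finding = (cves) => ({ assetId: "vm-a", description: "Outdated library",
    severity: "High", cves: cves.map((title) => ({ title })) });
  const stored = [
    ...toIssues(finding(["CVE-0000-0001", "CVE-0000-0002"]), "tenant-1"),
    ...toIssues(finding(["CVE-0000-0001"]), "tenant-2"),
  ];
  const latestSync = [
    finding(["CVE-0000-0002"]),
    { assetId: "vm-b", description: "Missing endpoint protection", severity: "Medium", cves: [] },
  ];
  return reconcile(stored, latestSync, "tenant-1");
}

console.log(demo().map((i) => `${i.origin} ${i.assetId} ${i.cve}: ${i.status}`));
```

Scoping the comparison to one origin is what keeps a sync from one credential from resolving an issue that only another credential can still see.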

API Endpoints in Use

To get the data from Microsoft Defender for Cloud, we use Azure Resource Graph. We use the official JavaScript library from Azure to communicate with Azure Resource Graph.

Quickstart: Your first JavaScript query - Azure Resource Graph

Machines or assets

microsoft.compute/virtualmachines
microsoft.network/networkinterfaces
microsoft.network/publicipaddresses

Assessments of vulnerabilities

microsoft.security/assessments
microsoft.security/assessments/subassessments