Overview
When Mimecast's Targeted Threat Protection inspects an email, threats identified as malicious attachments, phishing sender domains, and malicious URLs result in action being taken on the email (depending on the transmission direction).
This integration also allows Mimecast to send this telemetry to Microsoft’s Defender Threat Share platform, to help identify the threat if it arrives on an endpoint from another attack vector.
In addition to sending telemetry to Microsoft’s Defender Threat Share platform, Mimecast can receive telemetry from Microsoft alerts and the Indicators list. This telemetry can be used to block threats and remediate associated emails.
The Microsoft Defender Threat Share integration has the following benefits:
- Providing an additional layer of security that protects your organization's devices from threats detected via email.
- Providing enhanced email threat detection efficacy with shared intelligence across the Mimecast Secure Email Gateway and Microsoft Defender Threat Share platforms.
- Exposing the threats and risks that your organization is facing today.
Prerequisites
Before you attempt to integrate Microsoft Defender Threat Share, ensure that your Mimecast account has Targeted Threat Protection with:
- Attachment Protection pre-emptive sandbox or sandbox on demand options selected. See the Configuring Attachment Protection Definitions page for more information.
- Impersonation Protection domain similarity checks selected. See the Configuring Impersonation Protection Definitions page for more information.
- URL Protection Definitions configured. See the Configuring URL Protection Definitions page for more information.
Configuring the Integration
- In the Mimecast Administration Console, navigate to Integrations | Integrations Hub | Microsoft Defender Threat Share and select Configure New.
- Under Details, provide:
  - Application Name: A friendly name to uniquely describe this integration configuration instance.
    - Note: This cannot be altered after the integration has been created.
  - Description: A way to uniquely describe this integration configuration instance.
  - Fetch From Duration: Number of days of historical threat information to be shared when the integration is initially configured. The available options are 7 days, 15 days, or 21 days of historical information to share.
- Under the Send from Mimecast section, select the indicators to share from Mimecast to Microsoft Defender Threat Share:
  - Malicious Hashes from Attachment Protection: This will source SHA256 hashes from malicious Attachment Protection scan results.
    - Action on Malicious Hashes: This is the action that will be applied if Microsoft Defender Threat Share encounters a file matching this file hash. Available options are:
      - Audit: Log the event in Microsoft Defender Threat Share only.
      - Block: Block access to the associated file on the endpoint.
      - Block and Remediate: Block access to the associated file on the endpoint and remove the file.
      - Warn: Generate a warning when attempting to access the associated file.
    - Create Alerts when imported indicators are detected: This will trigger the generation of an alert when an action other than Alert is selected.
    - Alert Severity for Malicious Hashes: When an alert is generated in Microsoft Defender Threat Share, select the alert severity level for file hashes. Available options are Informational, Low, Medium, or High, and the actions based on severity are specific to your Microsoft Defender Threat Share configuration.
  - Malicious URLs from URL Protection: This will source URLs from malicious URL Protection scan results.
    - Action on Malicious URLs: This is the action that will be applied if Microsoft Defender Threat Share encounters a webpage matching this URL. Available options are:
      - Audit: Log the event in Microsoft Defender Threat Share only.
      - Block: Block access to the associated URL on the endpoint.
      - Warn: Generate a warning when attempting to access the associated URL.
    - Create Alerts when imported indicators are detected: This will trigger the generation of an alert when an action other than Alert is selected.
    - Alert Severity for Malicious Hashes: When an alert is generated in Microsoft Defender Threat Share, select the alert severity level for file hashes. Available options are Informational, Low, Medium, or High, and the actions based on severity are specific to your Microsoft Defender Threat Share configuration.
  - Malicious Domains from Impersonation Protection: This will source domains from Impersonation Protection results where a domain similarity match occurred.
    - Action on Malicious Domains: This is the action that will be applied if Microsoft Defender Threat Share encounters an attempt to access a matching domain. Available options are:
      - Audit: Log the event in Microsoft Defender Threat Share only.
      - Block: Block access to the associated domain on the endpoint.
      - Warn: Generate a warning when attempting to access the associated domain.
    - Create Alerts when imported indicators are detected: This will trigger the generation of an alert when an action other than Alert is selected.
    - Alert Severity for Malicious Domains: When an alert is generated in Microsoft Defender Threat Share, select the alert severity level for domains. Available options are Informational, Low, Medium, or High, and the actions based on severity are specific to your Microsoft Defender Threat Share configuration.
  - Set Expiration: When sharing indicators, an indicator expiration can be set to avoid reaching the maximum indicator count in Microsoft Defender Threat Share. The expiration date is calculated from the number of days selected, relative to the date the indicator is shared. Available options are 30 days, 90 days, 6 months, 9 months, or 1 year.
- Under the Send to Mimecast section, select the indicators to share and actions to perform:
  - Import Malicious Indicators from Endpoint Indicators list:
    - File hashes from Endpoint indicators list to BYOTI: This will source malicious SHA256 file hashes from Microsoft Defender Threat Share's indicator list and add those entries to Bring Your Own Threat Intel in Mimecast with a block action.
      - Remediate Messages when imported indicators are detected: When importing an indicator, a search will be performed to see if this indicator was already observed in email, and if so, a remediation event will be created to remove associated messages.
    - URLs from Endpoint Indicators list to Managed URLs: This will source malicious URLs from Microsoft Defender Threat Share's indicator list and add those entries as blocked entries to Managed URLs in Mimecast with a block action.
      - Remediate Messages when imported indicators are detected: When importing an indicator, a search will be performed to see if this indicator was already observed in email, and if so, a remediation event will be created to remove associated messages.
    - Domains from Endpoint Indicators list to Blocked Senders: This will source malicious domains from Microsoft Defender Threat Share's indicator list and add those entries to an integration-specific Blocked Sender Profile Group with an associated Blocked Senders Policy. The group and policy will be created by the integration.
      - Domains from Endpoint Indicators list to Managed URLs: When importing a domain, a Managed URL block entry can be created for the domain as well.
      - Remediate Messages when imported indicators are detected: When importing an indicator, a search will be performed to see if this indicator was already observed in email, and if so, a remediation event will be created to remove associated messages.
  - Import Malicious Indicators from Alerts:
    - File hashes from Alerts to BYOTI: This will source malicious SHA256 hashes from Microsoft Defender Threat Share alerts and add those entries to Bring Your Own Threat Intel in Mimecast with a block action.
    - URLs from Alerts to Managed URLs: This will source malicious URLs from Microsoft Defender Threat Share alerts and add those entries to URL Management in Mimecast with a block action.
- Under the Notification Configuration section, configure the recipients who will receive an alert should the integration enter an error state.
  - Note: These addresses can be Distribution Lists or Distribution Groups and will receive an alert when the integration requires manual intervention to return to a connected state. An example scenario is the manual deletion of the app registration in Azure, after which Mimecast no longer has access to interact with Microsoft.
- After the configuration options have been set, scroll to the top of the screen and select Authorize & Save. You will be directed to Microsoft to authorize Mimecast's access to your Microsoft Defender Threat Share configuration. This must be authorized by a Global Administrator on the Microsoft side.
- When directed to Microsoft, select Accept, which will grant Mimecast the following permissions:
  - Read file profiles.
  - Read URL profiles.
  - Read all alerts.
  - Read and write all IOCs.
  - Sign in and read user profiles.
- Once authorization has been granted, you will be redirected back to the integration setup in Mimecast with a confirmation message appearing at the top of the screen. It may take a few minutes for the status to change to Connected for the configuration.
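The "Send from Mimecast" and "Send to Mimecast" sections above define a small decision table: which response actions are available for each indicator type (hashes may be blocked and remediated, URLs and domains may not), how the Set Expiration choice turns into an expiry date, and where each imported Defender indicator lands in Mimecast (BYOTI, Managed URLs, or the integration's Blocked Senders group) with an optional message-remediation search. The script below is an added example, not Mimecast's or Microsoft's code, that encodes that table so an administrator can sanity-check a planned configuration before authorizing the integration. The function names are hypothetical; the Defender indicator type names (FileSha256, Url, DomainName) and payload field names (indicatorValue, indicatorType, action, severity, generateAlert, expirationTime) are assumptions about the Defender indicators API and do not appear on this page; the day counts used for the 6-month, 9-month and 1-year expirations are approximations, since the page does not state how Mimecast computes them.

```python
from datetime import datetime, timedelta, timezone

# Response actions the page lists for each outbound indicator type.
# Type names follow the Defender indicators API (assumption, not stated on the page).
ALLOWED_ACTIONS = {
    "FileSha256": ("Audit", "Block", "Block and Remediate", "Warn"),
    "Url": ("Audit", "Block", "Warn"),
    "DomainName": ("Audit", "Block", "Warn"),
}
# Spelling of each action as the Defender indicators API expects it (assumption).
API_ACTION = {"Audit": "Audit", "Block": "Block",
              "Block and Remediate": "BlockAndRemediate", "Warn": "Warn"}
SEVERITIES = ("Informational", "Low", "Medium", "High")
# "Set Expiration" choices from the page; month lengths are approximated (assumption).
EXPIRATION_DAYS = {"30 days": 30, "90 days": 90, "6 months": 180,
                   "9 months": 270, "1 year": 365}
HEX_DIGITS = set("0123456789abcdef")
# Constructed reference date used for the stand-alone run below.
EXAMPLE_SHARED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def build_outbound_indicator(value, indicator_type, action, severity,
                             create_alerts, expiration, shared_at):
    """Validate one Mimecast -> Defender indicator and return a submission
    payload (field names are assumptions about the Defender API)."""
    if indicator_type not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported indicator type {indicator_type!r}")
    if action not in ALLOWED_ACTIONS[indicator_type]:
        raise ValueError(f"{action!r} is not an available action for {indicator_type}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if indicator_type == "FileSha256" and (
            len(value) != 64 or set(value.lower()) - HEX_DIGITS):
        raise ValueError("attachment hashes must be SHA256 hex digests")
    # Expiry is relative to the date the indicator is shared, per the page.
    expires = shared_at + timedelta(days=EXPIRATION_DAYS[expiration])
    return {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": API_ACTION[action],
        "severity": severity,
        "generateAlert": bool(create_alerts),
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "title": "Mimecast Targeted Threat Protection",
    }


# Where each inbound indicator type lands in Mimecast ("Send to Mimecast" section).
INBOUND_TARGET = {"FileSha256": "BYOTI", "Url": "Managed URLs",
                  "DomainName": "Blocked Senders"}


def plan_inbound_indicator(indicator, observed_in_email,
                           domain_to_managed_urls=False, remediate=True):
    """Decide which Mimecast block entries to create for a Defender indicator
    and which previously seen messages to remediate.

    observed_in_email(value) stands in for the search the page describes and
    returns the ids of messages in which the indicator was already observed."""
    itype, value = indicator["indicatorType"], indicator["indicatorValue"]
    if itype not in INBOUND_TARGET:
        raise ValueError(f"no Mimecast destination for {itype}")
    entries = [(INBOUND_TARGET[itype], value, "block")]
    # Domains can additionally be written to Managed URLs, per the page.
    if itype == "DomainName" and domain_to_managed_urls:
        entries.append(("Managed URLs", value, "block"))
    hits = observed_in_email(value) if remediate else []
    return {"entries": entries, "remediate_message_ids": list(hits)}


if __name__ == "__main__":
    # Constructed sample data; not real indicators or message ids.
    print(build_outbound_indicator("ab" * 32, "FileSha256", "Block and Remediate",
                                   "High", True, "90 days", EXAMPLE_SHARED_AT))
    sightings = {"https://example.invalid/invoice.html": ["msg-001", "msg-002"]}
    print(plan_inbound_indicator(
        {"indicatorType": "Url", "indicatorValue": "https://example.invalid/invoice.html"},
        lambda v: sightings.get(v, [])))
    try:
        build_outbound_indicator("https://example.invalid/x", "Url",
                                 "Block and Remediate", "Low", False, "30 days",
                                 EXAMPLE_SHARED_AT)
    except ValueError as err:
        print("rejected:", err)
```

The validator rejects the one combination the page does not offer (Block and Remediate on a URL or domain) and malformed hashes, so a planned configuration can be checked offline; in the inbound direction the remediation search is passed in as a callable so the same planning logic can be exercised against constructed sightings.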