This section outlines the steps required to integrate delivr.to with Microsoft 365 Defender, via the Graph API.
For this, you will need to create an App Registration in Azure, assign it the necessary privileges, and then provide delivr.to with the credentials. Let’s set this app up first.
- Head to the App registrations portal in Azure AD here and click
- Give it a sensible name such as delivr.to Defender Integration, leave the rest default and click
- Go to API Permissions and click
  Microsoft Graph and choose
- In the search bar, enter ThreatHunting.Read.All, check the tickbox and click
  Grant admin consent for <YOUR TENANT> and then Yes on the confirmation box
- Go to Certificates & secrets, click New client secret, give it a sensible description and then click
- Take a note of the Value as it won’t be displayed again. This is your
  Overview and take a note of the Application (client) ID and Directory (tenant) ID, this is your
delivr.to asks for the OAuth scope ThreatHunting.Read.All, which is the least amount of privilege required to retrieve detailed information about an email-based anti-malware event. Only two KQL queries will ever be executed: one during integration to confirm the privilege is correctly set, and one each time the status of an email is checked.
- KQL executed during integration:
EmailEvents | where Subject contains "delivr.to"
- KQL executed during email status checking:
EmailEvents | where Subject contains "<CAMPAIGN ID>" | where RecipientEmailAddress == "<RECIPIENT ADDRESS>"
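To check the app registration yourself before handing over the credentials, the following added example (not delivr.to's code) requests an app-only token, confirms that its roles claim carries ThreatHunting.Read.All and nothing more, and runs the integration query shown above. It assumes the query is sent to Microsoft Graph's security/runHuntingQuery endpoint and that the access token can be decoded as a JWT; the function names are illustrative.

```python
import base64, json, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com"
EXPECTED_ROLES = {"ThreatHunting.Read.All"}  # the only permission the page asks for
CHECK_QUERY = 'EmailEvents | where Subject contains "delivr.to"'  # integration query from the page


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for the app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{GRAPH}/.default"}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())


def token_roles(access_token):
    """Read the 'roles' claim from the token payload (inspection only, no signature check)."""
    # Assumption: the Graph access token is a three-part JWT with a JSON payload.
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def excess_roles(access_token):
    """Application permissions granted beyond what the integration needs."""
    return token_roles(access_token) - EXPECTED_ROLES


def hunting_request(access_token, kql=CHECK_QUERY):
    """Build the advanced hunting call (assumed endpoint: security/runHuntingQuery)."""
    return urllib.request.Request(
        f"{GRAPH}/v1.0/security/runHuntingQuery",
        data=json.dumps({"Query": kql}).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


def verify(tenant_id, client_id, client_secret):
    """Live check: fetch a token, audit its roles, run the integration query."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as r:
        token = json.load(r)["access_token"]
    missing = EXPECTED_ROLES - token_roles(token)
    if missing:
        raise PermissionError(f"admin consent missing for: {sorted(missing)}")
    with urllib.request.urlopen(hunting_request(token)) as r:
        rows = json.load(r).get("results", [])
    return {"excess_roles": sorted(excess_roles(token)), "rows": len(rows)}
```

A non-empty `excess_roles` list from `verify()` means the app registration holds more application permissions than this integration needs.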
- Head to the Settings portal and navigate to the Security Tool Integrations section
- Select the mailbox you wish to associate with this integration from the dropdown and click Integrate with Defender 365
- Populate the fields with the Client ID, and Client Secret that you generated in the previous section
If successful, you should see this message, and your new integration will appear in the table.
You’re all set! You should now be able to send your campaigns and automatically see what has been delivered!