Microsoft Graph Security Alerts Integration Guide
The following instructions are for configuring an integration of Microsoft Graph Security API Alert logs to facilitate ingestion into Secureworks® Taegis™ XDR. For more information, see the Microsoft Graph Security API Overview.
Security Alerts from Graph Security API Alerts Endpoint
Microsoft has implemented security analysis across many different products. XDR retrieves those Microsoft alerts in real-time and presents them in XDR as alerts.
These alerts include those from:
- Microsoft Defender for Cloud
- Azure Active Directory Identity Protection
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Office 365
- Default Alert Policies
- Cloud App Security
- Custom Alert
- Azure Information Protection
- Azure Sentinel
Note
Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps.
Alerts are ingested using the Microsoft REST APIs on a polling basis, with new data being requested every minute. For information on data availability, see Office 365 and Azure Data Availability.
Note
XDR relays alerts provided by the Graph Security API. This does not include the raw telemetry needed to provide enrichment, context, and proprietary analytics. An alert-only integration does provide single-pane-of-glass views, but does not include the information required for deep analysis. Where possible, it is preferred to add integrations where supporting telemetry for alerts is available. See the section on excluding providers for details on which integrations XDR offers that include both alerts and telemetry.
The availability of these security products depends on which Microsoft subscriptions and licensing you have and what you have authorized XDR to access. For more information, see https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0.
Note
Some alerts originating from Office 365 may appear in data from both the O365 Management and MS Graph Security.
Data Provided from Integration
| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| MS Graph Security | CloudAudit, Thirdparty | | |
Microsoft Graph Security API Integration Instructions
1. From the Taegis Menu, select Integrations → Cloud APIs.
2. Select Add an Integration from the top of the page.
3. From the Optimized tab, choose Office 365/Azure.
4. In the Graph Security box, select Authorize.
5. You will be redirected to Microsoft's identity provider to consent access. Log in using a user able to grant admin consent tenant-wide for the Entra tenant to be integrated, and approve the listed permissions to authorize XDR access.
6. When the consent process is successful, you will be redirected back to XDR.
7. Complete Graph Security Integration:
   - Enter a name for the integration. The default value is the Microsoft tenant ID, but it can be changed to any applicable name.
   - (Optional) Choose any Microsoft Graph Security Providers for which you wish to exclude log collection. When log collection is excluded, the API queries performed by XDR will explicitly not request data for the checked providers. As such, Graph Security alerts for those providers will not be available in XDR. Providers should be excluded where alerts are being ingested into XDR via other means.

   Important
   Excluding Defender-based providers ("Microsoft Defender ATP" and "Microsoft 365 Defender") will prevent duplicate alerts in XDR when a Microsoft Defender for Endpoint integration exists in your tenant. Excluding Entra Identity-based detections ("IPC") will prevent duplicate alerts in XDR when a Microsoft Entra Risk Detection integration exists in your tenant.

   | Microsoft Provider | XDR Detector Name |
   |---|---|
   | ASC | Azure Security Center |
   | MCAS | Microsoft Cloud App Security |
   | IPC | Azure Active Directory Identity Protection |
   | Microsoft Sentinel | Microsoft Sentinel |
   | Microsoft Defender ATP | Microsoft Defender ATP |
   | Azure Advanced Threat Protection | Azure Advanced Threat Protection |
   | Microsoft 365 Defender | Microsoft 365 Defender |
   | Office 365 Security and Compliance | Microsoft Office 365 Security and Compliance |
8. Select Done to complete the integration with XDR.
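The following added example (not Secureworks or Microsoft code, and not a description of how XDR is implemented internally) shows what provider exclusion and the provider-to-detector mapping above amount to in practice: it builds an OData `$filter` for one polling window of the Graph `/security/alerts` endpoint that omits excluded providers, then parses a constructed sample response and maps each alert's `vendorInformation.provider` value to the XDR `detector_name` used in the query language. The `createdDateTime` and `vendorInformation/provider` properties are real Graph alert fields; that XDR expresses exclusions as an OData filter is an assumption, and the sample alerts are constructed. No network calls are made.

```python
"""Added example: Graph Security alert polling filter and provider mapping.
Not Secureworks or Microsoft code. The OData filter shape is an assumption
about how an exclusion list could be expressed; the sample response is constructed."""
import json
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# alert.vendorInformation.provider value -> XDR detector_name (table from the guide)
PROVIDER_TO_DETECTOR = {
    "ASC": "Azure Security Center",
    "MCAS": "Microsoft Cloud App Security",
    "IPC": "Azure Active Directory Identity Protection",
    "Microsoft Sentinel": "Microsoft Sentinel",
    "Microsoft Defender ATP": "Microsoft Defender ATP",
    "Azure Advanced Threat Protection": "Azure Advanced Threat Protection",
    "Microsoft 365 Defender": "Microsoft 365 Defender",
    "Office 365 Security and Compliance": "Microsoft Office 365 Security and Compliance",
}


def build_alerts_request(since_iso, excluded_providers=()):
    """Return (url, query params) for one poll covering alerts created at or after
    since_iso (an ISO 8601 UTC timestamp such as 2024-01-01T00:00:00Z).
    Each excluded provider becomes a 'vendorInformation/provider ne ...' clause so
    the service never returns those alerts; unknown names are rejected early."""
    clauses = [f"createdDateTime ge {since_iso}"]
    for provider in excluded_providers:
        if provider not in PROVIDER_TO_DETECTOR:
            raise ValueError(f"unknown Graph Security provider: {provider!r}")
        clauses.append(f"vendorInformation/provider ne '{provider}'")
    return GRAPH_ALERTS_URL, {"$filter": " and ".join(clauses)}


def normalize_alerts(response_json, excluded_providers=()):
    """Map each alert in a Graph response body to the fields the XDR query
    language exposes (sensor_types, detector_name). Alerts from an excluded
    provider are dropped here too, as a defensive check in case a response
    was fetched without the filter."""
    rows = []
    for alert in response_json.get("value", []):
        provider = alert.get("vendorInformation", {}).get("provider")
        if provider in excluded_providers:
            continue
        rows.append({
            "id": alert.get("id"),
            "title": alert.get("title"),
            "severity": alert.get("severity"),
            "created": alert.get("createdDateTime"),
            "sensor_types": "MICROSOFT_GRAPH_ALERTS",
            # Fall back to the raw provider string for any provider not in the table
            "detector_name": PROVIDER_TO_DETECTOR.get(provider, provider),
        })
    return rows


# Constructed sample response in the shape of a Graph alerts collection.
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "alert-0001", "title": "Constructed sample: risky sign-in", "severity": "medium",
     "createdDateTime": "2024-01-01T00:05:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
    {"id": "alert-0002", "title": "Constructed sample: malware detected on endpoint", "severity": "high",
     "createdDateTime": "2024-01-01T00:05:30Z",
     "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"}},
    {"id": "alert-0003", "title": "Constructed sample: anomalous cloud app activity", "severity": "low",
     "createdDateTime": "2024-01-01T00:06:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}}
  ]
}""")


if __name__ == "__main__":
    # Tenant already has Defender for Endpoint and Entra Risk Detection integrations,
    # so the Defender ATP and IPC providers are excluded to avoid duplicate alerts.
    excluded = ("Microsoft Defender ATP", "IPC")
    url, params = build_alerts_request("2024-01-01T00:00:00Z", excluded)
    print(url + "?" + urlencode(params))
    for row in normalize_alerts(SAMPLE_RESPONSE, excluded):
        print(row["detector_name"], row["severity"], row["title"])
```

Running the script prints the filtered request URL and a single MCAS alert; the IPC and Defender ATP alerts are suppressed both by the filter and by the defensive check in `normalize_alerts`, which is the behaviour the exclusion checkboxes are meant to achieve when those providers are already covered by a dedicated integration.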
Advanced Search Using the Query Language
Example Query Language Searches
To search for Azure Security Center (ASC) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Azure Security Center'
To search for Microsoft Cloud App Security (MCAS) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft Cloud App Security'
To search for Azure Active Directory Identity Protection (IPC) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Azure Active Directory Identity Protection'
To search for Microsoft Sentinel (Microsoft Sentinel) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft Sentinel'
To search for Microsoft Defender ATP (Microsoft Defender ATP) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft Defender ATP'
To search for Azure Advanced Threat Protection (Azure Advanced Threat Protection) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Azure Advanced Threat Protection'
To search for Microsoft 365 Defender (Microsoft 365 Defender) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft 365 Defender'
To search for Microsoft Office 365 Security and Compliance (Microsoft Office 365 Security and Compliance) alerts:
FROM alert WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft Office 365 Security and Compliance'