Currently, CYDERES can pull specific detections, indicators, or alerts when the correct permissions are enabled in the Azure App API. If the data is ingested into Chronicle, the data type displayed is MICROSOFT_GRAPH_ALERT.
Detections or indicators only available within the Azure App API:
- Azure Risk Detections
- Microsoft Threat Indicators
Alerts only available within the Azure App API:
- Azure AD Identity Protection
- Azure Advanced Threat Protection
- Azure Sentinel
- Azure Security Center
- Microsoft Defender ATP
Security Actions only available within the Azure App API:
- Microsoft Security Actions
Integration Specific Configuration
Follow the Microsoft Guide before completing the configuration steps below.
Configure Audit Logging
- Navigate to
- On the sidebar, select Search and Audit log search.
- Turn on Audit Logging if it is not already enabled. Logs take about 24 hours to publish initially.
Note: Microsoft is starting to enable this functionality by default on tenants. If these options do not exist, assume audit logging is already turned on and continue.
Microsoft Defender Advanced Threat Protection Alerts
Additional user roles are required to ingest Defender ATP alerts from the Microsoft Graph Security API. Only users who hold both a Microsoft Defender Advanced Threat Protection role and a Microsoft Graph Security API role can access Microsoft Defender Advanced Threat Protection data.
Azure Advanced Threat Protection Alerts
Azure Advanced Threat Protection (Azure ATP) alerts are available via the Microsoft Cloud App Security integration. This means Azure ATP alerts are ingested only if the user has joined Unified SecOps and connected Azure ATP to Microsoft Cloud App Security. Learn more about how to integrate Azure ATP with Microsoft Cloud App Security, then follow the Microsoft CASB integration guide to complete this setup.
Azure Risk Detection
An Azure AD Premium P1 or P2 license is required to set up the Azure Risk Detection integration.
Azure App API Permissions for Microsoft Graph
In the CYDERES Azure App, click Add a permission. Click APIs my organization uses, search for 'Microsoft Graph', and select it. Click Application permissions and tick the check box next to each of the following permissions, depending on which technologies are being integrated.
| Application permission | Alert source it enables |
|---|---|
| SecurityEvents.Read.All | Azure Advanced Threat Protection Alerts |
| SecurityEvents.Read.All | Azure Security Center Alerts |
| SecurityEvents.Read.All | Microsoft Cloud App Security Alerts |
| SecurityEvents.Read.All | Azure AD Identity Protection Alerts |
| SecurityEvents.Read.All | Azure Sentinel Alerts |
| SecurityEvents.Read.All | Microsoft Defender Advanced Threat Protection Alerts |
| SecurityActions.Read.All | Microsoft Security Actions |
| IdentityRiskEvent.Read.All | Azure Risk Detection |
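As an added example (not CYDERES or Microsoft code), the script below turns the table above into a least-privilege check: given the alert sources chosen for ingestion, it derives the minimal set of Graph application permissions, compares it with the permissions actually granted to the app registration, and repeats the prerequisites this page calls out. The granted list is a constructed sample standing in for what the portal's API permissions blade shows.

```python
# Added example (not CYDERES or Microsoft code): least-privilege check of the
# Graph application permissions granted to the CYDERES Azure App.

# Permission -> alert sources it unlocks, taken from the table on this page.
PERMISSION_TO_SOURCES = {
    "SecurityEvents.Read.All": {
        "Azure Advanced Threat Protection Alerts",
        "Azure Security Center Alerts",
        "Microsoft Cloud App Security Alerts",
        "Azure AD Identity Protection Alerts",
        "Azure Sentinel Alerts",
        "Microsoft Defender Advanced Threat Protection Alerts",
    },
    "SecurityActions.Read.All": {"Microsoft Security Actions"},
    "IdentityRiskEvent.Read.All": {"Azure Risk Detection"},
}

# Prerequisites this page calls out beyond the Graph permission itself.
PREREQUISITES = {
    "Azure Advanced Threat Protection Alerts":
        "connect Azure ATP to Microsoft Cloud App Security (CASB guide)",
    "Microsoft Defender Advanced Threat Protection Alerts":
        "ingesting identity needs both Defender ATP and Graph Security API roles",
    "Azure Risk Detection": "tenant needs an Azure AD Premium P1 or P2 license",
}

def required_permissions(sources):
    """Return the minimal permission set that covers every selected source."""
    unknown = set(sources) - set().union(*PERMISSION_TO_SOURCES.values())
    if unknown:
        raise ValueError(f"unknown alert sources: {sorted(unknown)}")
    return {p for p, covered in PERMISSION_TO_SOURCES.items() if covered & set(sources)}

def audit(sources, granted):
    """Report missing permissions (ingestion of those sources fails), extra ones
    (over-privileged for the chosen sources) and prerequisites that still apply."""
    needed = required_permissions(sources)
    return {
        "missing": sorted(needed - set(granted)),
        "extra": sorted(set(granted) - needed),
        "prerequisites": [PREREQUISITES[s] for s in sources if s in PREREQUISITES],
    }

if __name__ == "__main__":
    # Constructed sample: Sentinel alerts and risk detections are wanted, but the
    # app was granted SecurityActions.Read.All instead of IdentityRiskEvent.Read.All.
    print(audit(["Azure Sentinel Alerts", "Azure Risk Detection"],
                ["SecurityEvents.Read.All", "SecurityActions.Read.All"]))
```

Anything reported under "extra" is a permission no selected source justifies and can be removed; anything under "missing" explains why a source does not show up in Chronicle.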