
Microsoft Graph

Currently, CYDERES can pull specific detections, indicators, or alerts once the corresponding Microsoft Graph permissions are granted to the CYDERES Azure App. When this data is ingested into Chronicle, it is displayed with the data type MICROSOFT_GRAPH_ALERT.

Detections or Indicators only available within the Azure App API:

  • Azure Risk Detections
  • Microsoft Threat Indicators

Alerts only available within the Azure App API:

  • Azure AD Identity Protection
  • Azure Advanced Threat Protection
  • Azure Sentinel
  • Azure Security Center
  • Microsoft Defender ATP

Security Actions only available within the Azure App API:

  • Microsoft Security Actions

Integration Specific Configuration

Follow the Microsoft Guide before completing the configuration steps below.

Azure AD

Configure Audit Logging

  1. Navigate to protection.office.com.
  2. On the sidebar, select Search and Audit log search.
  3. Turn on Audit Logging if not enabled already. Logs will take about 24 hours to publish initially.

Note: Microsoft is beginning to enable this functionality by default on tenants. If these options are not present, assume audit logging is already turned on and continue with the next steps.

Microsoft Defender Advanced Threat Protection Alerts

Additional user roles are required to ingest Defender ATP alerts from the Microsoft Graph Security API. Only users who hold both a Microsoft Defender Advanced Threat Protection role and a Microsoft Graph Security API role can access Microsoft Defender Advanced Threat Protection data.

Azure Advanced Threat Protection Alerts

Azure Advanced Threat Protection (Azure ATP) alerts are available via the Microsoft Cloud App Security integration. This means Azure ATP alerts are ingested only if the tenant has joined Unified SecOps and connected Azure ATP to Microsoft Cloud App Security. See Microsoft's documentation on integrating Azure ATP with Microsoft Cloud App Security, and follow the Microsoft CASB integration guide to complete this setup.

Azure Risk Detection

An Azure AD Premium P1 or P2 license is required to set up the Azure Risk Detection integration.

Azure App API Permissions for Microsoft Graph

In the CYDERES Azure App, click Add a permission. Click APIs my organization uses, search for 'Microsoft Graph' and select it. Click Application permissions and tick the check box next to each of the following permissions, depending on which technologies you are integrating. Application permissions take effect only after an administrator grants consent for the tenant (Grant admin consent); until then the app's tokens will not carry the corresponding roles and the pull will fail with an authorization error.

Permission                    Technology
AuditLog.Read.All             Azure AD
Directory.Read.All            Azure AD
SecurityEvents.Read.All       Azure Advanced Threat Protection Alerts
                              Azure Security Center Alerts
                              Microsoft Cloud App Security Alerts
                              Azure AD Identity Protection Alerts
                              Azure Sentinel Alerts
                              Microsoft Defender Advanced Threat Protection Alerts
SecurityActions.Read.All      Microsoft Security Actions
IdentityRiskEvent.Read.All    Azure Risk Detection
ThreatIndicators.Read.All     Threat Indicators
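The following is an added example, not code from the original page or from CYDERES, that turns the permission table above into a check you can run against the app registration before enabling the integration. It encodes the table as a technology-to-permission mapping, builds the client-credentials token request for the Microsoft Graph v2.0 endpoint, and reads the roles claim of the resulting app-only access token (the claim in which Azure AD lists the application permissions that have actually been admin-consented) to report which required permissions are missing. The sample token in the block is constructed inline and unsigned; decode_roles() reads the payload for diagnostics only and does not verify the signature, so it must never be used to authorise anything. Tenant, client ID and secret values are placeholders.

```python
"""Check a CYDERES-style Azure App registration for the Microsoft Graph
application permissions required by the chosen technologies.

Added example, not part of the original page or of CYDERES. The mapping
reproduces the permission table above; the sample token is constructed
and unsigned (for offline testing only).
"""
import base64
import json

# Technology -> Graph application permission(s), as listed in the table above.
PERMISSION_FOR_TECHNOLOGY = {
    "Azure AD": {"AuditLog.Read.All", "Directory.Read.All"},
    "Azure Advanced Threat Protection Alerts": {"SecurityEvents.Read.All"},
    "Azure Security Center Alerts": {"SecurityEvents.Read.All"},
    "Microsoft Cloud App Security Alerts": {"SecurityEvents.Read.All"},
    "Azure AD Identity Protection Alerts": {"SecurityEvents.Read.All"},
    "Azure Sentinel Alerts": {"SecurityEvents.Read.All"},
    "Microsoft Defender Advanced Threat Protection Alerts": {"SecurityEvents.Read.All"},
    "Microsoft Security Actions": {"SecurityActions.Read.All"},
    "Azure Risk Detection": {"IdentityRiskEvent.Read.All"},
    "Threat Indicators": {"ThreatIndicators.Read.All"},
}


def required_permissions(technologies):
    """Union of the permissions needed for the selected technologies."""
    needed = set()
    for tech in technologies:
        if tech not in PERMISSION_FOR_TECHNOLOGY:
            raise ValueError(f"unknown technology: {tech!r}")
        needed |= PERMISSION_FOR_TECHNOLOGY[tech]
    return needed


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form) for the v2.0 client-credentials grant.

    Application permissions are requested with the '.default' scope; the
    permissions Azure AD actually granted come back in the token's 'roles'.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_roles(access_token):
    """Return the 'roles' claim (granted app permissions) of a compact JWT.

    Diagnostic only: the signature is NOT verified here.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_permissions(access_token, technologies):
    """Required permissions that are absent from the token's roles claim."""
    return required_permissions(technologies) - decode_roles(access_token)


def build_sample_token(roles):
    """Construct an UNSIGNED token (empty signature segment) for offline tests."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Constructed token: consent granted for Azure AD and the alert sources,
    # but not for risk detections or threat indicators.
    token = build_sample_token(
        {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"})
    wanted = ["Azure AD", "Azure Sentinel Alerts",
              "Azure Risk Detection", "Threat Indicators"]
    url, form = client_credentials_request("<tenant-id>", "<client-id>", "<secret>")
    print("token endpoint:", url, "scope:", form["scope"])
    print("missing:", sorted(missing_permissions(token, wanted)))
```

In practice you would POST the form returned by client_credentials_request() with an HTTP client, pass the access_token from the JSON response to missing_permissions(), and only then start the pull; an empty result confirms that admin consent was granted for every permission the chosen technologies need.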
