Microsoft Graph

Currently, Cyderes can pull specific detections, indicators, or alerts when the correct permissions are enabled in the Azure App API.

Azure App Prerequisite

For this integration, an Azure App must be created. More information about how to do that can be found in the documentation here.

Detections or Indicators only available within the Azure App API:

  • Azure Risk Detections
  • Microsoft Threat Indicators

Alerts only available within the Azure App API:

  • Azure AD Identity Protection
  • Azure Advanced Threat Protection
  • Azure Sentinel
  • Azure Security Center
  • Microsoft Defender ATP

Security Actions only available within the Azure App API:

  • Microsoft Security Actions

Chronicle Data Types

  • MICROSOFT_GRAPH_ALERT

Configuration

Configure Audit Logging

  1. Navigate to protection.office.com
  2. On the sidebar, select Search and Audit log search
  3. Turn on Audit Logging if not enabled already. Logs will take about 24 hours to publish initially.

Note: This functionality is now being enabled by default on tenants. If these options do not exist, assume audit logging is already turned on and continue.

Microsoft Defender Advanced Threat Protection Alerts

Additional user roles are required to ingest Defender ATP Alerts from the Microsoft Graph Security API. Only users assigned roles in both Microsoft Defender Advanced Threat Protection and the Microsoft Graph Security API can access Microsoft Defender Advanced Threat Protection data.

Azure Advanced Threat Protection Alerts

Azure Advanced Threat Protection (Azure ATP) Alerts are available via the Microsoft Cloud App Security integration. This means Azure ATP Alerts are ingested only if the user joined Unified SecOps and connected Azure ATP to Microsoft Defender for Cloud Apps. Learn more about how to integrate Azure ATP and Microsoft Defender for Cloud Apps. Follow the Microsoft Defender for Cloud Apps integration guide to complete this setup.

Azure Risk Detection

An Azure AD Premium P1 or P2 license is required to set up the Azure Risk Detection integration.

Azure App API Permissions for Microsoft Graph

In the Cyderes Azure App Registration:

  1. Select API permissions from the sidebar, then click the Add a permission button.
  2. Click APIs my organization uses, search for 'Microsoft Graph' and select it.
  3. Click Application permissions and click the check box next to each of the permissions listed below.
  4. Once the permissions have been added, ensure that admin consent has been granted for each by clicking Grant admin consent for ACCOUNT.

Permission                    Technology
SecurityEvents.Read.All       Azure Advanced Threat Protection Alerts
                              Azure Security Center Alerts
                              Microsoft Defender for Cloud Apps Alerts
                              Azure AD Identity Protection Alerts
                              Azure Sentinel Alerts
                              Microsoft Defender Advanced Threat Protection Alerts
SecurityActions.Read.All      Microsoft Security Actions
IdentityRiskEvent.Read.All    Azure Risk Detection
ThreatIndicators.Read.All     Threat Indicators
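As an added check (example code, not part of the Cyderes documentation or of any Microsoft library): after consent is granted, an app-only Microsoft Graph token obtained with the app's client ID, tenant ID and secret carries the consented application permissions in its roles claim, so the permission column of the table above can be verified against the token before the credentials are handed over. The token below is a constructed, unsigned sample so the check runs offline; the two audience values are the forms in which Microsoft Graph appears in the aud claim.

```python
import base64
import json

# Permission required for each technology, taken from the permission table above.
REQUIRED_PERMISSION = {
    "Azure Advanced Threat Protection Alerts": "SecurityEvents.Read.All",
    "Azure Security Center Alerts": "SecurityEvents.Read.All",
    "Microsoft Defender for Cloud Apps Alerts": "SecurityEvents.Read.All",
    "Azure AD Identity Protection Alerts": "SecurityEvents.Read.All",
    "Azure Sentinel Alerts": "SecurityEvents.Read.All",
    "Microsoft Defender Advanced Threat Protection Alerts": "SecurityEvents.Read.All",
    "Microsoft Security Actions": "SecurityActions.Read.All",
    "Azure Risk Detection": "IdentityRiskEvent.Read.All",
    "Threat Indicators": "ThreatIndicators.Read.All",
}
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}  # URL or app id

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims. No signature check: the claims are only read to diagnose consent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_permissions(token: str, technologies) -> dict:
    """Map each requested technology to the application permission the token lacks.
    App-only Graph tokens list consented application permissions in the 'roles' claim."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {claims.get('aud')!r} is not Microsoft Graph")
    granted = set(claims.get("roles", []))
    return {tech: REQUIRED_PERMISSION[tech] for tech in technologies
            if REQUIRED_PERMISSION[tech] not in granted}

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline testing only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

# Constructed sample: consent granted for only two of the four permissions in the table.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["SecurityEvents.Read.All", "IdentityRiskEvent.Read.All"],
})

if __name__ == "__main__":  # report every technology the sample token cannot yet serve
    for tech, perm in missing_permissions(SAMPLE_TOKEN, REQUIRED_PERMISSION).items():
        print(f"{tech}: grant admin consent for {perm}")
```

For a real token, pass the access token string returned by the client credentials flow in place of SAMPLE_TOKEN; an empty result means every requested technology is covered.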

Gather Information

Provide the following information to Cyderes to complete implementation:

  • Identity (Azure Active Directory App)
    • Application (client) ID
    • Directory (tenant) ID
    • Secret ID
    • Secret Value
  • Technologies to enable