Microsoft Graph Security API Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats.
The Microsoft Graph Security API integration uses Advanced Hunting functionality via the Graph API to query a specified set of alert evidence by observables, including IP, file name, file path, process name, process arguments, URLs, SHA-1 and SHA-256. This integration enriches Cisco XDR investigations by incorporating aggregated alerts from Microsoft Defender products, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Sentinel (when connected to the Defender portal).
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Microsoft Graph Security API integration.
- Click the plus sign (+) in the lower-right corner of the card. The Microsoft Graph Security API integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Microsoft Graph Security API integration in Cisco XDR.
You can perform the following tasks after you integrate Microsoft Graph Security API with Cisco XDR:
- Investigations - Start a new investigation into any combination of IP addresses, process names, file names, file paths, process arguments, URLs, SHA-1, and SHA-256, and the results will include any records of them found in your Microsoft Graph Security API. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Microsoft Graph Security API has recent information. For details, see Investigate.
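To see how alert evidence returned by the Graph Security API maps onto the observable types listed above, here is an added example (not Cisco's or Microsoft's code) that indexes constructed alerts_v2-shaped records by observable and looks them up the way an enrichment would. The evidence field names (`@odata.type`, `ipAddress`, `url`, `fileDetails`, `imageFile`, `processCommandLine`) are my reading of the alerts_v2 schema and should be checked against the API reference; the sample alerts are constructed.

```python
from collections import defaultdict

# Constructed sample alerts in the shape of GET /security/alerts_v2 results.
# Evidence field names follow the alerts_v2 schema as I understand it (assumption).
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious PowerShell", "evidence": [
        {"@odata.type": "#microsoft.graph.security.processEvidence",
         "processCommandLine": "powershell.exe -enc AAAA",
         "imageFile": {"fileName": "powershell.exe", "filePath": "C:\\Windows\\System32",
                       "sha1": "AB12", "sha256": "CD34"}},
        {"@odata.type": "#microsoft.graph.security.ipEvidence", "ipAddress": "203.0.113.5"}]},
    {"id": "a2", "title": "Phishing URL clicked", "evidence": [
        {"@odata.type": "#microsoft.graph.security.urlEvidence", "url": "https://example.test/login"},
        {"@odata.type": "#microsoft.graph.security.fileEvidence",
         "fileDetails": {"fileName": "invoice.pdf", "sha256": "cd34"}}]},
]

def _file_observables(details):
    """Yield (observable_type, value) pairs from a fileDetails object; hashes lowercased."""
    for otype, key in (("file_name", "fileName"), ("file_path", "filePath"),
                       ("sha1", "sha1"), ("sha256", "sha256")):
        val = (details or {}).get(key)
        if val:
            yield otype, val.lower() if otype in ("sha1", "sha256") else val

def index_alerts(alerts):
    """Map (observable_type, value) -> set of alert ids whose evidence contains it."""
    index = defaultdict(set)
    for alert in alerts:
        for ev in alert.get("evidence", []):
            kind = ev.get("@odata.type", "").rsplit(".", 1)[-1]
            obs = []
            if kind == "ipEvidence":
                obs.append(("ip", ev["ipAddress"]))
            elif kind == "urlEvidence":
                obs.append(("url", ev["url"]))
            elif kind == "fileEvidence":
                obs.extend(_file_observables(ev.get("fileDetails")))
            elif kind == "processEvidence":
                obs.append(("process_args", ev.get("processCommandLine", "")))
                # The image's fileName doubles as the process name.
                obs.extend(("process_name" if t == "file_name" else t, v)
                           for t, v in _file_observables(ev.get("imageFile")))
            for o in obs:
                index[o].add(alert["id"])
    return index

def lookup(index, otype, value):
    """Return sorted alert ids for one observable; hashes compare case-insensitively."""
    if otype in ("sha1", "sha256"):
        value = value.lower()
    return sorted(index.get((otype, value), ()))
```

Hashes are normalised to lower case on both sides, so an investigation on a mixed-case SHA-256 still matches evidence from every Defender product that reported it.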