Microsoft Graph Security API Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
Part of Microsoft Graph, the Microsoft Graph Security API integrates with security solutions from Microsoft and partners in a federated model. It can also be used in conjunction with other Microsoft Graph entities to gain additional context (for example, Office 365 and Azure AD). The API has multiple entities, including:
- Alerts from multiple security solutions, each representing that potentially malicious activity has been detected within the organization.
- Secure Score provides information about an organization’s security posture, including a numeric rating based on elements like the enabled security features in your environment and outstanding security risks. This score is available at the tenant level as well as at a specific control area, such as device, app, and identity, through Secure Score Control Profiles. Scores and profiles are available from each security provider that offers them, valuable information that can help guide vulnerability remediation actions based on the suggested actions available in each profile. By default, 90 days of data is retained.
- Threat intelligence indicators refer to information about known threats, such as malicious IP addresses, domains, or URLs. Organizations can send their threat intelligence to targeted Microsoft services to enable custom detections.
Note: The Microsoft Graph Security Relay uses Open Data Protocol (OData) filters (specifically the any lambda operator) while querying data from Microsoft Graph Security API. The Microsoft Graph Security API is a federation service that merges data from various Microsoft alert providers. As some providers do not support OData query filters (for example, Office 365 Security and Compliance and Microsoft Defender Advanced Threat Protection), alerts from those providers will not be included in the Microsoft Graph Security Relay output.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Microsoft Graph Security API integration.
- Click the plus sign (+) in the lower-right corner of the card. The Microsoft Graph Security API integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Microsoft Graph Security API integration in Cisco XDR.

You can perform the following tasks after you integrate Microsoft Graph Security API with Cisco XDR:
- Investigations - Start a new investigation into any combination of IP addresses, domains, hostnames, file names, file paths, URLs, and SHA-256 hashes; the results will include any records of them found in your Microsoft Graph Security API data. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Microsoft Graph Security API has recent information. For details, see Investigate.
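The note above says the relay queries the Graph Security API with OData `any` lambda filters, and the investigation task lists the observable types that are matched against returned alerts. The following Python is an added example, not Cisco's or Microsoft's code: it builds a `security/alerts` request whose `$filter` uses the `any` lambda for one observable, and pulls the same observable types out of an alerts response so you can see what an investigation has to work with. The property names (`hostStates`, `networkConnections`, `fileStates`, `vendorInformation`) follow the v1.0 `security/alerts` resource as documented by Microsoft; check them against the current Graph reference before relying on them, and note that the response below is constructed, not captured from a tenant.

```python
"""Build an OData `any` lambda query for Microsoft Graph Security alerts and
extract Cisco XDR-style observables from an alerts response.

Added example; it is not part of the Cisco XDR or Microsoft Graph code."""
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# $filter templates keyed by observable type.  Each one applies the OData
# `any` lambda to a collection property of the alert resource.
_FILTER_TEMPLATES = {
    "hostname": "hostStates/any(h:h/fqdn eq '{v}')",
    "ip": "networkConnections/any(n:n/destinationAddress eq '{v}' "
          "or n/sourceAddress eq '{v}')",
    "domain": "networkConnections/any(n:n/destinationDomain eq '{v}')",
    "url": "networkConnections/any(n:n/destinationUrl eq '{v}')",
    "file_name": "fileStates/any(f:f/name eq '{v}')",
    "sha256": "fileStates/any(f:f/fileHash/hashValue eq '{v}')",
}


def build_filter(observable_type, value):
    """Return the raw $filter expression for one observable."""
    if observable_type not in _FILTER_TEMPLATES:
        raise ValueError(f"unsupported observable type: {observable_type}")
    # A single quote inside an OData string literal is escaped by doubling it,
    # so a value like it's.exe cannot break out of the literal.
    literal = value.replace("'", "''")
    return _FILTER_TEMPLATES[observable_type].format(v=literal)


def build_alerts_query(observable_type, value, top=50):
    """Return the full, URL-encoded GET request for matching alerts."""
    params = {"$filter": build_filter(observable_type, value), "$top": top}
    return GRAPH_ALERTS_URL + "?" + urlencode(params)


def extract_observables(alerts_response):
    """Collect the observable types XDR investigates from an alerts body.

    `alerts_response` is the parsed JSON of GET /security/alerts, i.e. a dict
    with a "value" list of alert objects.  Missing or null collections are
    tolerated because not every provider fills every field.
    """
    found = {k: set() for k in ("ip", "domain", "hostname", "url",
                                "file_name", "file_path", "sha256")}
    for alert in alerts_response.get("value", []):
        for host in alert.get("hostStates") or []:
            if host.get("fqdn"):
                found["hostname"].add(host["fqdn"])
            for key in ("privateIpAddress", "publicIpAddress"):
                if host.get(key):
                    found["ip"].add(host[key])
        for conn in alert.get("networkConnections") or []:
            for key in ("sourceAddress", "destinationAddress"):
                if conn.get(key):
                    found["ip"].add(conn[key])
            if conn.get("destinationDomain"):
                found["domain"].add(conn["destinationDomain"])
            if conn.get("destinationUrl"):
                found["url"].add(conn["destinationUrl"])
        for fstate in alert.get("fileStates") or []:
            if fstate.get("name"):
                found["file_name"].add(fstate["name"])
            if fstate.get("path"):
                found["file_path"].add(fstate["path"])
            fhash = fstate.get("fileHash") or {}
            if fhash.get("hashType") == "sha256" and fhash.get("hashValue"):
                found["sha256"].add(fhash["hashValue"].lower())
    return {k: sorted(v) for k, v in found.items()}


def providers(alerts_response):
    """Sorted list of alert providers present in the response.  Comparing this
    against the providers enabled in the tenant is a quick way to notice the
    providers whose alerts the filtered relay query will not return."""
    names = {(a.get("vendorInformation") or {}).get("provider")
             for a in alerts_response.get("value", [])}
    return sorted(n for n in names if n)


# Constructed sample response (not captured from a real tenant).
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "alert-1", "title": "Suspicious outbound connection",
            "severity": "high",
            "vendorInformation": {"provider": "ExampleProvider",
                                  "vendor": "Example"},
            "hostStates": [{"fqdn": "ws01.corp.example",
                            "privateIpAddress": "10.0.0.5"}],
            "networkConnections": [{"destinationAddress": "203.0.113.10",
                                    "destinationDomain": "bad.example",
                                    "destinationUrl": "http://bad.example/x"}],
            "fileStates": [{"name": "dropper.exe",
                            "path": r"C:\Temp\dropper.exe",
                            "fileHash": {"hashType": "sha256",
                                         "hashValue": "E3B0C44298FC1C149AFBF4C8"
                                                      "996FB92427AE41E4649B934C"
                                                      "A495991B7852B855"}}]},
        {
            "id": "alert-2", "title": "Provider without connection data",
            "severity": "low",
            "vendorInformation": {"provider": "OtherProvider"},
            "hostStates": None, "networkConnections": None, "fileStates": None},
    ]
}

if __name__ == "__main__":
    print(build_alerts_query("hostname", "ws01.corp.example"))
    print(extract_observables(SAMPLE_RESPONSE))
    print(providers(SAMPLE_RESPONSE))
```

The request is only built here; sending it needs an OAuth bearer token with the `SecurityEvents.Read.All` permission, which is outside this example. Running the same observable unfiltered and filtered, then comparing `providers()` on both results, shows which providers are dropped by the filtered query the note describes.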