- 13 Jun 2025
Integrate Microsoft Graph with Red Canary
The Microsoft Graph integration enables Red Canary to ingest security alert data from multiple Microsoft security services. The integration uses the Microsoft Graph Security API (the aggregated alerts endpoint) to collect and process alerts from the following services:
Microsoft 365 Defender
Microsoft Cloud App Security
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365
Microsoft Entra ID Identity Protection
Once you activate the integration, you can view alerts and manage how data is ingested, all from one place. Follow the steps below to get started.
Prerequisites
Before you start the Microsoft Graph integration, please make sure the following requirements are met:
You have one of the following subscription packages:
MDR Complete (Cloud)
MDR Complete (Endpoint)
MDR Complete (Identity)
MDR Enterprise (Cloud)
MDR Enterprise (Endpoint)
MDR Enterprise (Identity)
You have a Global Administrator account in the Microsoft Entra tenant you are integrating (needed to grant admin consent to the Graph permissions).
To successfully ingest data from Microsoft services, Red Canary requires certain license types and permissions. For more information, see the following pages:
1 Red Canary | Add the Integration
Note: In the steps below, “v2” is a Red Canary reference, distinguishing our newer integration from a legacy one. It is not a reference to any Microsoft product versioning.
From your Red Canary homepage, go to the Integrations page, then click Add Integration.
On the Add integration dialog, search for Microsoft Graph, then click Configure.
On the Add Integration page, enter a name for the integration.
2 Red Canary | Choose How Red Canary Will Receive Data
In the Choose how Red Canary will receive this data section, select Microsoft Graph V2 via API Poll from the Ingest Format / Method dropdown.
Click Next.
3 Red Canary | Configure Red Canary to Retrieve Data
In the Configure Red Canary to retrieve data from this integration section:
In the Acknowledge integrations section, uncheck any Microsoft sources from which you don’t want to ingest data.
In the Microsoft Tenant ID field, enter your tenant ID.
In the Permissions section, click this consent link, which opens a permissions requested screen.
Using a Global Admin account, log in to the tenant you're integrating with Red Canary, review the permissions listed on the screen, and click Accept. Admin consent grants those permissions for the whole tenant, not just for your account. Learn more about Microsoft Graph API permissions.
Return to Red Canary and check the Confirm Microsoft Graph v2 API Access Granted box.
Click Next.
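After accepting the consent screen, it is worth confirming in the tenant that the grant actually landed before ticking the "API Access Granted" box. The script below is an added example, not Red Canary's code, and the page does not state the enterprise application's display name or the exact permissions it requests; the values in $AppDisplayName and $RequiredAppRoles are placeholders to be replaced with what the consent screen showed. It uses the Microsoft Graph PowerShell SDK to resolve the application-permission GUIDs assigned to that service principal back to permission names and compares them to the list you expect.

```powershell
# Added example (not Red Canary's code): verify that admin consent granted the expected
# application permissions on Microsoft Graph to the Red Canary enterprise application.
# ASSUMPTIONS: $AppDisplayName and $RequiredAppRoles are placeholders; take the real
# values from the consent screen you accepted.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$AppDisplayName     = 'Red Canary'                              # placeholder: name shown on the consent screen
$RequiredAppRoles   = @('SecurityAlert.Read.All')               # placeholder: permissions listed on the consent screen
$GraphResourceAppId = '00000003-0000-0000-c000-000000000000'    # well-known appId of Microsoft Graph

# Read-only scope is enough to inspect service principals and their app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Accepting the consent link creates a service principal for the app in this tenant;
# no service principal means consent never completed here (e.g. wrong tenant was signed in).
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant; consent was not completed here." }
if ($sp.Count -gt 1) { throw "Several service principals match '$AppDisplayName'; filter on appId instead." }

# Application permissions are stored as app role assignments from the client service principal
# to the Microsoft Graph service principal, keyed by opaque role GUIDs. Map GUIDs back to
# permission names using Graph's own appRoles list.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$GraphResourceAppId'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object { $roleNames[$_.AppRoleId] }

Write-Host "Application permissions granted to '$AppDisplayName' on Microsoft Graph:"
$granted | Sort-Object | ForEach-Object { Write-Host "  $_" }

# Anything on the expected list that is not granted means the poll will fail with 403s.
$missing = $RequiredAppRoles | Where-Object { $_ -notin $granted }
if ($missing) {
    Write-Warning "Missing: $($missing -join ', '). Re-open the consent link as a Global Admin and click Accept."
} else {
    Write-Host 'All expected application permissions are present.'
}
```

If the consent screen listed delegated rather than application permissions, the grant is recorded as an OAuth2 permission grant instead; inspect it with Get-MgOauth2PermissionGrant -Filter "clientId eq '<service principal id>'" and compare the Scope field. Extra permissions beyond what the consent screen listed are also worth a look, since admin consent is tenant-wide.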
4 Red Canary | Customize How Data is Handled
[OPTIONAL] In the Customize how data from this integration is handled section, enable Process Correlation if appropriate.
What is Process Correlation?
If a third-party alert platform lets you create your own rules to trigger alerts, Red Canary can correlate with the rule metadata when it displays the alerts in the timeline. To conserve API bandwidth and compute cycles, process correlation for user-defined alerts is disabled by default.
[OPTIONAL] In the Actions in the Source Platform section, disable or enable alert actions to control how Red Canary engages with alerts.
These settings manage how Red Canary engages with alerts. The table below describes the outcome of each setting when enabled.
Setting | Default State | Outcome |
As Red Canary validates the alert | Enabled | If checked, Red Canary adds comments to the alert in Microsoft Graph v2 notifying users of the current investigation status as the alert is investigated and resolved. |
When Red Canary validates the alert as non-threatening | Enabled | If checked, Red Canary resolves the alert in Microsoft Graph as |
When Red Canary validates the alert as suspicious | Disabled | If checked, Red Canary resolves the alert in Microsoft Graph as |
When Red Canary publishes a threat involving the alert | Enabled | If checked, Red Canary resolves the alert in Microsoft Graph as |
5 Red Canary | Activate the Integration
After you’ve completed the configuration, click Save to activate the integration.
The integration is now live!
You should see Microsoft security alerts start appearing in Red Canary within one hour.
Once the integration is activated, you can view the individual alert data sources you selected during setup. While you configured one "parent" integration, it centrally processes alerts from all the sources and then automatically associates each one back to its original Microsoft service. This attribution process is why each service (Defender for Endpoint, Defender for Office 365, etc.) appears as a distinct "child" alert source. From the Integrations page, you can view "child" source alert and telemetry data, but all configuration is managed at the "parent" integration level.
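If no alerts have appeared after an hour, the first question is whether the tenant is producing any through the Graph Security API at all. The script below is an added example, not Red Canary's code: it lists recent alerts from the aggregated alerts_v2 endpoint and counts them by the serviceSource property, which names the originating Microsoft product. The page does not say how Red Canary performs its parent/child attribution; this only shows the field the API exposes for that purpose. It assumes your account can consent to the delegated SecurityAlert.Read.All scope.

```powershell
# Added example (not Red Canary's code): confirm the tenant is emitting alerts through the
# Graph Security API and see which Microsoft service each alert originates from.
# ASSUMPTION: the signed-in account can consent to the delegated SecurityAlert.Read.All scope.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Security

Connect-MgGraph -Scopes 'SecurityAlert.Read.All' -NoWelcome

# Look back seven days; OData expects an ISO-8601 UTC timestamp in the filter.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# alerts_v2 is the aggregated endpoint the integration polls; -All follows @odata.nextLink paging.
$alerts = Get-MgSecurityAlertV2 -Filter "createdDateTime ge $since" -All

if (-not $alerts) {
    Write-Warning 'No alerts in the last 7 days; nothing will reach Red Canary until a source product raises one.'
    return
}

# serviceSource is the per-alert attribute that identifies the originating product
# (e.g. microsoftDefenderForEndpoint, microsoftDefenderForIdentity).
$alerts | Group-Object ServiceSource | Sort-Object Count -Descending |
    Format-Table @{ n = 'ServiceSource'; e = { $_.Name } }, Count -AutoSize
```

A source that shows alerts here but no matching "child" source in Red Canary is one you most likely unchecked in the Acknowledge integrations section during step 3; a source that shows nothing here has no alerts to send, and the detection test linked below is the quickest way to generate one.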
For more information on how to trigger a test for the integration after it's been configured, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
6 Red Canary | Modify the Integration
At the bottom of the Integrations page, click on a data source.
On the Integration configuration page, you can view or modify alerts, enable or disable Microsoft sources, or delete the integration.
Note: If you want to remove the integration, we recommend deactivating rather than deleting it, to retain its historical data.
If you want to remove a specific data source, such as Defender for Endpoint, go to the integration configuration, uncheck the source, and click Save. This will deactivate further data ingestion, but preserve historical data.