Integrate Microsoft Graph v2 with Red Canary
- 24 Jul 2024
- 2 Minutes to read
- PDF
Integrate Microsoft Graph v2 with Red Canary
- Updated on 24 Jul 2024
- 2 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
This article leads you through the process of integrating Microsoft Graph v2 with Red Canary. Follow the procedure from beginning to end.
With this integration, Microsoft customers can ingest data from the following Microsoft products:
Azure Active Directory Identity Protection v2
Microsoft 365 Defender v2
Microsoft Defender for Cloud Apps v2
Microsoft Defender for Endpoint v2
Microsoft Defender for Identity v2
Microsoft Defender for Office 365 v2
Required Microsoft licenses
Prerequisites
Required Microsoft licenses
For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.
Step 1: Red Canary–Input your Microsoft Graph v2 information
Enter your Microsoft Azure information into Red Canary to start sending your alerts.
From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A26%3A37Z&se=2024-09-20T12%3A36%3A37Z&sr=c&sp=r&sig=fMqH%2FjIyC5aiAca0Q0ySLTN0GfJEVlqcYCvbgtJLcHo%3D)
Select the third party integration and click Configure.
Enter a Name for your external alert source.
Select a Display Category. The display category is solely help you to distinguish, at a glance, where a product fits into your environment. It does not affect the configuration.
Under the Ingest Format/Method dropdown, select Microsoft Graph v2 via API Poll.
Enter your Microsoft Tenant ID.
Click Save Configuration.
Click Edit Configuration.
Under the Permissions section, click the Microsoft consent link.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A26%3A37Z&se=2024-09-20T12%3A36%3A37Z&sr=c&sp=r&sig=fMqH%2FjIyC5aiAca0Q0ySLTN0GfJEVlqcYCvbgtJLcHo%3D)
Step 2: Microsoft Graph V2–Grant Red Canary access to Microsoft Graph v2
Confirm that the Red Canary enterprise application has been configured in your Microsoft Graph v2 account.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
Click Accept.
Note: be sure your Azure Global Administrator clicks the Consent Link. For more information about Microsoft permissions, click here.
Step 3: Red Canary–Activate your Microsoft Graph v2 alert source
Enable your new Microsoft Graph v2 alert source in Red Canary.
From the Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
Click Edit Configuration.
With all of the required permission settings completed, select Confirm Microsoft Microsoft Graph v2 API Access Granted.
Click Save Configuration.
Click Edit Configuration.
Click Activate.
Note: When activating a Graph v2 alert source, any prior legacy versions of the these APIs will be automatically disabled. These will be kept in a disabled state as there is an active issue with External Alert Source deletion. When deleting an External Alert Source please note that all Alerts and data associated with that source will be removed as well. Red Canary recommends keeping legacy sources in a disabled state to retain any data of interest.
For more information on how to trigger a test for the integration after it's been configured, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
Was this article helpful?
