Integrate Microsoft Graph v2 with Red Canary
    • 24 Jul 2024
    • 2 Minutes to read

    Article summary

    This article leads you through the process of integrating Microsoft Graph v2 with Red Canary. Follow the procedure from beginning to end.

    With this integration, Microsoft customers can ingest data from the following Microsoft products:

    • Azure Active Directory Identity Protection v2

    • Microsoft 365 Defender v2

    • Microsoft Defender for Cloud Apps v2

    • Microsoft Defender for Endpoint v2

    • Microsoft Defender for Identity v2

    • Microsoft Defender for Office 365 v2

    Prerequisites

    Required Microsoft licenses

    For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.

    Step 1: Red Canary–Input your Microsoft Graph v2 information

    Enter your Microsoft Azure information into Red Canary to start sending your alerts.

    1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.

    2. Select the third-party integration and click Configure.

    3. Enter a Name for your external alert source.

    4. Select a Display Category. The display category only helps you distinguish, at a glance, where a product fits into your environment. It does not affect the configuration.

    5. Under the Ingest Format/Method dropdown, select Microsoft Graph v2 via API Poll.

    6. Enter your Microsoft Tenant ID.

    7. Click Save Configuration.

    8. Click Edit Configuration.

    9. Under the Permissions section, click the Microsoft consent link.

    Step 2: Microsoft Graph V2–Grant Red Canary access to Microsoft Graph v2

    Confirm that the Red Canary enterprise application has been configured in your Microsoft Graph v2 account.

    1. Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.

    2. Click Accept.

    Note: Be sure your Azure Global Administrator clicks the consent link. For more information about Microsoft permissions, click here.
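    Clicking Accept is the last visible step of the consent flow, but the procedure gives no way to confirm afterwards what the tenant actually recorded. When the Global Administrator consents, Entra ID creates a service principal for the application and stores the granted application permissions as appRoleAssignments on it. The script below is an added example (not Red Canary's or Microsoft's code) that reads those records through the Microsoft Graph API and resolves each one to a permission name, so an administrator can verify consent succeeded and compare the granted set against what the consent prompt displayed. Assumptions: a Graph bearer token with directory read rights, the display name of the enterprise application ("Red Canary" is assumed here; check the Enterprise applications blade for the real name), and the role ids and permission values in the embedded sample data, which are constructed and are not Red Canary's actual permission set.

```python
"""Verify what a consented enterprise application was actually granted.

After the Global Administrator accepts the consent prompt, the tenant holds a
service principal for the application and an appRoleAssignment for every
consented application permission. This script lists those assignments with
the Microsoft Graph API and names each permission so the granted set can be
checked against what the consent prompt displayed.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph resource service principal.
MS_GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"


def graph_get(token, path):
    """GET one Graph resource with a bearer token (single page; no paging)."""
    req = urllib.request.Request(
        f"{GRAPH}/{path}", headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_consent_state(token, display_name):
    """Live lookup (token needs Application.Read.All or Directory.Read.All):
    the app's service principal, its appRoleAssignments, and the appRoles
    catalogue of the Microsoft Graph resource used to name them.
    Returns (None, [], None) when no service principal exists, which means
    the consent never completed in this tenant."""
    filt = urllib.parse.quote(f"displayName eq '{display_name}'")
    sps = graph_get(token, f"servicePrincipals?$filter={filt}")["value"]
    if not sps:
        return None, [], None
    sp = sps[0]
    assignments = graph_get(
        token, f"servicePrincipals/{sp['id']}/appRoleAssignments"
    )["value"]
    filt = urllib.parse.quote(f"appId eq '{MS_GRAPH_RESOURCE_APP_ID}'")
    graph_sp = graph_get(token, f"servicePrincipals?$filter={filt}")["value"][0]
    return sp, assignments, graph_sp


def summarize_grants(assignments, resource_sp):
    """Resolve each appRoleAssignment to a permission value such as
    'SecurityAlert.Read.All'. Assignments against another resource or with an
    unknown role id are kept as labelled placeholders, never silently dropped."""
    roles = {r["id"]: r["value"] for r in resource_sp.get("appRoles", [])}
    names = []
    for a in assignments:
        if a.get("resourceId") != resource_sp["id"]:
            names.append(f"<resource {a.get('resourceId')} role {a.get('appRoleId')}>")
        else:
            names.append(roles.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>"))
    return sorted(names)


def unexpected_grants(granted, expected):
    """Granted permissions absent from the admin's expected list: anything
    here was consented beyond what the prompt was understood to show."""
    return sorted(set(granted) - set(expected))


# Constructed sample data standing in for Graph responses. The permission
# values are illustrative only; the real set is what the consent prompt shows.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "role-a", "resourceId": "sp-graph", "principalId": "sp-app"},
    {"appRoleId": "role-b", "resourceId": "sp-graph", "principalId": "sp-app"},
    {"appRoleId": "role-zz", "resourceId": "sp-graph", "principalId": "sp-app"},
]
SAMPLE_GRAPH_SP = {
    "id": "sp-graph",
    "appId": MS_GRAPH_RESOURCE_APP_ID,
    "appRoles": [
        {"id": "role-a", "value": "SecurityAlert.Read.All"},
        {"id": "role-b", "value": "SecurityIncident.Read.All"},
        {"id": "role-c", "value": "User.ReadWrite.All"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live tenant call
    # fetch_consent_state(token, "Red Canary") and feed its results in instead.
    granted = summarize_grants(SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_SP)
    print("granted:", granted)
    expected = {"SecurityAlert.Read.All", "SecurityIncident.Read.All"}
    print("unexpected:", unexpected_grants(granted, expected))
```

    The unknown-role placeholder matters in practice: a role id that the resource's appRoles catalogue does not know (for example, a permission retired since consent was given) should surface in the report rather than vanish, because an assignment still exists for it.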

    Step 3: Red Canary–Activate your Microsoft Graph v2 alert source

    Enable your new Microsoft Graph v2 alert source in Red Canary.

    1. From the Red Canary homepage, click Integrations.

    2. Scroll down, and then select your third-party security source.

    3. Click Edit Configuration.

    4. With all of the required permission settings completed, select Confirm Microsoft Graph v2 API Access Granted.

    5. Click Save Configuration.

    6. Click Edit Configuration.

    7. Click Activate.

    Note: When activating a Graph v2 alert source, any prior legacy versions of these APIs are automatically disabled. They are kept in a disabled state because there is an active issue with External Alert Source deletion. Deleting an External Alert Source also removes all Alerts and data associated with that source. Red Canary recommends keeping legacy sources in a disabled state to retain any data of interest.

    For more information on how to trigger a test for the integration after it's been configured, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
