Integrate Microsoft Graph v2 with Red Canary
- Updated on 07 Nov 2024
This article leads you through the process of integrating Microsoft Graph v2 with Red Canary. Follow the procedure from beginning to end.
With this integration, Microsoft customers can ingest data from the following Microsoft products:
Azure Active Directory Identity Protection v2
Microsoft 365 Defender v2
Microsoft Defender for Cloud Apps v2
Microsoft Defender for Endpoint v2
Microsoft Defender for Identity v2
Microsoft Defender for Office 365 v2
Prerequisites
Required Microsoft licenses
Supported Licenses | Defender for Endpoint P2 | Defender for Identity | Defender for Office 365 | Defender for Cloud Apps | Entra ID
Microsoft 365 E5/A5 | | | | |
Microsoft 365 E3/A3 | | | | |
Microsoft 365 E3/A3 + E5/A5 Security add-on | | | | |
Microsoft 365 E3/A3 + E5/A5 Compliance add-on | | | | |
Office 365 E1 | | | | |
Office 365 E3 | | | | |
Office 365 E5 | | | | |
Enterprise Mobility and Security E3 | | | | |
Enterprise Mobility and Security E5 | | | | |
Windows 11 E3 | | | | |
Windows 11 E5 | | | | |
For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.
Integration Steps
Step 1: [Red Canary] Input your Microsoft Graph v2 information
Enter your Microsoft Azure information into Red Canary to start sending your alerts.
From your Red Canary homepage, go to the Integrations page, then click Add Integration.
On the Add integration dialog, search for the Microsoft Graph v2 integration, then click Configure.
On the Add Integration page:
Enter a Name for the integration
Select Microsoft Graph V2 via API Poll in the Ingest Format / Method dropdown
Uncheck any sources from which you don’t want to ingest data
Enter your Microsoft Tenant ID
Click Save.
Locate your newly added integration in the list at the bottom of the Integrations page, then click its name to view the configuration.
Click Edit Configuration.
Under the Permissions section on the Edit Integration page, click the Microsoft consent link.
Step 2: [Microsoft] Grant Red Canary access to Microsoft Graph v2
Confirm that the Red Canary enterprise application has been configured in your Microsoft Graph v2 account.
Log in to Microsoft using a Global Admin account for the tenant that you want to integrate with Red Canary.
Click Accept on the Permissions requested screen.
Note: Be sure your Azure Global Administrator is the account that clicks the Consent Link. For more information about Microsoft permissions, see Microsoft's documentation.
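Accepting the consent link creates an enterprise application in the tenant and grants it Microsoft Graph permissions. The following PowerShell script, an added example that is not part of Red Canary's instructions, lists exactly which application and delegated permissions that enterprise application now holds so an administrator can review the grant; it uses the Microsoft.Graph PowerShell module, and the display name 'Red Canary' is an assumption that should be replaced with the name shown under Enterprise applications in the tenant.

```powershell
# Added example (not Red Canary's code): audit the permissions granted to the
# Red Canary enterprise application after the consent link has been accepted.
# Requires the Microsoft.Graph PowerShell module and a reader of applications.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$spName = 'Red Canary'   # ASSUMPTION: display name of the enterprise application
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$spName'")
if ($sp.Count -eq 0) {
    throw "No enterprise application named '$spName' exists; consent has not been granted in this tenant."
}
if ($sp.Count -gt 1) {
    throw "More than one enterprise application is named '$spName'; review them individually by object ID."
}
$sp = $sp[0]

# Application permissions: one appRoleAssignment per permission on a resource API.
# The AppRoleId is a GUID, so resolve it to its readable name (e.g. SecurityAlert.ReadWrite.All)
# through the appRoles published by the resource service principal.
$resourceCache = @{}
$appPerms = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Type       = 'Application'
        Resource   = $a.ResourceDisplayName
        Permission = $role.Value
        GrantedOn  = $a.CreatedDateTime
    }
}

# Delegated permissions (if any were consented): oauth2PermissionGrants where this app is the client.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'") {
    [pscustomobject]@{
        Type       = 'Delegated'
        Resource   = $g.ResourceId
        Permission = $g.Scope
        GrantedOn  = $g.ConsentType   # 'AllPrincipals' means tenant-wide admin consent
    }
}

Write-Host "Permissions held by '$spName' (object ID $($sp.Id)):"
@($appPerms) + @($delegated) | Format-Table -AutoSize
```

Compare the listed permissions against what the consent screen requested; anything broader than the alert read, comment and resolve operations this integration performs is worth questioning before Step 3.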
Step 3: [Red Canary] Activate the Microsoft Graph v2 integration
Enable your new Microsoft Graph v2 alert source in Red Canary.
Return to the Edit Integration page in Red Canary.
Under the Permissions section, check the Confirm Microsoft Graph v2 API Access Granted box.
Click Activate to activate the integration.
Click Save.
Note: When activating a Graph v2 alert source, any prior legacy versions of these APIs will be automatically disabled. These will be kept in a disabled state because there is an active issue with External Alert Source deletion. When deleting an External Alert Source, note that all Alerts and data associated with that source will be removed as well. Red Canary recommends keeping legacy sources in a disabled state to retain any data of interest.
For more information on how to trigger a test for the integration after it's been configured, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
Step 4: [Red Canary] Configure Alert State Sync Actions
Once the integration is active, you can configure the state sync actions to determine whether Red Canary should add comments and/or automatically close the alerts in the source platform.
Open the Edit Integration page in Red Canary.
Under the Actions in the Source Platform section, set the commenting and close options as described in the table below.
Option | Setting | Behavior
Add comments to alerts in Microsoft Graph v2… | As Red Canary validates the alert | If checked, Red Canary adds comments to the alert in Microsoft Graph v2 as the alert is investigated and resolved. (Default=checked)
Close alerts in Microsoft Graph v2… | When Red Canary validates the alert as non-threatening | If checked, Red Canary resolves the alert in Microsoft Graph v2 as Informational if the state is Not a Threat. (Default=checked)
Close alerts in Microsoft Graph v2… | When Red Canary validates the alert as suspicious | If checked, Red Canary resolves the alert in Microsoft Graph v2 as True Positive if the state is Suspicious, Highly Suspicious, or Threat but no threat has been published. (Default=unchecked)
Close alerts in Microsoft Graph v2… | When Red Canary publishes a threat involving the alert | If checked, Red Canary resolves the alert in Microsoft Graph v2 as True Positive if the state is Threat and a threat has been published. (Default=checked)
Click Save when done.