Versions Compared

Old Version 2

changes.mady.by.user Anthony Shevlin

Saved on

compared with

New Version 3

changes.mady.by.user Anthony Shevlin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

Anchor
alerts
alerts
Alerts

Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph alerts entity, you can unify and streamline management of security issues across all integrated solutions.

Alerts Security Providers:

...

Currently, the Microsoft Graph collector generates security activities for these resources. The collector processes the Microsoft Graph responses and sends them to the Devo platform, which will categorize all the information received on tables along rows and columns on your Devo domain.

Microsoft Graph resources

Listed in the table below are the application names, details, and how the Devo platform treats the data and to which tables sends it:

Application name

Details

Devo data tables

alerts

Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions.

cloud.msgraph.security.alerts

secureScore

Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held.

cloud.msgraph.security.scores

secureScoreControlProfile

Represents a tenant's secure score per control data. By default, it returns all controls for a tenant and can explicitly pull individual controls.

cloud.msgraph.security.scorecontrol

...

Rw ui tabs macro
Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Anchor
structure
structure
Structure

The following directory structure should be created for being used when running the Microsoft Graphcollector:

Code Block
<any_directory>
└── devo-collectors/
    └── msgraph/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/ 
            └── config-msgraph.yaml

Anchor
devocredentials
devocredentials
Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <any directory>/devo-collectors/msgraph/certs. Learn more about security credentials in Devo here.

Anchor
awscredentials
awscredentials
Editing the config-msgraph.yaml file

In the config-msgraph.yaml file, replace the <short_unique_identifier>, <tenant_id_value>, <client_id_value>, and <client_secret_value> values and enter the ones that you got in the previous steps. See inline comments to better understand the file.

Code Block
globals:
  debug: False
  id: not_used
  name: microsoft_graph
  persistence:
#    type: redis                                               # Redis persistence (uncomment lines to activate it and set the proper values, also comment the filesystem)
#    config:
#      host: 192.168.56.10
#      port: 6379
#      password:
#      db: 0
#      socket_timeout: 5
    type: filesystem                                           # File system persistence ON
    config:
      directory_name: state                                    # Directory where the persistence will be saved in case of using filesystem
outputs:
  devo_1:                                                      # Cloud Devo config EU (for US use us.elb.relay.logtrust.net)
    type: devo_platform
    config:        
      address: eu.elb.relay.logtrust.net
      port: 443
      type: SSL
      chain: chain.crt
      cert: <certificate>.crt
      key: <certificate>.key
inputs:
  microsoft_graph:
    id: <short_unique_identifier>                              # The value of this field will be used internally for having independent persistence areas
    enabled: true
    requests_per_second: 5                                     # Setup how many request API por second
    autoconfig:
      enable: true                                             # Autoconfig always True for this collector
      refresh_interval_in_seconds: 60                          # Setting up the time for executing autoconfig interval. 60sec is recommended.
    credentials:
      tenant_id: <tenant_id_value>                             # Azure Directory Tenant ID
      client_id: <client_id_value>                             # Application client ID
      client_secret: <client_secret_value>                     # Application client secret
    services:                                                  # Services available for this collector are Alerts, Secure Score and Secure score control profile
      alerts:                                           
        request_period_in_seconds: 60                          # Setting up time interval between API requests. 60sec is recommended.                
#        start_time: "9999-12-31T23:59:59.999Z"                 # Collector Initial time. if this is blank or the data format is not valid, "time now" will be auto filled. 
      secure_scores:
        request_period_in_seconds: 86400                       # 86400 seconds => 1day in seconds, this is the recommended value, but it can be changed
#        start_time: "9999-12-31T23:59:59Z"
      secure_score_control_profile:
        request_period_in_seconds: 86400                       # 86400 seconds => 1day in seconds, this is the recommended value, but it can be changed
Info

If you need to use a custom tag for generated messages, it can be done using the property tag inside any of the available services: alerts, secure_scores, and/or secure_score_control_profile. For example: tag: my.app.msgraph_security.{service_name}

Note

The start_time fields are optional. Follow these formats if you need to use them:

Alerts “start_time” format: 0000-00-00T00:00:000Z

Secure Scores “start_time” format: 0000-00-00T00:00:00Z

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-msgraph-docker-image-1.1.3.tgz

777710bc6194664194796699ea6daade31f20ead5b461894082651e617154dce

Use the following command to add the Docker image to the system:

Code Block
gunzip -c collector-msgraph-docker-image-<version>.tgz | docker load
Info

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace "<version>" with a proper value.

The Docker image can be deployed on the following services:

  • Docker

  • Docker Compose

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/msgraph/

Code Block
docker run \
--name collector-msgraph \
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-msgraph.yaml \
--rm -it docker.devo.internal/collector/msgraph:<version>
Note

Replace <version> with a proper value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/msgraph/ directory.

Code Block
version: '3'
services:
  collector-msgraph:
    build:
      context: .
      dockerfile: Dockerfile
    image: docker.devo.internal/collector/msgraph:${IMAGE_VERSION:-latest}
    container_name: collector-msgraph
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-msgraph.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/msgraph/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <version> with a proper value.

...