...
Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph alerts entity, you can unify and streamline management of security issues across all integrated solutions.
Alerts Security Providers:
...
Currently, the Microsoft Graph collector generates security activities for these resources. The collector processes the Microsoft Graph responses and sends them to the Devo platform, which categorizes the received information into tables (rows and columns) in your Devo domain.
Microsoft Graph resources
The table below lists the application names, their details, and the Devo tables to which the platform sends the data:
Application name | Details | Devo data tables |
---|---|---|
alerts | Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions. | |
secureScore | Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. | |
secureScoreControlProfile | Represents a tenant's secure score per control data. By default, it returns all controls for a tenant and can explicitly pull individual controls. | |
Info: For more information about the Microsoft Graph API, visit the Microsoft Graph Reference.
...
Setting up permissions on the subscription
Go to the Azure portal and click Azure Active Directory.
Click App registrations → New registration to create a new app.
...
On the Register an Application page, give your application a name.
After registering the app, it will be displayed in a list on the App registration page. Click your app to give it permissions and configure it. You’ll see the app on the dashboard with some important information, docs, and endpoints.
On the left menu, click Authentication → Add a platform →
...
Mobile and desktop applications.
...
You must select the 3
...
redirect URIs:
Leave Custom redirect URIs blank and click Configure.
On the left menu, click API permissions
...
and check if you already have Microsoft Graph on the API / Permission list. If not, click
...
Add permission and add Microsoft Graph.
...
Now select Application permissions and search for Security
...
. Then check
Permission reference per service
Application name | Permissions | Docs |
---|---|---|
alerts | | |
secureScore | | |
secureScoreControlProfile | | |
directoryAudit (“audit”) | | |
provisioningObjectSummary (“provisioning”) | | |
signIns (“signIn”) | | List signIns - Microsoft Graph v1.0 |
authentication | | Microsoft Graph permissions reference - Microsoft Graph v1.0 |
Note: Troubleshooting. If you get this error “Unable to save changes. One or more of the following permission(s) are currently not supported: SecurityEvents.ReadWrite.All, SecurityEvents.Read.All, SecurityActions.Read.All, SecurityActions.ReadWrite.All. Please remove these permission(s) and retry your request. [O6b9]”, you might not have set up the permission correctly. Make sure that your configuration is exactly the same as in the green box in the capture above.
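A quick way to confirm that the permissions granted in the steps above are application permissions, and no broader than the collector needs, is to inspect the `roles` claim of an access token issued to the app. This is an added example, not part of the Devo or Microsoft documentation; the required permission set, the function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Graph token)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_permissions(token: str, required: set) -> dict:
    """Compare the token's granted application permissions with the required set."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))  # app-only tokens carry permissions in "roles"
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "write_access": sorted(p for p in granted if ".ReadWrite." in p),
        # "scp" only appears in delegated tokens, so its presence means the
        # wrong permission type was selected for an unattended collector.
        "delegated": "scp" in claims,
    }


# Assumption: the collector only needs read access to security events.
REQUIRED = {"SecurityEvents.Read.All"}

# Constructed sample: an app registration granted more than the collector needs.
SAMPLE = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["SecurityEvents.Read.All", "SecurityActions.ReadWrite.All"],
})

if __name__ == "__main__":
    print(audit_app_permissions(SAMPLE, REQUIRED))
```

Any entry under `excess` or `write_access` is a candidate for removal from the app registration before the collector's credentials are deployed.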
...
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
This data collector can run on any machine that has the Docker service available, because it is executed as a Docker container. The following sections explain how to prepare the setup required to run the data collector.
The following directory structure should be created for use when running the Microsoft Graph collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
In the config-msgraph.yaml file, replace the
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
...