Microsoft Graph collector
Service description
Microsoft Graph provides access to many services such as Microsoft 365, Office 365, Outlook, and others. At the moment, the Microsoft Graph collector only handles security alerts and secure scores retrieved from Microsoft products. This lets customers streamline security operations and better defend against increasing cyber threats. The Microsoft Graph collector includes the two key entities described in the following sections:
Alerts
Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph alerts entity, you can unify and streamline management of security issues across all integrated solutions.
Alert security providers:
Azure Security Center
Azure Active Directory Identity Protection
Microsoft Cloud App Security
Microsoft Defender Advanced Threat Protection
Azure Advanced Threat Protection
Cloud App Security (Update coming soon from MS Graph)
Azure Information Protection
Azure Sentinel
Secure Scores
Microsoft Secure Score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time.
The Microsoft Graph secure score and secureScoreControlProfile entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
Data source description
Currently, the Microsoft Graph collector generates security activities for these resources. The collector processes the Microsoft Graph responses and sends them to the Devo platform, which stores the received information in tables (rows and columns) in your Devo domain.
Microsoft Graph resources
The table below lists the application names, their details, and the Devo data tables the platform sends the data to:

Application name | Details | Devo data tables
---|---|---
alerts | Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions. |
secureScore | Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. |
secureScoreControlProfile | Represents a tenant's secure score per control data. By default, it returns all controls for a tenant and can explicitly pull individual controls. |
For more info about Microsoft Graph API, visit Microsoft Graph Reference.
Setup
The Microsoft Graph data collector works on top of Microsoft products such as Azure Active Directory. To activate the alerts and secure score resources of the Microsoft Graph API, you need a subscription on Azure Active Directory and an app registration, and the resources must be configured with the right permissions for the collector to work properly.
Setting up permissions on the subscription
Go to the Azure portal and click Azure Active Directory.
Click App registrations → New registration to create a new app.
On the Register an Application page, give your application a name.
On Supported Accounts Type, select the third option (Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) )
On Redirect URI (optional), leave it blank (as default) and click Register.
After registering the app, it will be displayed in a list on the App registration page. Click your app to give it permissions and configure it. You’ll see the app on the dashboard with some important information, docs, and endpoints.
On the left menu, click Authentication → Add a platform → Mobile and desktop applications.
Select the three redirect URIs and click Configure.
On the left menu, click API permissions and check if you already have Microsoft Graph on the API/ Permission list. If not, click Add permission and add Microsoft Graph.
Now select Application permissions and search for Security. Check all the boxes available for the service. Then repeat the same process for Audit and User. If you have done everything correctly, your permissions will display as shown in the green box. Finally, click Grant admin consent for the application.
Troubleshooting
If you get the error “Unable to save changes. One or more of the following permission(s) are currently not supported: SecurityEvents.ReadWrite.All, SecurityEvents.Read.All, SecurityActions.Read.All, SecurityActions.ReadWrite.All. Please remove these permission(s) and retry your request. [O6b9]”, you might not have set up the permissions correctly. Make sure that your configuration is exactly the same as in the green box in the capture above.
Authentication
After applying the permissions, select Certificates & secrets → New client secret, enter the desired name, and copy the secret value.
The secret value is displayed only once. If you do not copy it, you will have to create another one.
Getting the credentials
After creating the token, go to Overview to get your Tenant ID and Client ID. This information will be used on the collector server to run the application.
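The following script is an added example and is not part of the Devo collector or of Microsoft's code. It shows what the collector does with the Tenant ID, Client ID and client secret obtained above: it requests a token through the OAuth 2.0 client-credentials flow, checks that the token actually carries the Security application permission that the setup section grants (SecurityEvents.Read.All, one of the permissions named in the troubleshooting message, is the read permission the two GET calls below need), and then pages through the alerts and secureScore resources described in the data source section. The environment variable names GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET, and all sample tokens, alerts and scores, are constructed for this example.

```python
"""Added example: verify an app registration against Microsoft Graph security
resources using the client-credentials flow. Not part of the Devo collector."""
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# Read permission required for GET /security/alerts and /security/secureScores.
REQUIRED_ROLES = {"SecurityEvents.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (URL and form-encoded body)."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def token_roles(access_token):
    """Return the application permissions (the 'roles' claim) in an access token.
    The payload is decoded WITHOUT signature verification: this only inspects
    what the tenant admin consented to, it never establishes trust in the token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Permissions that were not granted (admin consent missing or boxes unchecked)."""
    return sorted(required - token_roles(access_token))


def collect_pages(first_page, fetch):
    """Follow @odata.nextLink until the Graph collection is exhausted."""
    items, page = [], first_page
    while True:
        items.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return items
        page = fetch(next_link)


def summarize_alerts(alerts):
    """Count alerts per (provider, severity), the first two fields a SOC triages on."""
    summary = {}
    for alert in alerts:
        key = (alert.get("vendorInformation", {}).get("provider", "unknown"),
               alert.get("severity", "unknown"))
        summary[key] = summary.get(key, 0) + 1
    return summary


def latest_score(scores):
    """Return (currentScore, maxScore) of the newest secureScore entry."""
    newest = max(scores, key=lambda s: s["createdDateTime"])
    return newest["currentScore"], newest["maxScore"]


def make_sample_token(roles):
    """Constructed, unsigned JWT for offline testing of token_roles (not a real Graph token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'aud': 'https://graph.microsoft.com', 'roles': roles})}.sig"


# Constructed two-page alerts response and score history, shaped like Graph v1.0 output.
SAMPLE_FIRST_PAGE = f"{GRAPH}/security/alerts?$top=2"
SAMPLE_PAGES = {
    SAMPLE_FIRST_PAGE: {
        "value": [
            {"id": "a1", "severity": "high", "vendorInformation": {"provider": "Azure Sentinel"}},
            {"id": "a2", "severity": "medium", "vendorInformation": {"provider": "Azure Sentinel"}},
        ],
        "@odata.nextLink": f"{GRAPH}/security/alerts?$top=2&$skiptoken=page2",
    },
    f"{GRAPH}/security/alerts?$top=2&$skiptoken=page2": {
        "value": [
            {"id": "a3", "severity": "high", "vendorInformation": {"provider": "Azure Security Center"}},
        ],
    },
}
SAMPLE_SCORES = [
    {"createdDateTime": "2023-01-01T00:00:00Z", "currentScore": 41.0, "maxScore": 100},
    {"createdDateTime": "2023-01-02T00:00:00Z", "currentScore": 43.5, "maxScore": 100},
]


def graph_get(url, access_token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main():
    """Live run against the tenant configured in the environment."""
    url, body = token_request(os.environ["GRAPH_TENANT_ID"], os.environ["GRAPH_CLIENT_ID"],
                              os.environ["GRAPH_CLIENT_SECRET"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_roles(token)
    if missing:
        raise SystemExit(f"admin consent missing for: {missing}")   # same root cause as the [O6b9] error
    fetch = lambda u: graph_get(u, token)
    alerts = collect_pages(fetch(f"{GRAPH}/security/alerts?$top=50"), fetch)
    scores = collect_pages(fetch(f"{GRAPH}/security/secureScores?$top=30"), fetch)
    print("alerts by provider/severity:", summarize_alerts(alerts))
    print("latest secure score:", latest_score(scores))


if __name__ == "__main__":
    main()
```

Run it once right after granting admin consent: if `missing_roles` reports anything, the token was issued but the app lacks the Security permission, which is the same condition the troubleshooting section describes, and the collector will receive 403 responses for the alerts and secureScore resources until the permissions are fixed.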
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).