About the Device
The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Graph |
Type of Device | Cloud |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol | Log Collection Method | Data Source |
---|---|---|---|---|
Microsoft Graph API Alerts | MICROSOFT_GRAPH_ALERT | JSON | C2C | https://cloud.google.com/chronicle/docs/reference/feed-management-api#microsoft-graph-alert |
Device configuration
1. Sign in to the Azure portal.
2. Navigate to Microsoft Entra ID.
3. Click App registrations.
4. Click New registration and create an application.
5. Copy the Client ID and Tenant ID; these will be required for integration.
6. Click API permissions.
7. Click Add a permission and then select Microsoft Graph.
8. Click Application permissions.
If using hostname graph.microsoft.com/v1.0/security/alerts in integration parameters: expand SecurityActions and SecurityEvents, select Read.All permissions under both, and click Add permissions.
If using hostname graph.microsoft.com/beta/security/alerts_v2 in integration parameters: grant the SecurityAlert.Read.All permission.
9. Click Grant Admin consent for Default Directory.
10. Click Certificates & secrets.
11. Click New Client secret and create a new key.
12. Copy the Secret Value displayed; this will be required for integration.
The Secret Value is displayed only once, so copy it before leaving this page.
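The following added example (not part of the original guide, nor Microsoft or Google code) checks an access token issued to the registered application against the steps above: the tenant ID, the client ID, and the application permissions required for the chosen API path, flagging both missing consent and permissions the feed does not need. The function names and the sample token are constructed for illustration; it assumes the `tid`, `appid`/`azp` and `roles` claims of an Entra ID app-only token, and it decodes the payload without verifying the signature, so it is a diagnostic only.

```python
import base64
import json

# Application permissions the page lists for each API full path.
REQUIRED_ROLES = {
    "graph.microsoft.com/v1.0/security/alerts":
        {"SecurityEvents.Read.All", "SecurityActions.Read.All"},
    "graph.microsoft.com/beta/security/alerts_v2": {"SecurityAlert.Read.All"},
}

def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_feed_token(token, api_full_path, tenant_id, client_id):
    """Return a list of problems; an empty list means the claims match the setup."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    required = REQUIRED_ROLES[api_full_path]
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token issued for a different tenant")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("token issued to a different client ID")
    for role in sorted(required - roles):
        problems.append("missing permission or admin consent: " + role)
    for role in sorted(roles - required):  # least privilege: flag extras
        problems.append("permission not needed by this feed: " + role)
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc(claims), "constructed"])

TENANT = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
CLIENT = "00000000-0000-0000-0000-000000000002"  # constructed placeholder
SAMPLE = make_sample_token({"tid": TENANT, "appid": CLIENT,
                            "roles": ["SecurityEvents.Read.All", "User.Read.All"]})

if __name__ == "__main__":
    path = "graph.microsoft.com/v1.0/security/alerts"
    for problem in check_feed_token(SAMPLE, path, TENANT, CLIENT):
        print(problem)
```

An empty result for the chosen path means consent has been granted for exactly the permissions this feed uses.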
Integration Parameters
Parameters required from the customer for integration:
Property | Default Value | Description |
---|---|---|
OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app. |
TENANT ID | N/A | Specify the Entra ID (tenant ID). |
API FULL PATH | API full path For alerts_v2 please use: | |
API AUTHENTICATION ENDPOINT | The Microsoft Active Directory authentication endpoint. | |
ASSET NAMESPACE | N/A | To assign an asset namespace to all events that are ingested from a particular feed, set the |