Office 365 and Azure Integration Guide
Secureworks® Taegis™ XDR can ingest data from Microsoft Office 365, the Microsoft Graph Security API, and the Azure AD audit logs, using the Office 365 Management API, the Graph Security API, and the Azure AD Audit Log API (part of the Microsoft Graph API), respectively. Configuration is done in Secureworks® Taegis™ XDR; you must authorize Secureworks® Taegis™ XDR to work with each Microsoft service you want to integrate. Multiple Microsoft accounts can be monitored for the same service. Navigate to Integrations > Cloud APIs in Secureworks® Taegis™ XDR to set it up.
Manage Azure Integrations in Secureworks® Taegis™ XDR
Available Integrations ⫘
Secureworks® Taegis™ XDR offers the in-app integrations with Microsoft Office 365 and Azure Active Directory described in the sections below, subject to the following regional limitations.
- Azure integrations are supported in US and EU regions, but may not be supported by Microsoft in other regions. Contact Microsoft directly to verify their support of services in other regions.
- Azure Active Directory and Microsoft 365 integrations are available for the global Azure cloud. Other national clouds, such as Azure Government, Azure China 21Vianet, and Azure Germany, are currently not supported.
Office 365 Management API ⫘
This integration has been superseded by the new Microsoft Office 365 Management API integration.
The Office 365 Management Activity API provides auditing information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. Secureworks® Taegis™ XDR needs authorization from Azure AD and the Office 365 Management API in order to receive your data.
You must turn on Office 365 audit logging for Secureworks® Taegis™ XDR to receive data from it. Audit logging for Office 365 is off by default. For more information, see Turn Office 365 audit log search on or off.
For more information on the Office 365 Management Activity API, see the Office 365 Management APIs Overview.
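The Office 365 Management Activity API is pull-based: a client starts a subscription per content type, lists the content blobs produced for a time window, and then fetches each blob. The script below walks that flow end to end. It is an added example, not Taegis XDR code or Microsoft sample code, and it replaces the real service with a canned transport that returns constructed responses so it runs offline; the tenant id, blob ids and audit records are placeholders, and the bearer token a real client must send is out of scope.

```python
"""Added example (not Taegis XDR code): how a client drives the Office 365
Management Activity API. The transport is a stand-in with constructed
responses; tenant id, blob ids and audit records are all made up."""
from datetime import datetime, timedelta, timezone

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
BASE = f"https://manage.office.com/api/v1.0/{TENANT}/activity/feed"
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General"]

def iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M")  # the API takes yyyy-MM-ddTHH:mm

def start_subscriptions(send, content_types):
    """POST .../subscriptions/start?contentType=X once per content type.
    Only types the service reports as enabled are returned; a non-200 here
    usually means consent or unified audit logging (off by default) is missing."""
    enabled = []
    for ct in content_types:
        status, body, _ = send("POST", f"{BASE}/subscriptions/start?contentType={ct}")
        if status == 200 and body.get("status") == "enabled":
            enabled.append(ct)
    return enabled

def list_content(send, content_type, start, end):
    """GET .../subscriptions/content for a window of at most 24 hours and
    follow the NextPageUri response header until the listing is exhausted."""
    if end - start > timedelta(hours=24):
        raise ValueError("content listing windows must be 24 hours or less")
    url = (f"{BASE}/subscriptions/content?contentType={content_type}"
           f"&startTime={iso(start)}&endTime={iso(end)}")
    blobs = []
    while url:
        status, body, headers = send("GET", url)
        if status != 200:
            raise RuntimeError(f"content listing failed: {status} {body}")
        blobs.extend(body)
        url = headers.get("NextPageUri")
    return blobs

def fetch_records(send, blobs):
    """Each blob's contentUri returns a JSON array of audit records. A record
    can appear in more than one blob, so de-duplicate on Id."""
    records = {}
    for blob in blobs:
        status, body, _ = send("GET", blob["contentUri"])
        if status != 200:
            raise RuntimeError(f"blob fetch failed: {status} {blob['contentId']}")
        for rec in body:
            records.setdefault(rec["Id"], rec)
    return sorted(records.values(), key=lambda r: r["CreationTime"])

def ingest(send, start, end, content_types=CONTENT_TYPES):
    enabled = start_subscriptions(send, content_types)
    blobs = [b for ct in enabled for b in list_content(send, ct, start, end)]
    return enabled, fetch_records(send, blobs)

# ---- constructed responses standing in for the real service ----
BLOB_1 = [
    {"Id": "rec-1", "CreationTime": "2024-05-01T10:00:00", "RecordType": 8,
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@contoso.example", "ResultStatus": "Success"},
    {"Id": "rec-2", "CreationTime": "2024-05-01T10:05:00", "RecordType": 8,
     "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "UserId": "admin@contoso.example", "ResultStatus": "Success"},
]
BLOB_2 = [
    BLOB_1[1],  # repeated on purpose: the same record in two blobs
    {"Id": "rec-3", "CreationTime": "2024-05-01T10:20:00", "RecordType": 15,
     "Operation": "UserLoginFailed", "Workload": "AzureActiveDirectory",
     "UserId": "bob@contoso.example", "ResultStatus": "Failed"},
]

def canned_transport(method, url):
    """Returns (status, json body, response headers) like a thin HTTP wrapper."""
    if method == "POST" and "/subscriptions/start?" in url:
        ct = url.rsplit("contentType=", 1)[1]
        return 200, {"contentType": ct, "status": "enabled", "webhook": None}, {}
    if method == "GET" and "/subscriptions/content?" in url:
        ct = url.split("contentType=")[1].split("&")[0]
        if ct != "Audit.AzureActiveDirectory":
            return 200, [], {}  # no blobs for the other workloads in this sample
        if "&page=2" not in url:
            page1 = [{"contentId": "blob-1", "contentType": ct,
                      "contentUri": f"{BASE}/audit/blob-1"}]
            return 200, page1, {"NextPageUri": url + "&page=2"}
        page2 = [{"contentId": "blob-2", "contentType": ct,
                  "contentUri": f"{BASE}/audit/blob-2"}]
        return 200, page2, {}
    if method == "GET" and url.endswith("/audit/blob-1"):
        return 200, BLOB_1, {}
    if method == "GET" and url.endswith("/audit/blob-2"):
        return 200, BLOB_2, {}
    return 404, {"error": "unknown request"}, {}

def run_sample():
    end = datetime(2024, 5, 1, 11, tzinfo=timezone.utc)
    return ingest(canned_transport, end - timedelta(hours=1), end)

if __name__ == "__main__":
    enabled, recs = run_sample()
    print("enabled:", enabled)
    for r in recs:
        print(r["CreationTime"], r["Operation"], r["UserId"], r["ResultStatus"])
```

Two points the flow makes visible: the listing is paged through a response header rather than a link in the body, and the same record can be delivered in more than one blob, so any consumer that counts or alerts on these records needs the Id-keyed de-duplication step.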
Microsoft Graph Security API ⫘
The Microsoft Graph Security API provides a federated API to ingest from multiple Microsoft security products. Secureworks® Taegis™ XDR needs authorization to access your Microsoft Graph Security API data. For more information, including the authorization levels required to query information from the Graph Security API, see the Microsoft Graph Authorization Documentation and the Microsoft Graph Security API Overview.
Security Alerts from Graph Security API Alerts Endpoint ⫘
Microsoft has implemented security analysis across many different products. Secureworks® Taegis™ XDR retrieves those Microsoft alerts in near real time and presents them as alerts in Secureworks® Taegis™ XDR.
These alerts include those from:
- Microsoft Defender for Cloud
- Azure Active Directory Identity Protection
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Office 365
  - Default Alert Policies
  - Cloud App Security
  - Custom Alert
- Azure Information Protection
- Azure Sentinel
Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps.
Alerts are ingested using the Microsoft REST APIs on a polling basis, with new data being requested every minute. For information on data availability, see Office 365 and Azure Data Availability.
Secureworks® Taegis™ XDR relays the alerts provided by the Graph Security API. These do not include the raw telemetry needed for enrichment, context, and proprietary analytics. An alert-only integration provides single-pane-of-glass views, but not the information required for deep analysis.
The availability of these security products depends on which Microsoft subscriptions and licensing you have and what you have authorized Secureworks® Taegis™ XDR to access. For more information, see https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0.
Some alerts originating from Office 365 may appear in the data from both the Office 365 Management API integration and the MS Graph Security integration.
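The polling model described above, as an added example that is not Taegis XDR code: a poller for the Graph Security API alerts endpoint of the kind a one-minute ingestion loop would run. It filters on `createdDateTime` from a watermark, follows `@odata.nextLink`, keeps a set of delivered alert ids (the `ge` filter re-returns the alert that set the watermark, so a watermark alone is not enough), and marks alerts whose provider is Office 365 as candidates for the Office 365 Management API overlap noted above. The provider string checked, the alert records and the stand-in Graph responses are constructed for illustration; a real client adds a bearer token to each request.

```python
"""Added example (not Taegis XDR code): watermark-plus-seen-set polling of
GET /security/alerts. Provider strings and responses are constructed."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlparse

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed vendorInformation.provider value for Office 365 alerts; confirm it
# against the alerts your own tenant returns.
O365_PROVIDERS = {"Office 365 Security and Compliance"}
PAGE_SIZE = 2  # small on purpose so the sample exercises pagination

def to_graph_ts(ts):
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def from_graph_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def alerts_url(since):
    flt = f"createdDateTime ge {to_graph_ts(since)}"
    return (f"{GRAPH}/security/alerts?$filter={quote(flt)}"
            f"&$orderby=createdDateTime%20asc&$top={PAGE_SIZE}")

class AlertPoller:
    def __init__(self, send, since):
        self.send = send    # send(method, url) -> (status, json body)
        self.since = since  # watermark: createdDateTime of the newest alert seen
        self.seen = set()   # ids already delivered downstream

    def poll(self):
        """One polling round: every alert not yet delivered, oldest first."""
        new, url = [], alerts_url(self.since)
        while url:
            status, body = self.send("GET", url)
            if status != 200:
                raise RuntimeError(f"alerts query failed: {status} {body}")
            for alert in body.get("value", []):
                if alert["id"] in self.seen:
                    continue  # watermark overlap or a re-sent page
                self.seen.add(alert["id"])
                provider = alert.get("vendorInformation", {}).get("provider")
                alert["possibleO365Duplicate"] = provider in O365_PROVIDERS
                new.append(alert)
                created = from_graph_ts(alert["createdDateTime"])
                if created > self.since:
                    self.since = created
            url = body.get("@odata.nextLink")
        return new

ALL_ALERTS = [  # constructed alerts in the shape of the v1.0 alert resource
    {"id": "a1", "createdDateTime": "2024-05-01T10:00:00Z", "severity": "medium",
     "title": "Anonymous IP address",
     "vendorInformation": {"vendor": "Microsoft", "provider": "IPC"}},
    {"id": "a2", "createdDateTime": "2024-05-01T10:00:30Z", "severity": "high",
     "title": "Malware campaign detected after delivery",
     "vendorInformation": {"vendor": "Microsoft",
                           "provider": "Office 365 Security and Compliance"}},
    {"id": "a3", "createdDateTime": "2024-05-01T10:00:45Z", "severity": "high",
     "title": "Suspicious PowerShell command line",
     "vendorInformation": {"vendor": "Microsoft", "provider": "Microsoft Defender ATP"}},
]

def canned_graph(method, url):
    """Stand-in for Graph: honours the $filter watermark, pages via $skiptoken."""
    q = parse_qs(urlparse(url).query)
    since = from_graph_ts(q["$filter"][-1].split(" ge ")[1])
    skip = int(q.get("$skiptoken", ["0"])[-1])
    matching = [a for a in ALL_ALERTS if from_graph_ts(a["createdDateTime"]) >= since]
    body = {"value": [dict(a) for a in matching[skip:skip + PAGE_SIZE]]}
    if skip + PAGE_SIZE < len(matching):
        body["@odata.nextLink"] = f"{url}&$skiptoken={skip + PAGE_SIZE}"
    return 200, body

def run_sample():
    poller = AlertPoller(canned_graph, datetime(2024, 5, 1, 9, 59, tzinfo=timezone.utc))
    first = poller.poll()   # three alerts over two pages
    second = poller.poll()  # 'ge' re-returns a3; the seen set suppresses it
    return first, second, poller.since

if __name__ == "__main__":
    first, second, since = run_sample()
    for a in first:
        flag = "possible O365 duplicate" if a["possibleO365Duplicate"] else ""
        print(a["createdDateTime"], a["severity"], a["title"], flag)
    print("second round:", len(second), "new; watermark now", to_graph_ts(since))
```

The seen set is what prevents the same alert from being raised twice across rounds; in a long-running collector it would be bounded (for example, pruned to ids newer than the watermark minus a few minutes) rather than kept forever.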
Azure Active Directory Identity Protection—Risk Detection ⫘
You can set up Secureworks® Taegis™ XDR to receive risk detection alerts from your Azure AD account(s). For more information, see Azure AD Identity Protection Risk Detection Overview.
Please note that this requires an Azure AD Premium P1 or P2 license.
Multiple Risk Detection integrations can use the same Azure Tenant ID, provided each Risk Detection integration is given a unique name.
Azure Active Directory — Monitoring ⫘
This integration has been superseded by the Microsoft Azure Active Directory Activity Reports integration.
You can set up Secureworks® Taegis™ XDR to receive security data from your Azure AD account(s). This single integration runs two queries that provide different sets of data: List signIns and Get directoryAudit. Each is listed in the Cloud API Integrations table as a separate entry.
Please note that this requires an Azure AD Premium P1 license. The required permissions are documented in the Microsoft Graph documentation for the List signIns and Get directoryAudit calls.
Events are ingested using the Microsoft REST APIs on a polling basis, with new data being requested every minute. Once the data is ingested, it usually takes 30 minutes to appear in Secureworks® Taegis™ XDR, but could take up to an hour.
In a federated Azure AD environment, the AD audit data may contain incomplete (null) values for some fields, which can prevent some Secureworks® Taegis™ XDR detections from alerting correctly. Clients are advised to use Azure AD Connect Health to monitor the health of their connections to Azure AD.
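Before relying on sign-in detections in a federated tenant, it is worth measuring how complete the List signIns data actually is. The script below is an added example, not Taegis XDR code: it computes the null rate of a set of fields per record, overall and split by `tokenIssuerType` (a real signIn field whose values include `AzureAD` and `ADFederationServices`), so that gaps introduced by the federated identity provider stand out. `KEY_FIELDS` is an assumption about what sign-in detections commonly key on, and the four sign-in records are constructed rather than taken from a tenant.

```python
"""Added example (not Taegis XDR code): completeness check over signIn
records. KEY_FIELDS is assumed; SAMPLE_SIGNINS is constructed data."""
from collections import Counter, defaultdict

KEY_FIELDS = [  # assumed; replace with the fields your detections rely on
    "userPrincipalName", "ipAddress", "appDisplayName", "clientAppUsed",
    "location.countryOrRegion", "status.errorCode",
    "deviceDetail.operatingSystem",
]

def get_path(record, path):
    """Follow a dotted path through nested dicts; None if any hop is absent."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or cur.get(key) is None:
            return None
        cur = cur[key]
    return cur

def audit_signins(records, fields=KEY_FIELDS, threshold=0.25):
    """Null rate per field, overall and per tokenIssuerType, plus the fields
    whose overall null rate reaches the threshold and the records affected."""
    overall, per_issuer, issuer_total = Counter(), defaultdict(Counter), Counter()
    incomplete = []
    for rec in records:
        issuer = rec.get("tokenIssuerType") or "unknown"
        issuer_total[issuer] += 1
        missing = [f for f in fields if get_path(rec, f) in (None, "")]
        for f in missing:
            overall[f] += 1
            per_issuer[issuer][f] += 1
        if missing:
            incomplete.append((rec.get("id"), issuer, missing))
    total = max(len(records), 1)
    null_rates = {f: overall[f] / total for f in fields}
    return {
        "total": len(records),
        "nullRates": null_rates,
        "byIssuer": {iss: {f: per_issuer[iss][f] / n for f in fields}
                     for iss, n in issuer_total.items()},
        "fieldsOverThreshold": sorted(f for f, r in null_rates.items() if r >= threshold),
        "incompleteRecords": incomplete,
    }

def _signin(id_, issuer, upn, ip, country):
    """Build a constructed record shaped like a Graph signIn resource."""
    return {
        "id": id_, "tokenIssuerType": issuer, "userPrincipalName": upn,
        "ipAddress": ip, "appDisplayName": "Office 365 Exchange Online",
        "clientAppUsed": "Browser",
        "location": {"countryOrRegion": country} if country else None,
        "status": {"errorCode": 0},
        "deviceDetail": {"operatingSystem": "Windows 10"},
    }

SAMPLE_SIGNINS = [  # constructed, not real tenant data
    _signin("s1", "AzureAD", "alice@contoso.example", "203.0.113.10", "US"),
    _signin("s2", "AzureAD", "bob@contoso.example", "198.51.100.7", "DE"),
    _signin("s3", "ADFederationServices", "carol@contoso.example", None, None),
    _signin("s4", "ADFederationServices", "dave@contoso.example", None, None),
]

def run_sample():
    return audit_signins(SAMPLE_SIGNINS)

if __name__ == "__main__":
    result = run_sample()
    for issuer, rates in result["byIssuer"].items():
        print(issuer, {f: round(r, 2) for f, r in rates.items() if r})
    print("fields over threshold:", result["fieldsOverThreshold"])
```

Run against a day of real sign-ins (with `KEY_FIELDS` set to the fields your detections read), a high null rate confined to the `ADFederationServices` rows points at the federation path rather than at the Graph integration itself, which is where Azure AD Connect Health should be checked.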
Azure Active Directory — Actions/Response ⫘
The Taegis™ XDR Azure AD Actions/Response option is no longer supported. If you want to take actions on your Azure AD accounts, configure Taegis™ XDR Playbooks.
Access to Microsoft data through the Microsoft APIs requires a one-time authorization performed from the Cloud APIs section. The incoming data is then read directly from the corresponding Microsoft API.
During the authorization process, Secureworks® Taegis™ XDR asks you to log in to Azure Active Directory (AAD) as an AAD user who has the ability to grant admin consent for the requisite permissions. The admin consent prompt lists the permissions that this user must be able to grant to the Secureworks® Taegis™ XDR application.
Once authorized, the Secureworks® Taegis™ XDR cloud receives data from your MS cloud-based products directly; this does not involve the Taegis™ XDR Collector.
Authorization is granted by the signed-in AAD (Azure Active Directory) user. Granting admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator. If authorizing an integration appears to have failed, the signed-in AAD user may lack the permissions to grant the requisite level of admin consent. If possible, try again with a user who holds the Global Administrator role in AAD.
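The consent round trip described above, from the relying application's side, as an added example that is not Taegis XDR code: build the v2.0 admin consent URL, interpret the redirect the tenant sends back (granted, declined, or no tenant-wide consent because the signed-in user could not give it), and then confirm through the `appRoleAssignments` of the application's service principal that the application permissions actually granted are exactly the expected set, with nothing missing and nothing extra. The client id, redirect URI, expected permission set, app-role GUIDs and the Graph payload are placeholders constructed for this example; in a real tenant the GUID-to-name map is read from the Microsoft Graph service principal's `appRoles`.

```python
"""Added example (not Taegis XDR code): admin-consent URL, callback parsing,
and post-consent verification of granted app roles. All ids are placeholders."""
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "11111111-1111-1111-1111-111111111111"           # placeholder
REDIRECT_URI = "https://example.invalid/consent/callback"    # placeholder
EXPECTED_APP_ROLES = {"AuditLog.Read.All", "SecurityEvents.Read.All"}  # assumed

def admin_consent_url(tenant="organizations", state="opaque-random-state"):
    """The .default scope asks for every application permission declared on
    the app registration, so the consent prompt lists them all at once."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "scope": "https://graph.microsoft.com/.default"}
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{urlencode(params)}"

def parse_consent_callback(callback_url, expected_state):
    """Classify the redirect back to REDIRECT_URI. The state check comes first:
    a redirect carrying an unexpected state is dropped, whatever else it says."""
    q = {k: v[-1] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch: ignore this redirect"}
    if "error" in q:
        return {"ok": False, "reason": f"{q['error']}: {q.get('error_description', '')}"}
    if q.get("admin_consent", "").lower() != "true":
        return {"ok": False, "reason": "admin_consent flag absent: the signed-in "
                                       "user could not grant tenant-wide consent"}
    return {"ok": True, "tenant": q.get("tenant"), "scope": q.get("scope", "")}

def verify_app_roles(assignments, graph_app_roles, expected=EXPECTED_APP_ROLES):
    """assignments: value[] of GET /servicePrincipals/{id}/appRoleAssignments.
    graph_app_roles: {appRole id -> value} from the Microsoft Graph service
    principal's appRoles, used to translate GUIDs into permission names."""
    granted = {graph_app_roles.get(a["appRoleId"], a["appRoleId"])
               for a in assignments if a.get("resourceDisplayName") == "Microsoft Graph"}
    return {"granted": sorted(granted),
            "missing": sorted(expected - granted),
            "extra": sorted(granted - expected)}

# ---- constructed inputs: a tenant id, three redirects, and a Graph payload ----
TENANT_ID = "22222222-2222-2222-2222-222222222222"
CALLBACK_OK = (f"{REDIRECT_URI}?admin_consent=True&tenant={TENANT_ID}"
               "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&state=opaque-random-state")
CALLBACK_DECLINED = (f"{REDIRECT_URI}?error=access_denied"
                     "&error_description=The+admin+declined+consent&state=opaque-random-state")
CALLBACK_STALE = f"{REDIRECT_URI}?admin_consent=True&tenant={TENANT_ID}&state=some-other-state"

# Illustrative GUID-to-permission map; read the real one from your tenant with
# GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
GRAPH_APP_ROLES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "AuditLog.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000002": "SecurityEvents.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000003": "Directory.Read.All",
}
ASSIGNMENTS = [  # shaped like appRoleAssignment resources; one role is missing, one is extra
    {"id": "x1", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001",
     "resourceDisplayName": "Microsoft Graph", "principalDisplayName": "Example Collector"},
    {"id": "x2", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003",
     "resourceDisplayName": "Microsoft Graph", "principalDisplayName": "Example Collector"},
    {"id": "x3", "appRoleId": "bbbbbbbb-0000-0000-0000-000000000009",
     "resourceDisplayName": "Office 365 Management APIs", "principalDisplayName": "Example Collector"},
]

def run_sample():
    state = "opaque-random-state"
    return {
        "url": admin_consent_url(),
        "ok": parse_consent_callback(CALLBACK_OK, state),
        "declined": parse_consent_callback(CALLBACK_DECLINED, state),
        "stale": parse_consent_callback(CALLBACK_STALE, state),
        "roles": verify_app_roles(ASSIGNMENTS, GRAPH_APP_ROLES),
    }

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The verification step is the part most often skipped: a successful redirect only says that someone consented, not that the resulting grant matches the permission list the integration was designed for. Reading the service principal's assignments back closes that gap and also surfaces permissions granted to the application beyond what it needs.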
Data Provided from Integrations ⫘
Data is provided from the following integrations:
- MS Graph Security
- MS Azure Active Directory Identity Protection
- MS Azure Active Directory
- MS Office 365
Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
More Reading ⫘
- Microsoft Graph Security API whitepaper: An Introduction to the Microsoft Graph Security API.
- Azure AD Audit Log API Overview
- Office 365 Management API
Complete the Link a Partner Process.