
Office 365 and Azure Integration Guide


Secureworks® Taegis™ XDR can ingest data from Microsoft Office 365, the Security Graph, and the Azure AD audit logs through the Office 365 Management API, the Graph Security API, and Microsoft’s Azure AD Audit Log API (part of the Graph API), respectively. Configuration is done in XDR; you must authorize XDR to work with each Microsoft service that you want to integrate. Multiple Microsoft accounts can be monitored for the same service. To set it up, navigate to Integrations > Cloud APIs in XDR.

Manage Azure Integrations

Manage Azure Integrations in XDR

Available Integrations

Existing options for XDR in-app integration with Microsoft Office 365 and Azure Active Directory include the following.

Notes

  • Azure integrations are supported in US and EU regions, but may not be supported by Microsoft in other regions. Contact Microsoft directly to verify their support of services in other regions.
  • Azure Active Directory and Microsoft 365 integrations are available for the global Azure cloud. Other national clouds, such as Azure Government, Azure China 21Vianet, and Azure Germany, are currently not supported.

Office 365 Management API

Note

This integration has been superseded by the new Microsoft Office 365 Management API integration.

The Office 365 Management Activity API provides auditing information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. XDR needs authorization from Azure AD and the Office 365 Management API in order to receive your data.

Important

You must turn on Office 365 audit logging for XDR to receive data from it. Audit logging for Office 365 is off by default. For more information, see Turn Office 365 audit log search on or off.

For more information on the Office 365 Management Activity API, see the Office 365 Management APIs Overview.

Microsoft Graph Security API

The Microsoft Graph Security API provides a federated API to ingest from multiple Microsoft security products. XDR needs authorization to access your Microsoft Graph Security API data. For more information, including the authorization levels required to query information from the Graph Security API, see the Microsoft Graph Authorization Documentation and the Microsoft Graph Security API Overview.

Security Alerts from Graph Security API Alerts Endpoint

Microsoft has implemented security analysis across many different products. XDR retrieves those Microsoft alerts in real time and presents them in XDR as alerts.

These alerts include those from:

Note

Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps.

Alerts are ingested using the Microsoft REST APIs on a polling basis, with new data being requested every minute. For information on data availability, see Office 365 and Azure Data Availability.

Note

XDR relays the alerts provided by the Graph Security API. These alerts do not include the raw telemetry needed for enrichment, context, and proprietary analytics. An alert-only integration provides a single-pane-of-glass view, but not the information required for deep analysis.

The availability of these security products depends on which Microsoft subscriptions and licensing you have and what you have authorized XDR to access. For more information, see https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0.

Note

Some alerts originating from Office 365 may appear in data from both the O365 Management API and the MS Graph Security API integrations.

Azure Active Directory Identity Protection—Risk Detection

You can set up XDR to receive risk detection alerts from your Azure AD account(s). For more information, see Azure AD Identity Protection Risk Detection Overview.

Please note that this requires an Azure AD Premium P1 or P2 license.

Note

Multiple integrations with the same Azure Tenant ID are possible for the Active Directory Identity Protection — Risk Detection integration by giving each Risk Detection integration a unique name.

Azure Active Directory — Monitoring

Note

This integration has been superseded by the Microsoft Azure Active Directory Activity Reports integration.

You can set up XDR to receive security data from your Azure AD account(s). This single integration runs two queries that provide different sets of data: List signIns and Get directoryAudit. Each is listed in the Cloud API Integrations table as a separate entry.

Please note that this requires a Microsoft AAD P1 license. Required permissions are documented on these pages from the Microsoft Graph documentation:

Events are ingested using the Microsoft REST APIs on a polling basis, with new data being requested every minute. Once the data is ingested, it usually takes 30 minutes to appear in XDR, but could take up to an hour.

Note

Where a federated Azure AD environment is in use, AD audit data may contain incomplete (null) values for some fields, which prevents some XDR detections from alerting correctly. It is recommended that clients use AD Connect Health to monitor the health of their AD connections with Azure.

Azure Active Directory — Actions/Response

The XDR Azure AD Actions/Response option is no longer supported. If you want to take actions on your Azure AD accounts, configure XDR Playbooks.

Authorization

Access to Microsoft data in the Microsoft APIs requires a one-time authentication from the Cloud APIs section. The incoming data is then accessed directly from the corresponding Microsoft API.

During the authorization process, XDR asks you to log in to Azure Active Directory (AAD) as an AAD user who has the ability to grant admin consent for the requisite permissions. The admin consent prompt lists the permissions that this user must be able to grant to the XDR application.

Note

Once authorized, the XDR cloud receives data from your MS cloud-based products directly; this does not involve the Taegis™ XDR Collector.

Note

Authorization is granted by the logged-in AAD (Azure Active Directory) user. Granting admin consent requires you to sign in as a global administrator, an application administrator, or a cloud application administrator. If authorizing an integration appears to have failed, your logged-in AAD user may lack the permissions needed to grant the requisite level of admin consent. If possible, try again with a user who holds the global administrator role in AAD.

Data Provided from Integrations

Data categories provided by each integration (categories with no entry are not provided by that source):

  • MS Graph Security: CloudAudit (V), Thirdparty (V)
  • MS Azure Active Directory Identity Protection: CloudAudit (V), Thirdparty (V)
  • MS Azure Active Directory: Auth (Y), CloudAudit (Y)
  • MS Office 365: Auth (D, V), CloudAudit (V), Thirdparty (V)

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

More Reading

Follow-On

Complete the Link a Partner Process.
