I have the Microsoft Graph alert source set up but I am not seeing alerts from a specific source.
Check the "Acknowledged alert sources" list within the "Microsoft Graph" alert source to confirm that every alert source you expect has been selected.
To update this, go to the Alert Sources page under Integrations in Red Canary and select the Microsoft Graph alert source. Click the blue "Edit Configuration" button on the top right of the page to open the configuration window.
NOTE: You can remove the checkmark for a specific alert source to stop receiving these alerts in Red Canary. Select the "Save Configuration" button at the bottom of the screen to save this change.
You will also want to make sure you have your Azure Global Administrator approve the "Consent Link" in the Microsoft Graph alert source configuration. Be sure to click on the "Consent Link" and approve the permissions request.
NOTE: Alert ingestion is NOT retroactive. Once the Microsoft Graph alert source is configured, only NEW alerts will be sent to Red Canary. Red Canary will not retroactively pull down old alerts that were present prior to the Microsoft Graph configuration. Please check your alert sources to confirm whether any new/current alerts have arrived since you configured your Microsoft Graph alert source.
NOTE: Prerequisites may apply for certain Microsoft-specific alert sources.
- For Defender for Identity or Azure Active Directory Identity Protection, see Integrating Defender for Identity and Azure AD Identity Protection Alerts.
- For Microsoft Cloud App Security (MCAS), see Microsoft Cloud App Security overview.
- For Office 365 Security and Compliance Center, see Security & Compliance Center.