Skip to main content
Red Canary help

Integrate Microsoft Graph v2 with Red Canary

  • Updated .

This article leads you through the process of integrating Microsoft Graph v2 with Red Canary. Follow the procedure from beginning to end. 

With this integration, Microsoft customers can ingest data from the following Microsoft products:
  • Azure Active Directory Identity Protection v2
  • Microsoft 365 Defender v2
  • Microsoft Defender for Cloud Apps v2
  • Microsoft Defender for Endpoint v2
  • Microsoft Defender for Identity v2
  • Microsoft Defender for Office 365 v2

Required Microsoft licenses

mceclip3.png

Red Canary Microsoft Sentinel integration requirements

Required Microsoft licenses

For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.

Step 1: Red Canary–Input your Microsoft Graph v2 information

Enter your Microsoft Azure information into Red Canary to start sending your alerts.

  1. From your Red Canary homepage, click Integrations.

  2. From the Integrations section, locate and then click the security product you want to integrate with Red Canary. 

    Note: If you do not see your security product listed, click See all integrations

  3. In the search bar, type and then select your third-party security source.

  4. Continue onto the next step by configuring your third-party security source in Red Canary.
    Note: Your third-party security source may require that you contact Red Canary to configure.

  5. Click Edit Configuration.
  6. Enter a Name for your external alert source.  
  7. Select a Display Category. The display category is solely help you to distinguish, at a glance, where a product fits into your environment. It does not affect the configuration.
  8. Under the Ingest Format/Method dropdown, select Microsoft Graph v2 via API Poll.
  9. Enter your Microsoft Tenant ID.
  10. Click Save Configuration.
  11. Click Edit Configuration.
  12. Under the Permissions section, click the Microsoft consent link.
    2.png

Step 2: Microsoft Graph V2–Grant Red Canary access to Microsoft Graph v2

Confirm that the Red Canary enterprise application has been configured in your Microsoft Graph v2 account.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. Click Accept. (Note: be sure your Azure Global Administrator clicks the Consent Link)
    3.png

Note: For more information about Microsoft permissions, click here.

Step 3: Red Canary–Activate your Microsoft Graph v2 alert source

Enable your new Microsoft Graph v2 alert source in Red Canary.

  1. From the Red Canary homepage, click Integrations.
  2. Scroll down, and then select your third-party security source.
  3. Click Edit Configuration.
  4. With all of the required permission settings completed, select Confirm Microsoft Microsoft Graph v2 API Access Granted.
    4.png
  5. Click Save Configuration.
  6. Click Edit Configuration.
  7. Click Activate.

Note: When activating a Graph v2 alert source, any prior legacy versions of the these APIs will be automatically disabled. These will be kept in a disabled state as there is an active issue with External Alert Source deletion. When deleting an External Alert Source please note that all Alerts and data associated with that source will be removed as well. Red Canary recommends keeping legacy sources in a disabled state to retain any data of interest. 

Comments

0 comments

Please sign in to leave a comment.