
Integrate Microsoft Graph Security API V2

You can integrate Microsoft Graph Security with Sophos Central so that it sends alerts to Sophos for analysis.

This page provides an overview of the integration.

Microsoft Graph Security

Microsoft Graph Security is a unified gateway that consolidates security information from a range of Microsoft products and services through API Version 2 (also known as the Alerts and Incidents API). This replaces the alert endpoint that Microsoft previously provided.

Depending on the type of Microsoft license the customer holds (for example E5), we ingest the full alerts that are escalated to Graph API security alerts from the following security telemetry sources.

  • Microsoft Entra ID Protection
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Insider Risk Management

Note

We don't ingest data for risky users, risky service principals, or service principal risk events in Entra ID. Doing so would require ingesting Entra ID event logs, which Sophos XDR and MDR don't currently support. For information on Entra ID event log ingestion, see the ITDR integration guide in the Sophos documentation.

What we ingest

Example alerts include:

  • Hidden file execution detected
  • Attempt to run Linux commands on a Windows App Service
  • Suspicious password access
  • Website flagged as malicious in a threat intelligence feed
  • Suspicious behavior detected using the useradd command
  • Possible attack tool detected
  • Possible credential access tool detected

Full alert ingestion

We ingest alerts from the microsoft.graph.security namespace of MS Graph Security. For full documentation, see the alert resource type.

Data filtering

Other than confirming that the API response is in the expected format, no filtering is applied.

Threat mapping examples

Alert mapping is derived from the title field returned with the alert.

{"alertType":"Access from an unusual location to a storage blob container", "threatId":"T1530", "threatName":"Data from Cloud Storage Object"}
{"alertType":"Detected Petya ransomware indicators", "threatId":"T1486", "threatName":"Data Encrypted for Impact"}
{"alertType":"Suspicious WordPress theme invocation detected", "threatId":"T1102", "threatName":"Web Service"}
{"alertType":"Suspicious PHP execution detected", "threatId":"T1203", "threatName":"Exploitation for Client Execution"}
{"alertType":"Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId":"T1105", "threatName":"Ingress Tool Transfer"}
{"alertType":"Executable found running from a suspicious location", "threatId":"T1203", "threatName":"Exploitation for Client Execution"}
{"alertType":"Access from a TOR exit node to a Key Vault", "threatId":"T1090.003", "threatName":"Multi-hop Proxy"}
{"alertType":"Suspicious spike in API traffic from a single IP address to an API endpoint", "threatId":"TA0001", "threatName":"Initial Access"}
{"alertType":"Access from a suspicious IP to a storage file share", "threatId":"T1526", "threatName":"Cloud Service Discovery"}
{"alertType":"Unusual number of files extracted from a storage file share", "threatId":"TA0010", "threatName":"Exfiltration"}
{"alertType":"Unusual application accessed a storage file share", "threatId":"TA0001", "threatName":"Initial Access"}
{"alertType":"Unusual amount of data extracted from a storage blob container", "threatId":"TA0010", "threatName":"Exfiltration"}
{"alertType":"Access from an unusual location", "threatId":"TA0005", "threatName":"Defense Evasion"}
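The two steps described above (accept an alert only if its format is as expected, then map its title to a threat ID and name) as an added example in Python; this is not Sophos' own code. It assumes the response shape of GET /security/alerts_v2 (a `value` array of alert objects), a required-field set chosen for the example, and a mapping table copied from the examples on this page; unknown titles are kept with no mapping rather than dropped.

```python
import json
from typing import Optional

# Title -> (threatId, threatName), copied from the mapping examples on this page.
TITLE_TO_THREAT = {
    "Detected Petya ransomware indicators": ("T1486", "Data Encrypted for Impact"),
    "Access from a TOR exit node to a Key Vault": ("T1090.003", "Multi-hop Proxy"),
    "Unusual amount of data extracted from a storage blob container": ("TA0010", "Exfiltration"),
    "Access from an unusual location": ("TA0005", "Defense Evasion"),
}
# Fields a v2 alert must carry to pass the "format as expected" check (assumed set); nothing else is filtered.
REQUIRED_FIELDS = ("id", "title", "severity", "createdDateTime")

def validate_alert(alert: dict) -> bool:
    """True if every required field is present as a non-empty string."""
    return all(isinstance(alert.get(f), str) and alert[f] for f in REQUIRED_FIELDS)

def map_alert(alert: dict) -> Optional[dict]:
    """Validate one alert and map its title to a threat; unmapped titles are kept with threatId None."""
    if not validate_alert(alert):
        return None
    threat_id, threat_name = TITLE_TO_THREAT.get(alert["title"].strip(), (None, None))
    return {"alertId": alert["id"], "title": alert["title"], "severity": alert["severity"],
            "threatId": threat_id, "threatName": threat_name}

def map_response(body: str):
    """Parse a /security/alerts_v2 response body; returns (mapped alerts, number rejected)."""
    alerts = json.loads(body).get("value")
    if not isinstance(alerts, list):
        raise ValueError("response body has no 'value' array")
    mapped, rejected = [], 0
    for entry in alerts:
        result = map_alert(entry) if isinstance(entry, dict) else None
        if result is None:
            rejected += 1          # malformed entry: fails the format check, not ingested
        else:
            mapped.append(result)
    return mapped, rejected

# Constructed sample response; ids and timestamps are placeholders, not real tenant data.
SAMPLE_BODY = json.dumps({"value": [
    {"id": "alert-0001", "title": "Detected Petya ransomware indicators",
     "severity": "high", "createdDateTime": "2024-01-01T00:00:00Z"},
    {"id": "alert-0002", "title": "Some title this table does not know",
     "severity": "medium", "createdDateTime": "2024-01-01T00:00:01Z"},
    {"id": "alert-0003", "title": "Access from an unusual location", "severity": "low"},
]})
```

Calling `map_response(SAMPLE_BODY)` returns two mapped alerts (the unknown title with `threatId` None) and one rejected entry, the alert missing `createdDateTime`.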

Vendor documentation