Integrate MS Graph security API V2

  • Recommendation


    These instructions are for MS Graph security API V2, which uses the Alerts V2 service (Alerts and incidents). See Alerts and incidents.

    MS Graph security API V2 will eventually replace MS Graph security API Legacy, which uses the legacy alerts service.

    The specific alerts returned and products available may depend on your Microsoft licensing level. For advice, contact your Microsoft representative.

    We recommend that you configure integrations for both MS Graph security API V2 and MS Graph security API Legacy, and run them together, until Microsoft confirms plans for End of Life of the legacy version.

You can integrate Microsoft Graph security to add alerts to the Sophos Data Lake. This lets you query Microsoft Graph data with Sophos Live Discover.

Requirements

You must be a Microsoft 365 administrator.

You must have access to Microsoft Defender XDR features. For licenses that give you this access, see Microsoft Defender XDR prerequisites.

Configure an integration

To integrate Microsoft Graph security with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Microsoft - Graph Security API V2.

    The Microsoft - Graph Security API V2 page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.

  4. In Integration steps, do as follows:

    1. Enter the Integration name and Integration description.
    2. Click Save and continue.
  5. Read the text in Connect to Microsoft 365, then click Continue.

    You're connected to Microsoft 365 to create an application that integrates with Sophos Central.

  6. Enter or select your Microsoft account and sign in.

    Pick an account.

  7. You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.

    Permissions request.

  8. If prompted, select the Microsoft account to use.

  9. You're prompted to give permissions to the newly created Sophos XDR - Security alerts app so that it can run and pass MS Graph data to Sophos. Click Accept.

    Permissions request.

  10. You see confirmation that the app is set up. Click Close.

    Connected successfully message.

  11. If this is your first integration using MS Graph Alerts and incidents, you might need to provision the alerts service with Microsoft Defender to avoid authorization issues.

    Go to https://security.microsoft.com/alerts. You may see the message below. Provisioning may take an hour. You can then view new alerts and the alerts service will work.

    See the thread titled "I can run legacy alert API (/v1.0/security/alerts) successfully and can get result. But when I run new alert API(/v1.0/security/alerts_v2), it returns null."
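As an added example, not code from this page, from Sophos or from Microsoft: a small Python client that pages through the alerts_v2 collection and applies the check behind step 11 (the legacy /v1.0/security/alerts endpoint returning alerts while /v1.0/security/alerts_v2 returns nothing indicates the Alerts and incidents service has not been provisioned yet). It assumes you already hold a Microsoft Graph bearer token issued to your own app registration; the token source (a `GRAPH_TOKEN` environment variable), the helper names (`http_get_json`, `iter_alerts`, `provisioning_status`, `summarize`) and the sample response pages are all constructed here, while the endpoint URLs are the ones named on this page.

```python
"""Check alerts_v2 provisioning and page through Graph security alerts.

Added example, not Sophos or Microsoft code. Assumes a Graph bearer token
for an app registration you control (hypothetical GRAPH_TOKEN env var).
"""
import json
import os
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, Iterator

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
LEGACY_ALERTS = f"{GRAPH_BASE}/security/alerts"     # legacy alerts service
ALERTS_V2 = f"{GRAPH_BASE}/security/alerts_v2"      # Alerts and incidents service

# A fetcher takes (url, token) and returns the decoded JSON page.
Fetcher = Callable[[str, str], dict]


def http_get_json(url: str, token: str) -> dict:
    """Real fetcher: GET a Graph URL with the bearer token and decode JSON."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_alerts(url: str, token: str, fetch: Fetcher = http_get_json) -> Iterator[dict]:
    """Yield every alert in a collection, following @odata.nextLink pages.

    A missing or null "value" (the symptom described in step 11) yields nothing
    instead of raising, so callers can treat it as "no alerts returned".
    """
    next_url = url
    while next_url:
        page = fetch(next_url, token)
        for alert in page.get("value") or []:
            yield alert
        next_url = page.get("@odata.nextLink")


def provisioning_status(token: str, fetch: Fetcher = http_get_json) -> str:
    """Compare both endpoints: legacy has alerts but alerts_v2 has none -> not provisioned."""
    legacy = list(iter_alerts(LEGACY_ALERTS, token, fetch))
    v2 = list(iter_alerts(ALERTS_V2, token, fetch))
    if v2:
        return "provisioned"
    if legacy:
        return "not-provisioned"
    return "inconclusive"  # neither service returned alerts, so nothing to compare


def summarize(alerts: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Count alerts by severity and by the Defender product that raised them."""
    alerts = list(alerts)
    return {
        "severity": dict(Counter(a.get("severity", "unknown") for a in alerts)),
        "serviceSource": dict(Counter(a.get("serviceSource", "unknown") for a in alerts)),
    }


# Constructed sample pages (not real tenant data): one legacy page and a
# two-page alerts_v2 collection joined by @odata.nextLink.
SAMPLE_PAGES = {
    LEGACY_ALERTS: {"value": [{"id": "legacy-1", "severity": "medium"}]},
    ALERTS_V2: {
        "value": [
            {"id": "v2-1", "severity": "high", "serviceSource": "microsoftDefenderForEndpoint"},
            {"id": "v2-2", "severity": "medium", "serviceSource": "microsoftDefenderForOffice365"},
        ],
        "@odata.nextLink": f"{ALERTS_V2}?$skiptoken=constructed-page-2",
    },
    f"{ALERTS_V2}?$skiptoken=constructed-page-2": {
        "value": [{"id": "v2-3", "severity": "high", "serviceSource": "microsoftDefenderForEndpoint"}]
    },
}


def sample_fetch(url: str, token: str) -> dict:
    """Offline fetcher that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def demo():
    """Run the check and summary against the constructed pages."""
    token = "constructed-token"
    return provisioning_status(token, sample_fetch), summarize(iter_alerts(ALERTS_V2, token, sample_fetch))


if __name__ == "__main__":
    real_token = os.environ.get("GRAPH_TOKEN")  # hypothetical: set to a real Graph token
    if real_token:
        print(provisioning_status(real_token))
        print(summarize(iter_alerts(ALERTS_V2, real_token)))
    else:
        print(demo())
```

Run it with no environment set to see the offline demo; with `GRAPH_TOKEN` set it queries both live endpoints. Keeping the fetcher injectable is what lets the provisioning logic be exercised without a tenant, and the same `iter_alerts` loop is the one you need anyway once the collection exceeds a single page.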

In Sophos Central, in Integrations > Microsoft - Graph Security API V2, you see the new integration.

About five minutes after the data shows as available in the Microsoft Defender security center, the Microsoft app synchronizes Sophos Data Lake with Microsoft Graph for the first time.

Sophos Data Lake is now receiving Microsoft Graph security alerts.