Skip to content
Find out how we support MDR.

MS Graph security API V2 integration

You can integrate Microsoft Graph security API with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Microsoft Graph security

Microsoft Graph security is a unified gateway that consolidates security insights from various Microsoft products and services via version 2 of the API, also called the Alerts and incidents API. This replaces the previous Alerts (legacy) endpoint provided by Microsoft.

We recommend that you configure Sophos integrations for both Integrate MS Graph security API V2 and MS Graph security API (Legacy), and run them together, until Microsoft confirms plans for End of Life of the legacy version.

Depending on the customer's underlying Microsoft license (for example, E5), we'll ingest data via the Graph API from the following security telemetry sources:

  • Microsoft Entra ID Protection
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Purview Data Loss Prevention

Sophos documents

What we ingest

Sample alerts we see:

  • Hidden file execution detected
  • An attempt to run Linux commands on a Windows App Service
  • Suspicious password access
  • Website is tagged as malicious in threat intelligence feed
  • Detected suspicious use of the useradd command
  • Possible attack tool detected
  • Possible credential access tool detected

Alerts ingested in full

We ingest alerts from MS Graph security in the namespace. For full documentation, see alert resource type.


No filters are applied except to confirm that the format returned from the API is as expected.

Sample threat mappings

Alert mapping is from the title field returned in the alert.

{"alertType": "Access from an unusual location to a storage blob container", "threatId": "T1530", "threatName": "Data from Cloud Storage Object"}
{"alertType": "Detected Petya ransomware indicators", "threatId": "T1486", "threatName": "Data Encrypted for Impact"}
{"alertType": "Suspicious WordPress theme invocation detected", "threatId": "T1102", "threatName": "Web Service"}
{"alertType": "Suspicious PHP execution detected", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId": "T1105", "threatName": "Ingress Tool Transfer"}
{"alertType": "Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId": "T1105", "threatName": "Ingress Tool Transfer"}
{"alertType": "Executable found running from a suspicious location", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Access from a TOR exit node to a Key Vault", "threatId": "T1090.003", "threatName": "Multi-hop Proxy"}
{"alertType": "Suspicious spike in API traffic from a single IP address to an API endpoint", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Access from a suspicious IP to a storage file share", "threatId": "T1526", "threatName": "Cloud Service Discovery"}
{"alertType": "Unusual number of files extracted from a storage file share", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Unusual application accessed a storage file share", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Unusual amount of data extracted from a storage blob container", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Access from an unusual location", "threatId": "TA0005", "threatName": "Defense Evasion"}

Vendor documentation