
Microsoft Graph Security

API

You can integrate Microsoft Graph Security to add alerts to the Sophos Data Lake. This lets you query Microsoft Graph data with Sophos Live Discover.

You must be a Microsoft 365 administrator.

Configure an integration

To integrate Microsoft Graph with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Microsoft - Graph Security API.

    The Microsoft - Graph Security API page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, do as follows:

    1. Enter the Integration name and Integration description.
  5. Click Save and continue.

  6. Read the text in Connect to Microsoft 365 then click Continue.

    You're connected to Microsoft 365 to create an application which integrates with Sophos Central.

  7. Enter or select your Microsoft account and sign in.


  8. You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.


  9. If prompted, select the Microsoft account to use.

  10. You're prompted to give permissions to the newly-created Sophos XDR - Security alerts app so that it can run and pass MS Graph Data to Sophos. Click Accept.


  11. You see confirmation that the app is set up. Click Close.


In Sophos Central, in Integrations > Microsoft - Graph Security API, you see the new integration.

After about five minutes, the Microsoft app synchronizes Sophos Data Lake with Microsoft Graph for the first time.

Sophos Data Lake is now receiving Microsoft Graph Security alerts.