
MS Graph Security API V2

You can integrate Palo Alto PAN-API with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives an overview of the integration.

Microsoft Graph Security

Microsoft Graph Security is a unified gateway that consolidates security insights from a range of Microsoft products and services through API version 2 (also known as the Alerts and Incidents API). It replaces the legacy alerts endpoint that Microsoft previously provided.

We recommend that you configure Sophos integrations for both MS Graph Security API V2 and MS Graph Security API (Legacy) and run them side by side until Microsoft confirms an end-of-life plan for the legacy version.

Depending on the customer's underlying Microsoft licensing (for example, E5), we pull data through the Graph API from the following security telemetry sources:

  • Microsoft Entra ID consent
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Purview Data Loss Prevention

Sophos documentation

What we ingest

Sample alerts we see:

  • Hidden file execution detected
  • Attempt to run Linux commands on a Windows App Service
  • Suspicious password access
  • Website flagged as malicious in a threat intelligence feed
  • Suspicious use of the useradd command detected
  • Possible attack tool detected
  • Possible credential access tool detected

Alerts ingested in full

We ingest MS Graph Security alerts from the microsoft.graph.security namespace. For the full documentation, see the alert resource type.

Filtering

No filters are applied other than checking that the format returned by the API matches what is expected.

Threat mapping examples

Alert mapping is derived from the title field returned in the alert.

{"alertType": "Access from an unusual location to a storage blob container", "threatId": "T1530", "threatName": "Data from Cloud Storage Object"}
{"alertType": "Detected Petya ransomware indicators", "threatId": "T1486", "threatName": "Data Encrypted for Impact"}
{"alertType": "Suspicious WordPress theme invocation detected", "threatId": "T1102", "threatName": "Web Service"}
{"alertType": "Suspicious PHP execution detected", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId": "T1105", "threatName": "Ingress Tool Transfer"}
{"alertType": "Executable found running from a suspicious location", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Access from a TOR exit node to a Key Vault", "threatId": "T1090.003", "threatName": "Multi-hop Proxy"}
{"alertType": "Suspicious spike in API traffic from a single IP address to an API endpoint", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Access from a suspicious IP to a storage file share", "threatId": "T1526", "threatName": "Cloud Service Discovery"}
{"alertType": "Unusual number of files extracted from a storage file share", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Unusual application accessed a storage file share", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Unusual amount of data extracted from a storage blob container", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Access from an unusual location", "threatId": "TA0005", "threatName": "Defense Evasion"}
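The two steps described above, the format check that is the only filtering applied and the title-based threat mapping, as one added example; this is illustrative code written for this page, not Sophos' integration code. The required-field subset, the constructed sample alert and the fallback to the alert's own mitreTechniques list are assumptions of the example; the title-to-threat table is taken from the mapping examples listed above.

```python
"""Validate the shape of a microsoft.graph.security alert, then map its
title to a MITRE ATT&CK technique the way the page describes."""
import json

# Title -> (threatId, threatName); entries copied from the examples on this page.
TITLE_TO_THREAT = {
    "Access from an unusual location to a storage blob container": ("T1530", "Data from Cloud Storage Object"),
    "Detected Petya ransomware indicators": ("T1486", "Data Encrypted for Impact"),
    "Access from a TOR exit node to a Key Vault": ("T1090.003", "Multi-hop Proxy"),
    "Unusual amount of data extracted from a storage blob container": ("TA0010", "Exfiltration"),
    "Access from an unusual location": ("TA0005", "Defense Evasion"),
}

# Fields (and types) an alert must carry to pass the format check.
# Assumption for this example: a small subset of the alert resource type.
REQUIRED_FIELDS = {"id": str, "title": str, "severity": str,
                   "serviceSource": str, "createdDateTime": str}

def validate_alert(alert):
    """Return a list of format problems; an empty list means the alert passes."""
    problems = []
    for field, typ in REQUIRED_FIELDS.items():
        if field not in alert:
            problems.append(f"missing field: {field}")
        elif not isinstance(alert[field], typ):
            problems.append(f"wrong type for {field}: {type(alert[field]).__name__}")
    if "mitreTechniques" in alert and not isinstance(alert["mitreTechniques"], list):
        problems.append("mitreTechniques must be a list")
    return problems

def map_threat(alert):
    """Map by title first; otherwise fall back to the technique IDs Microsoft
    attached to the alert (assumed fallback), or None when nothing matches."""
    hit = TITLE_TO_THREAT.get(alert.get("title", ""))
    if hit:
        return {"threatId": hit[0], "threatName": hit[1], "source": "title"}
    techniques = alert.get("mitreTechniques") or []
    if techniques:
        return {"threatId": techniques[0], "threatName": None, "source": "mitreTechniques"}
    return None

def process(raw_json):
    """Parse one alert as returned by the API, reject malformed ones, map the rest."""
    alert = json.loads(raw_json)
    problems = validate_alert(alert)
    if problems:
        return {"status": "rejected", "problems": problems}
    return {"status": "mapped", "title": alert["title"], "threat": map_threat(alert)}

# Constructed sample alert for demonstration; not real API output.
SAMPLE = json.dumps({"id": "example-alert-1", "title": "Access from a TOR exit node to a Key Vault",
                     "severity": "medium", "serviceSource": "microsoftDefenderForCloud",
                     "createdDateTime": "2024-01-01T00:00:00Z", "mitreTechniques": ["T1090.003"]})
```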

Vendor documentation