
MS Graph Security API V2

You can integrate Microsoft Graph Security with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives an overview of the integration.

Microsoft Graph Security

Microsoft Graph Security is a unified gateway that consolidates security insights from a range of Microsoft products and services through version 2 of the API (also known as the alerts and incidents API). It replaces the "Alerts (legacy)" endpoint that Microsoft previously provided.

Depending on the underlying Microsoft licence the customer holds (for example E5), we ingest data through the Graph API from the following security telemetry sources:

  • Microsoft Entra ID Protection
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Insider Risk Management

Sophos documentation

What data is ingested

Examples of alerts we see:

  • Hidden file execution detected
  • Attempt to run Linux commands on a Windows App Service
  • Suspicious password access
  • Website flagged as malicious in threat intelligence feeds
  • Suspicious use of the useradd command detected
  • Possible attack tool detected
  • Possible credential access tool detected

Alerts ingested in full

We receive alerts from Microsoft Graph Security under the microsoft.graph.security namespace. For full documentation, see the alert resource type.

Data filtering

No filter is applied beyond confirming that the format returned by the API is as expected.

Threat mapping examples

Alert mapping is derived from the title field returned in the alert.

{"alertType": "Access from an unusual location to a storage blob container", "threatId": "T1530", "threatName": "Data from Cloud Storage Object"}
{"alertType": "Detected Petya ransomware indicators", "threatId": "T1486", "threatName": "Data Encrypted for Impact"}
{"alertType": "Suspicious WordPress theme invocation detected", "threatId": "T1102", "threatName": "Web Service"}
{"alertType": "Suspicious PHP execution detected", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId": "T1105", "threatName": "Ingress Tool Transfer"}
{"alertType": "Executable found running from a suspicious location", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Access from a TOR exit node to a Key Vault", "threatId": "T1090.003", "threatName": "Multi-hop Proxy"}
{"alertType": "Suspicious spike in API traffic from a single IP address to an API endpoint", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Access from a suspicious IP to a storage file share", "threatId": "T1526", "threatName": "Cloud Service Discovery"}
{"alertType": "Unusual number of files extracted from a storage file share", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Unusual application accessed a storage file share", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Unusual amount of data extracted from a storage blob container", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Access from an unusual location", "threatId": "TA0005", "threatName": "Defense Evasion"}
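The title-based mapping above, worked as an added example (not Sophos code): the function checks that an alert has the expected shape, which is the only filtering the integration applies, then resolves the title against a constructed subset of the mapping table. Exact matching matters because one title on this page ("Access from an unusual location") is a prefix of another; the `severity`, `createdDateTime` and `mitreTechniques` fields are from the microsoft.graph.security alert resource, and the sample alerts are constructed.

```python
from typing import Any, Dict, Optional, Tuple

# Constructed subset of the title -> ATT&CK mapping records listed above.
TITLE_TO_THREAT: Dict[str, Tuple[str, str]] = {
    "Access from an unusual location to a storage blob container": ("T1530", "Data from Cloud Storage Object"),
    "Detected Petya ransomware indicators": ("T1486", "Data Encrypted for Impact"),
    "Access from a TOR exit node to a Key Vault": ("T1090.003", "Multi-hop Proxy"),
    "Access from an unusual location": ("TA0005", "Defense Evasion"),
}

# Fields every microsoft.graph.security alert is expected to carry, with their types.
REQUIRED_FIELDS = {"id": str, "title": str, "severity": str, "createdDateTime": str}


def is_well_formed(alert: Dict[str, Any]) -> bool:
    """Format check only: each required field is present and has the expected type."""
    return all(isinstance(alert.get(k), t) for k, t in REQUIRED_FIELDS.items())


def map_alert(alert: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Return an alertType/threatId/threatName record like those shown on this page.

    Matching is exact (after trimming whitespace), so the blob-container title
    does not collapse onto the shorter "Access from an unusual location" entry.
    Unknown titles are kept, not dropped: fall back to the first technique the
    alert itself carries in mitreTechniques, else leave threatId unmapped.
    """
    if not is_well_formed(alert):
        raise ValueError("alert does not match the expected microsoft.graph.security format")
    title = alert["title"].strip()
    hit: Tuple[Optional[str], Optional[str]] = TITLE_TO_THREAT.get(title, (None, None))
    if hit[0] is None:
        techniques = alert.get("mitreTechniques") or []
        hit = (techniques[0], None) if techniques else (None, None)
    return {"alertType": title, "threatId": hit[0], "threatName": hit[1]}


# Constructed sample alerts (not real Graph output); "..." timestamps are placeholders.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Detected Petya ransomware indicators", "severity": "high", "createdDateTime": "2024-01-01T00:00:00Z"},
    {"id": "a2", "title": "Access from an unusual location to a storage blob container", "severity": "medium", "createdDateTime": "..."},
    {"id": "a3", "title": "Detection not in the mapping table", "severity": "medium", "createdDateTime": "...", "mitreTechniques": ["T1059.001"]},
    {"id": "a4", "title": "Another unmapped detection", "severity": "low", "createdDateTime": "..."},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(map_alert(a))
```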

Vendor documentation