MS Graph Security API V2 integration
You can integrate Microsoft Graph Security with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives an overview of the integration.
Microsoft Graph Security
Microsoft Graph Security is a unified portal that brings together security information from a range of Microsoft products and services through API Version 2 (also called the Alerts and Incidents API). It replaces the Alert endpoint that Microsoft previously offered.
Depending on the Microsoft license type the customer uses (for example E5), we ingest the full alerts that are escalated to Graph API security alerts from the following security telemetry sources.
- Microsoft Entra ID Protection
- Microsoft 365 Defender
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Purview Data Loss Prevention
- Microsoft Purview Insider Risk Management
Note
We do not ingest risky users, risky service principals, or service principal risk events from Entra ID. That requires ingesting Entra ID event logs, which Sophos XDR and MDR do not currently support. For information on Entra ID event log ingestion, see the ITDR integration guide.
What we ingest
Example alerts include:
- Hidden file execution detected
- Attempt to run Linux commands on a Windows App Service
- Suspicious password access
- Website marked as malicious in threat intelligence sources
- Suspicious behavior using the useradd command detected
- Possible attack tool detected
- Possible credential access tool detected
Full alert ingestion
We ingest alerts from the microsoft.graph.security namespace of MS Graph Security. For full documentation, see the alert resource type.
Data filtering
Apart from confirming that the API returns data in the expected format, no further filtering is applied.
Threat mapping examples
The alert mapping is derived from the title field returned in the alert.
{"alertType": "Access from an unusual location to a storage blob container", "threatId": "T1530", "threatName": "Data from Cloud Storage Object"}
{"alertType": "Detected Petya ransomware indicators", "threatId": "T1486", "threatName": "Data Encrypted for Impact"}
{"alertType": "Suspicious WordPress theme invocation detected", "threatId": "T1102", "threatName": "Web Service"}
{"alertType": "Suspicious PHP execution detected", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Unusually large response payload transmitted between a single IP address and an API endpoint", "threatId": "T1105", "threatName": "Ingress Tool Transfer"}
{"alertType": "Executable found running from a suspicious location", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Access from a TOR exit node to a Key Vault", "threatId": "T1090.003", "threatName": "Multi-hop Proxy"}
{"alertType": "Suspicious spike in API traffic from a single IP address to an API endpoint", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Access from a suspicious IP to a storage file share", "threatId": "T1526", "threatName": "Cloud Service Discovery"}
{"alertType": "Unusual number of files extracted from a storage file share", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Unusual application accessed a storage file share", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Unusual amount of data extracted from a storage blob container", "threatId": "TA0010", "threatName": "Exfiltration"}
{"alertType": "Access from an unusual location", "threatId": "TA0005", "threatName": "Defense Evasion"}
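The following Python is an added example, not Sophos's or Microsoft's own code, that puts the two steps described above side by side: the format check from the "Data filtering" section (accept an alert only if it has the expected shape, filter nothing else) and the title-based threat mapping from the examples listed here. The mapping table is filled from the examples on this page; the field names id, title, severity and createdDateTime and the @odata.type value are assumed as a minimal subset of the microsoft.graph.security.alert resource, and the sample collection response is constructed. It also handles the two cases the examples do not show: a title with no mapping yet, and a malformed item inside an otherwise valid page.

```python
import json
from typing import Optional

# Title -> (threatId, threatName), taken from the mapping examples on this page.
TITLE_TO_THREAT = {
    "Access from an unusual location to a storage blob container": ("T1530", "Data from Cloud Storage Object"),
    "Detected Petya ransomware indicators": ("T1486", "Data Encrypted for Impact"),
    "Suspicious WordPress theme invocation detected": ("T1102", "Web Service"),
    "Suspicious PHP execution detected": ("T1203", "Exploitation for Client Execution"),
    "Unusually large response payload transmitted between a single IP address and an API endpoint":
        ("T1105", "Ingress Tool Transfer"),
    "Executable found running from a suspicious location": ("T1203", "Exploitation for Client Execution"),
    "Access from a TOR exit node to a Key Vault": ("T1090.003", "Multi-hop Proxy"),
    "Suspicious spike in API traffic from a single IP address to an API endpoint": ("TA0001", "Initial Access"),
    "Access from a suspicious IP to a storage file share": ("T1526", "Cloud Service Discovery"),
    "Unusual number of files extracted from a storage file share": ("TA0010", "Exfiltration"),
    "Unusual application accessed a storage file share": ("TA0001", "Initial Access"),
    "Unusual amount of data extracted from a storage blob container": ("TA0010", "Exfiltration"),
    "Access from an unusual location": ("TA0005", "Defense Evasion"),
}

# Assumption: a minimal subset of the microsoft.graph.security.alert resource is enough
# to decide "this looks like an alert"; the real resource carries many more properties.
REQUIRED_STRING_FIELDS = ("id", "title", "severity", "createdDateTime")
EXPECTED_ODATA_TYPE = "#microsoft.graph.security.alert"  # assumed type annotation


class AlertFormatError(ValueError):
    """Raised when a payload does not have the shape of a Graph Security v2 alert."""


def validate_alert(alert: object) -> dict:
    """Format check only: confirm the shape, apply no content filtering."""
    if not isinstance(alert, dict):
        raise AlertFormatError("alert is not a JSON object")
    missing = [f for f in REQUIRED_STRING_FIELDS
               if not isinstance(alert.get(f), str) or not alert[f]]
    if missing:
        raise AlertFormatError(f"missing or non-string fields: {missing}")
    odata_type = alert.get("@odata.type")
    if odata_type is not None and odata_type != EXPECTED_ODATA_TYPE:
        raise AlertFormatError(f"unexpected @odata.type {odata_type!r}")
    return alert


def map_threat(title: str) -> Optional[dict]:
    """Look the alert title up in the mapping table; None when no mapping exists yet."""
    hit = TITLE_TO_THREAT.get(title.strip())
    if hit is None:
        return None
    return {"alertType": title.strip(), "threatId": hit[0], "threatName": hit[1]}


def normalize_alert(alert: dict) -> dict:
    """Validate one alert and attach the threat mapping derived from its title."""
    alert = validate_alert(alert)
    threat = map_threat(alert["title"])
    return {
        "id": alert["id"],
        "severity": alert["severity"],
        "createdDateTime": alert["createdDateTime"],
        "threatId": threat["threatId"] if threat else None,
        "threatName": threat["threatName"] if threat else None,
        "mapped": threat is not None,
    }


def normalize_page(raw_json: str) -> dict:
    """Process a Graph collection response ({"value": [...]}); malformed items are
    reported separately instead of discarding the whole page."""
    body = json.loads(raw_json)
    items = body.get("value") if isinstance(body, dict) else None
    if not isinstance(items, list):
        raise AlertFormatError('expected a collection response with a "value" array')
    accepted, rejected = [], []
    for index, item in enumerate(items):
        try:
            accepted.append(normalize_alert(item))
        except AlertFormatError as err:
            rejected.append({"index": index, "reason": str(err)})
    return {"alerts": accepted, "rejected": rejected}


# Constructed sample page (not real data): one mapped alert, one alert whose title has
# no mapping, and one malformed item, so every branch above is exercised.
SAMPLE_PAGE = json.dumps({"value": [
    {"@odata.type": EXPECTED_ODATA_TYPE, "id": "alert-0001", "severity": "high",
     "createdDateTime": "2024-01-01T00:00:00Z",
     "title": "Access from a TOR exit node to a Key Vault"},
    {"@odata.type": EXPECTED_ODATA_TYPE, "id": "alert-0002", "severity": "low",
     "createdDateTime": "2024-01-01T00:05:00Z",
     "title": "Brand new detection with no mapping yet"},
    {"@odata.type": EXPECTED_ODATA_TYPE, "id": "alert-0003", "severity": "medium"},
]})

if __name__ == "__main__":
    print(json.dumps(normalize_page(SAMPLE_PAGE), indent=2))
```

Keeping unmapped alerts (mapped: False) rather than dropping them matches the page's "no further filtering" statement; the caller can still decide how to surface an alert whose title has not been mapped to a technique yet.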