Microsoft Graph (Security)


Supported Microsoft Security products

The Microsoft Graph Security API supports collection of alerts for multiple Microsoft Security products. An updated list can be found in the Microsoft documentation. Support for the following products has been validated by Samurai MDR:

  • Microsoft Entra ID Protection
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud

Prerequisites

The user performing these steps must have Global Administrator access to the Microsoft 365 Defender portal and the Microsoft Azure portal. Global Administrator (or Privileged Role Administrator) rights are also what grants tenant-wide admin consent for the application permission below.

You must have a Microsoft Entra ID P2 plan for the Privileged Identity Management and entitlement management features discussed below.

If you are a customer with the Incident Response (IR) Retainer, NTT recommends enabling the following features in Defender for Endpoint. They ensure optimal service delivery and a quick turnaround from activation to remediation by the NTT Incident Response team:

  • Live response
  • Live response for servers
  • Live response unsigned script execution

Follow the Microsoft documentation - Configure advanced features in Defender for Endpoint to enable the features.

To complete this integration you will need to perform actions in both the Azure portal and the Samurai MDR portal:

1. In the Azure portal: register an application (Application Registration below) and, if required, enable MDR SOC access to Microsoft 365 Defender.

2. In the Samurai MDR portal: create the Microsoft Graph (Security) integration using the values recorded in step 1.

Application Registration

  1. Follow the steps outlined within the section entitled Register an application in the Microsoft Graph API documentation, using the following parameters.

    Field Name              Parameter
    Supported account type  Accounts in this organizational directory only
    Redirect URL            Leave blank

    After creating the App Registration, record the Application (client) ID and Directory (tenant) ID; both are required when completing the integration in the Samurai MDR portal.

  2. Follow the steps outlined within the section entitled Add a client secret in the Microsoft Graph API documentation.

    Record the secret value immediately, as it is only shown once. Note the expiry date you choose for the secret: once it expires, alert collection stops until a new secret is created and entered in the Samurai MDR portal.

  3. Follow the steps outlined within the section entitled Configure permissions for Microsoft Graph in the Microsoft Graph API documentation. Select the following permission as an Application permission (not Delegated), because the collector authenticates with the client secret rather than as a signed-in user:
    SecurityAlert.Read.All

    Remember to grant administrator consent after selecting the permission. Without tenant-wide admin consent the application permission is not effective and tokens issued to the app will not carry it.
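As an added example (this is not code from the Samurai MDR guide or product), the following Python script checks that an app registration created as above actually yields a usable token before the values are entered in the Samurai MDR portal. It builds the client-credentials token request, decodes the payload of the returned access token (the signature is not verified; this is inspection for troubleshooting, not validation), confirms the roles claim carries SecurityAlert.Read.All and that the tenant and app IDs match, and then lists a few alerts from the Graph security alerts_v2 endpoint. The tenant ID, client ID and secret values are placeholders, and the offline sample token produced by make_constructed_token is constructed purely for illustration.

```python
"""Sanity-check a Microsoft Graph (Security) app registration.

Added example, not part of the Samurai MDR guide. Assumes the app registration
described above: client-credentials flow with the SecurityAlert.Read.All
application permission and admin consent granted.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's own app id; appears as aud in v1.0 tokens
REQUIRED_ROLE = "SecurityAlert.Read.All"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for the v2.0 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",        # .default = all consented application permissions
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Network call: exchange the client secret for an access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, tenant_id: str, client_id: str) -> list:
    """Return a list of problems; an empty list means the token should work."""
    problems = []
    if claims.get("aud") not in (GRAPH, GRAPH_APP_ID):
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    if (claims.get("appid") or claims.get("azp")) != client_id:
        problems.append("appid/azp does not match the Application (client) ID")
    if REQUIRED_ROLE not in claims.get("roles", []):
        # Typical causes: admin consent not granted, or Delegated instead of Application permission.
        problems.append(f"{REQUIRED_ROLE} missing from roles (consent not granted or wrong permission type)")
    return problems


def fetch_alerts(access_token: str, top: int = 5) -> list:
    """Network call: list the first few alerts the app is allowed to read."""
    req = urllib.request.Request(
        f"{GRAPH}/v1.0/security/alerts_v2?$top={top}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


def make_constructed_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT for offline demonstration (constructed, not real)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Offline demonstration with constructed tokens (placeholder IDs).
    tenant, app = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    good = {"aud": GRAPH, "tid": tenant, "appid": app, "roles": [REQUIRED_ROLE]}
    no_consent = {"aud": GRAPH, "tid": tenant, "appid": app}  # roles claim absent
    for label, claims in (("consented", good), ("no consent", no_consent)):
        print(label, "->", check_claims(token_claims(make_constructed_token(claims)), tenant, app) or "OK")
    # Live check (uncomment and fill in the real values from the App Registration):
    # tok = request_token(tenant, app, "<client secret>")
    # print(check_claims(token_claims(tok), tenant, app) or "OK", len(fetch_alerts(tok)), "alerts")
```

If check_claims reports the roles claim is missing, re-open the API permissions blade and confirm that SecurityAlert.Read.All is listed under Application (not Delegated) with a green "Granted for <tenant>" status, then request a fresh token; tokens issued before consent do not gain the role retroactively.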

Enable MDR SOC access to Microsoft 365 Defender

The steps outlined below are required for the NTT SOC to perform remote isolation and further analysis through the Microsoft 365 Defender portal. You may also wish to refer to the Microsoft documentation - Granting managed security service provider (MSSP) access.

Prerequisites

Ensure role-based access control (RBAC) is enabled in your Microsoft Defender Security Center.

To enable RBAC in Microsoft Defender Security Center, navigate to Settings > Permissions > Roles and select Turn on roles, using a user account with Global Administrator or Security Administrator rights.

This feature also requires an Entra ID P2 plan for the Privileged Identity Management feature.

Create an Entra ID Group and assign role

To create an Entra ID group for NTT, perform the following steps:

  1. Log in to Entra ID admin center

  2. Navigate to Groups > All groups > New group

  3. Select Security from the Group type list

  4. Ensure that Microsoft Entra roles can be assigned to the group is set to Yes

    You cannot change this setting later, so make sure it is enabled before you create the group. If you do not see this option, check that you have an Entra ID P2 license and have the preview features enabled. Note that only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, which is what prevents lower-privileged group owners from granting themselves the role.

After creating the group, follow the steps in Assign Microsoft Entra roles to groups to assign the Security Reader role to the newly created group.

Add NTT as Connected Organization

Perform the following steps to add NTT as a connected organization:

  1. Navigate to Identity Governance
  2. Click Connected organizations
  3. Click Add connected organization
  4. On the Basics tab, specify a Name and Description
  5. On the Directory + domain tab, perform the following steps:
    1. Click Add directory + domain
    2. In the Select directories + domains field, search for security.ntt and select it

Create a Resource Catalog

In the Entra ID portal under Identity Governance perform the following steps:

  1. Navigate to the Catalogs tab
  2. Click New catalog
  3. Specify a Name and Description, keep other values default
  4. Click Create

Create an Access Package

An access package enables you to do a one-time set up of resources and policies that automatically administers access for the life of the access package.

To create a new access package, perform the following steps:

  1. Navigate to Identity Governance

  2. Click Access packages

  3. Click New access package

  4. Specify a Name and Description, and select the Catalog created in the previous step

  5. In the Resource roles tab, add the group created previously and set Role to Member

  6. In the Requests tab, ensure the following options are set (leave other settings as default):

    1. Set Users who can request access to For users not in your directory

    2. Under Select connected organizations, select NTT

    3. Set Require approval to Yes

    4. Under First Approver, add at least one fallback approver

    5. Set Enable new requests to Yes

  7. In the Lifecycle tab, set Access Reviews to No

After creating the access package provide the My Access portal link to NTT.

Define your Sponsors

Sponsors are the people responsible for approving requests made by NTT staff. You may define internal and/or external sponsors.

Internal sponsors are select individuals from within your organization who can approve requests from NTT. External sponsors are select individuals from within NTT who can approve these on your behalf.

NTT recommends selecting external sponsors and obtaining a list of names during the MDR Onboarding. These names include managers and team leads who support the service.

Approving access requests from NTT staff is an ongoing task: each new NTT analyst needs an approved request before they can access your tenant. Therefore, NTT recommends you define external sponsors so that NTT can manage this process.

Initial NTT users will need to be approved by the selected Fallback approvers, after which they can be added as external sponsors.

To add external sponsors, select the Connected Organization and then Sponsors.

Complete the Microsoft Graph (Security) Integration

  1. Log in to the Samurai MDR portal
  2. Click Telemetry and select Integrations from the main menu
  3. Select Create
  4. Locate and click Microsoft Graph (Security)
  5. Click Next (we leverage a Samurai Cloud Collector)
  6. Enter Tenant ID, Application ID and Client Secret as created in Application Registration
  7. Click Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.