Overview
Use the Microsoft Graph security API to connect Microsoft security products, services, and partners to streamline security operations and improve threat protection, detection, and response capabilities.
The Microsoft Graph security API is an intermediary service (or broker) that provides a single programmatic interface to connect multiple Microsoft Graph security providers (also called security providers or providers). Requests to the Microsoft Graph security API are federated to all applicable security providers. The results are aggregated and returned to the requesting application in a common schema.
This integration gathers security events from the following products:
- Microsoft Entra ID Protection
- Microsoft 365 Defender
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Purview Data Loss Prevention
- Microsoft Sentinel
Setup
To integrate Microsoft Graph with Datadog, Datadog connects to Microsoft using OAuth. The authenticated user must have the following permission scopes to integrate:
- offline_access
- APIConnectors.Read.All
- SecurityAlert.Read.All
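As an added example (not part of the Datadog integration or of Microsoft's code), the following Python snippet checks that a delegated access token actually carries the three scopes listed above before the integration is relied on. It assumes the token is a Microsoft Entra-issued JWT whose `scp` claim holds the space-separated delegated scopes; the token used here is a constructed, unsigned sample, and a real token's signature, issuer and expiry are validated by the resource server, not by this check.

```python
import base64
import json

# Scopes the Datadog Microsoft Graph integration requires (from the setup text above).
REQUIRED_SCOPES = {"offline_access", "APIConnectors.Read.All", "SecurityAlert.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_scopes(token: str) -> set[str]:
    """Return the delegated scopes from a JWT's `scp` claim.

    Assumption: Entra delegated tokens list scopes in `scp`, space-separated.
    This only parses the payload; it does NOT verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def missing_scopes(token: str) -> set[str]:
    """Required scopes the token does not grant (empty set means consent is complete)."""
    return REQUIRED_SCOPES - token_scopes(token)


def make_sample_token(scp: str) -> str:
    """Build a CONSTRUCTED, unsigned sample token for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"aud": "https://graph.microsoft.com", "scp": scp}).encode()
    )
    # Empty third segment: no signature on this sample.
    return f"{header}.{payload}."


if __name__ == "__main__":
    complete = make_sample_token("offline_access APIConnectors.Read.All SecurityAlert.Read.All")
    partial = make_sample_token("offline_access SecurityAlert.Read.All")
    print("missing (complete consent):", missing_scopes(complete))
    print("missing (partial consent):", missing_scopes(partial))
```

A non-empty result from `missing_scopes` is the usual cause of an authorization that appears to succeed but yields no alerts: the user consented, but not to `SecurityAlert.Read.All`, or the refresh token could not be issued because `offline_access` was absent.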
Installation
- Navigate to the Integrations Page and search for the “Microsoft Graph” Integration.
- Click the tile.
- To add an account to install the integration, click the Add Microsoft Account button.
- After reading the instructions in the modal, click the Authorize button, which redirects you to the Microsoft Login Page.
- On the screen requesting access, click Authorize. This allows Datadog to view security events.
- You’re redirected back to Datadog’s Microsoft Graph tile with a new account. Datadog recommends changing the ‘Account Name’ to something easier to remember.
Configuration
Validation
Data Collected
Logs
Microsoft Graph collects all available Microsoft Graph Security Events.
Troubleshooting
Need help? Contact Datadog support.