Overview of MS Graph Security EAP

As a Sophos Managed Threat Response (MTR) Advanced customer you are invited to participate in an Early Access Program (EAP) for the Microsoft Graph Security connector. We would like your feedback on the connector, and your participation will allow us to confirm that the detections generated in your environment are being appropriately classified for case generation and that the Sophos infrastructure scales as expected under real-world data volumes.

  • Summary: Sophos is adding support for Microsoft Security Graph at no additional cost, enabling automatic detections and cases for Defender threat events from Office 365, Identity, Cloud, Cloud Apps, and Endpoint.
  • Benefit: Expand threat context and minimize time to investigate.
  • Requirements: Sophos MTR Advanced license, appropriate Microsoft license.
  • Sophos contacts: Contact the product team at mtreap2@sophos.com to request an invitation key or with questions.

WHEN WILL THE EARLY ACCESS PROGRAM START

The Microsoft Graph Security EAP is expected to start May 30th and remain open until June 30th.

Support in Sophos MTR Advanced is expected in late June or early July 2022.

The EAP will be limited to the first 50 qualified accounts.

WHAT DATA WILL THE MICROSOFT GRAPH SECURITY CONNECTOR COLLECT

Configuration of the Sophos connector for the Microsoft Security Graph API will require authorization and access rights to receive threat events. No data will be received for your account until the connector is configured by an authorized administrator. Threat events can be collected from Microsoft Defender licensed products including:

  • Defender for Office 365 - security services, depending on subscription, focused on Exchange Online Protection
  • Defender for Identity - cloud-based solution that leverages Active Directory signals to monitor and analyze user activities and information across the network
  • Defender for Cloud - tool for security posture management and threat protection that hardens resources and protects workloads running in Azure, hybrid, and other cloud platforms
  • Defender for Cloud Apps - Cloud Access Security Broker (CASB) that provides visibility, control over data travel and analytics across Microsoft and third-party cloud services
  • Defender for Endpoint - endpoint sensors collect and process behavioral signals for Windows and Linux machines whether hosted in Azure, hybrid clouds (on-premises), or AWS

During the EAP the MTR team will be configuring and tuning the classification rules for the future creation of Detections and Cases. Investigation cases will not be generated as part of the EAP.

Queries will be provided on the Sophos Community forum to allow you to review the detections being received.

Details on specific Microsoft Security Graph alert types can be found in Microsoft documentation. Support depends on your Microsoft licensed product subscriptions.