Microsoft Security
The Microsoft Security Event Source collects data from the Microsoft Security product suite using the Microsoft Graph API. This event source creates events from all Microsoft Security products, including Defender for Endpoint, Defender for Cloud, Defender for Identity, Defender for Cloud Apps, Defender O365, and Defender for Vulnerability Management.
New feature: Bidirectional alert sync for Microsoft Security
We’re introducing bidirectional alert sync for the Microsoft Security event source.
Here’s what you need to know:
- Closing an alert in Rapid7 SIEM (InsightIDR) automatically closes the corresponding alert in Microsoft Security.
- Closing an alert in Microsoft Security automatically closes the corresponding alert in Rapid7 SIEM (InsightIDR).
- This feature is not currently available for the Microsoft Security GCC or Microsoft Security GCC High event sources.
- This capability currently applies only to closing alerts.
- To enable bidirectional alert sync:
- Apply the following Microsoft Graph API permissions in Azure when configuring Microsoft Security. An admin must grant consent before the integration can authenticate:
SecurityAlert.ReadWrite.AllThreatHunting.Read.AllSecurityIncident.Read.AllSecurityEvents.Read.All
- Click the Enable bidirectional alert sync check box when configuring the event source in SIEM (InsightIDR).
- Apply the following Microsoft Graph API permissions in Azure when configuring Microsoft Security. An admin must grant consent before the integration can authenticate:
- If an active Microsoft Security event source is already collecting data from multiple Microsoft products, it does not need to be removed. Each source may generate slightly different alerts, and duplicates are automatically managed by SIEM (InsightIDR) to ensure complete coverage without redundancy.
The event types that SIEM (InsightIDR) can parse from this event source are:
- Low-, medium-, and high-severity alerts (from the v2 Alerts API)
To set up Microsoft Security:
- Read the requirements and complete any prerequisite steps.
- Configure Microsoft Security to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to collect data from the event source.
- Test the configuration.
You can also:
- Review sample logs.
- Learn more about bidirectional alert sync.
Entra ID customers: Complete your Microsoft coverage
This event source provides alert data from the Microsoft Defender suite. For full Microsoft ecosystem coverage, also configure Microsoft Azure, Microsoft Entra ID, and Microsoft Entra ID Protection.
Requirements
Before you start the configuration, you’ll need:
- Global Administrator or Application Administrator permissions in your Azure portal.
Configure Microsoft Security to send data to SIEM (InsightIDR)
Visit the third-party vendor's documentation
For the most accurate information on configuring this event source, we recommend that you visit Microsoft Azure’s documentation on registering an application , creating a client secret , and applying permissions .
Before you can send events to SIEM (InsightIDR) from Microsoft Security products, you’ll first need to set up a Microsoft Azure application to access the Microsoft Graph API. The application needs a client secret attached to it in addition to the application permissions applied to the Microsoft Graph API :
SecurityEvents.Read.AllSecurityIncident.Read.AllThreatHunting.Read.AllSecurityAlert.ReadWrite.All
After you add the required application permissions, you must grant admin consent before the permissions take effect. Without admin consent, SIEM (InsightIDR) cannot access the requested data.
Update azure application permissions
If you have an existing Microsoft Security event source configured, you must add the ThreatHunting.Read.All permission to your Azure application to ensure full data collection.
For step-by-step instructions, see Microsoft’s documentation on applying permissions .
During setup, make sure to copy the following values to a secure location as they are used in the next section:
- Client ID: The Application (client) ID found in the App Registration overview.
- Tenant ID: The Directory (tenant) ID found in the App Registration overview.
- Client Secret: The secret created in the App registration.
- When the secret expires, you are required to reconfigure the event source.
- You are only able to view and copy this value immediately after creating the client secret. If you log out or leave this page, you will not be able to copy the client secret value and will need to create another one.
- The Client Secret is a sensitive password. Please do not send it over unencrypted email. Use a secure password manager or another encrypted method to share these credentials.
Choose the right credential strategy for Azure integrations
Using one credential per event source improves security, traceability, and adherence to least privilege principles. While using one credential for multiple event sources reduces overhead, it increases risk and can complicate auditing. For most environments, we recommend creating a separate credential for each integration or application.
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
Single tenant support
The Microsoft Security Event Source currently only supports a single tenant, so if you have additional tenants within Microsoft Azure, you will need separate Event Sources for each tenant.
Task 1: Select Microsoft Security
This task differs depending on which version of Microsoft Security you need to set up (Microsoft Security, Microsoft Security GCC, or Microsoft Security GCC High).
Microsoft Security
To select the Microsoft Security event source:
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Microsoft Security in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Microsoft Security event source tile.
Microsoft Security GCC
To select the Microsoft Security GCC event source:
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Microsoft Security GCC in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Microsoft Security GCC event source tile.
Microsoft Security GCC High
To select the Microsoft Security GGC High event source:
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Microsoft Security GCC High in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Microsoft Security GCC High event source tile.
Task 2: Set up your collection method
You can send data from Microsoft Security products to SIEM (InsightIDR) through the cloud.
To add a Microsoft Security Event Source:
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- If you’re transitioning from a legacy event source to a cloud-synced version of the same event source, you can reuse the original event source name to maintain continuity in Log Search. This allows newly ingested events to appear in the same log location as before.
- Select an existing connection or click Add a New Connection.
- If you decided to add a new connection:
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the Tenant ID field, enter the Directory (tenant) ID that you obtained in the previous section to send data to SIEM (InsightIDR).
- In the Client ID field, enter the Application (client) ID that you obtained in the previous section to send data to SIEM (InsightIDR).
- In the Client Secret field, select an existing credential or add a new one.
- If you decided to add a new credential:
- Click the field to display a drop-down menu.
- Click Add Credential.
- Name your credential.
- Describe your credential.
- Enter the Secret Key that you obtained in the previous section to send data to SIEM (InsightIDR).
- Select which other Rapid7 solutions are able to use the credential.
- If you decided to add a new credential:
- Click Save Connection.
- If you decided to add a new connection:
- Optionally, enter a collection filter.
- Optionally, select the option to send unparsed data.
- Select Enable bidirectional alert sync.
- Rapid7 recommends enabling this setting so SIEM (InsightIDR) can close your alerts in Microsoft Security when they are closed in SIEM (InsightIDR), and conversely close your alerts in SIEM (insightIDR) when they are closed in Microsoft Security.
- This feature is not currently available for the Microsoft Security GCC or Microsoft Security GCC High event sources.
- Click Save.
Test the configuration
Finally, you’ll need to test the configuration to ensure it is properly sending event data to SIEM (InsightIDR) from Microsoft. The event types that SIEM (InsightIDR) can parse from this event source are:
- Low-, medium-, and high-severity alerts (from the v2 Alerts API)
To test that event data is flowing into SIEM (InsightIDR):
- From the Data Collection Management page, click the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
- Open Log Search.
If event data is coming into SIEM (InsightIDR), you’ll also want to ensure that log entries are appearing in Log Search.
To verify log entries are appearing in Log Search:
- In SIEM (InsightIDR), navigate to Log Search.
- In the Log Search filter panel, search for the event source you named in Configure SIEM (InsightIDR) to collect data from the event source. Microsoft Security logs should flow into the Third Party Alert log set.
- Select the log sets and the logs within them.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all events that flowed into SIEM (InsightIDR) in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs .
Sample Logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Third Party Alert log set. Here is a typical raw log entry that is created by the event source:
{'id': '<id>',
'providerAlertId': '<providerAlertId>',
'incidentId': '<incidentId>',
'status': 'new',
'severity': 'high',
'classification': None,
'determination': None,
'serviceSource': 'microsoftDefenderForEndpoint',
'detectionSource': 'antivirus',
'productName': 'Microsoft Defender for Endpoint',
'detectorId': '<detectorId>',
'tenantId': '<tenantId>',
'title': "'EICAR_Test_File' malware was prevented",
'description': 'Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.',
'recommendedActions': 'Collect artifacts and determine scope\n•\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n•\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n•\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n•\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n•\tContact the user to verify intent and initiate local remediation actions as needed.\n•\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n•\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n•\tIf credential theft is suspected, reset all relevant users passwords.\n•\tBlock communication with relevant URLs or IPs at the organization’s perimeter.',
'category': 'Malware',
'assignedTo': 'john@test.com',
'alertWebUrl': 'https://security.microsoft.com/alerts/<providerAlertId>?tid=<tenantId>',
'incidentWebUrl': 'https://security.microsoft.com/incidents/<incidentId>?tid=<tenantId>',
'actorDisplayName': None,
'threatDisplayName': 'Virus:DOS/EICAR_Test_File',
'threatFamilyName': 'EICAR_Test_File',
'mitreTechniques': [],
'createdDateTime': '2024-03-18T19:10:49.0966667Z',
'lastUpdateDateTime': '2024-08-12T15:16:21.64Z',
'resolvedDateTime': '2024-08-12T15:16:21.4761349Z',
'firstActivityDateTime': '2024-03-18T19:09:48.947691Z',
'lastActivityDateTime': '2024-03-18T19:09:48.947691Z',
'systemTags': [],
'alertPolicyId': None,
'additionalData': None,
'comments': [{'comment': None,
'createdByDisplayName': 'john@test.com',
'createdDateTime': '2024-08-12T15:16:21.4761349Z'}],
'evidence': [{'@odata.type': '#microsoft.graph.security.deviceEvidence',
'createdDateTime': '2024-03-18T19:10:49.37Z',
'verdict': 'unknown',
'remediationStatus': 'none',
'remediationStatusDetails': None,
'roles': [],
'detailedRoles': ['PrimaryDevice'],
'tags': [],
'firstSeenDateTime': '2024-03-18T19:00:26.0724432Z',
'mdeDeviceId': '<mdeDeviceId>',
'azureAdDeviceId': None,
'deviceDnsName': 'mde',
'osPlatform': 'Windows10',
'osBuild': 19045,
'version': '22H2',
'healthStatus': 'inactive',
'riskScore': 'none',
'rbacGroupId': 0,
'rbacGroupName': None,
'onboardingStatus': 'onboarded',
'defenderAvStatus': 'unknown',
'lastIpAddress': '<ipAddress>',
'lastExternalIpAddress': '<ipAddress>',
'ipInterfaces': ['<ipAddress>',
'<ipv6Address>',
'<ipAddress>',
'::1'],
'vmMetadata': None,
'loggedOnUsers': [{'accountName': 'user', 'domainName': 'MDE'}]},
{'@odata.type': '#microsoft.graph.security.fileEvidence',
'createdDateTime': '2024-03-18T19:10:49.37Z',
'verdict': 'suspicious',
'remediationStatus': 'none',
'remediationStatusDetails': 'Entity was pre-remediated by Windows Defender',
'roles': [],
'detailedRoles': [],
'tags': [],
'detectionStatus': 'prevented',
'mdeDeviceId': '<mdeDeviceId>',
'fileDetails': {'sha1': '<sha>',
'sha256': '<sha256>',
'fileName': 'New Text Document.txt',
'filePath': 'C:\\Users\\user\\Desktop',
'fileSize': 68,
'filePublisher': None,
'signer': None,
'issuer': None}}]}Bidirectional Alert Sync
Bidirectional alert sync keeps alert status consistent across Rapid7 SIEM (InsightIDR) and Microsoft Security without manual effort. When you close an alert in either system, the status change is automatically reflected in the other, reducing context-switching and helping streamline your incident response workflow.
Bidirectional alert sync is not retroactive
Bidirectional alert sync applies only to new alerts created after the feature is enabled.
Microsoft Security GCC and GCC High
This feature is not currently available for the Microsoft Security GCC or Microsoft Security GCC High event sources.
To enable bidirectional alert sync:
- Ensure these application permissions are applied to the Microsoft Graph API in Microsoft Azure when configuring Microsoft Security:
SecurityAlert.ReadWrite.AllThreatHunting.Read.AllSecurityIncident.Read.AllSecurityEvents.Read.All
- Select Enable bidirectional alert sync when configuring the event source in SIEM (InsightIDR).
Creating or editing an event source
If you are setting up a new event source, this check box appears in Task 2 of the event source configuration. If you are updating an existing event source, edit the event source and select the check box, then save.
Sync behavior
This table describes how alert status changes sync between SIEM (InsightIDR) and Microsoft Security, depending on whether an alert is part of an investigation.
Manage bidirectional sync in SIEM (InsightIDR) Alerts
For the most reliable experience, manage and close alerts and investigations from within the Alerts experience in SIEM (InsightIDR). SIEM is the system of record and changes made here sync back to Microsoft Security consistently. Not all actions taken in Microsoft Security sync back to SIEM.
| Alert is included in an investigation | Scenario | Action in SIEM (InsightIDR) | Action in Microsoft Security |
|---|---|---|---|
| No | Alert is closed | Closes in Micosoft Security | Closes in SIEM (InsightIDR) |
| No | Alert is reopened | Reopens in Microsoft Security | Does not sync to SIEM (InsightIDR) |
| Yes | Investigation is closed in SIEM | Included alerts close in Microsoft Security | N/A |
| Yes | Alert is closed in Microsoft Security | N/A | Does not close the alert or investigation in SIEM (InsightIDR) |
Investigations and bidirectional sync
Whether an alert is part of an investigation affects how bidirectional sync behaves. Understanding this relationship is important for customers who triage alerts from Microsoft Security alongside SIEM (InsightIDR) investigations.
In SIEM (InsightIDR), alerts that are part of an open investigation cannot be closed individually, they can only be closed by closing the investigation itself. This applies regardless of what happens in Microsoft Security.
How investigations affect sync:
- If an alert in SIEM (InsightIDR) is part of an open investigation, closing that alert in Microsoft Security will not close it in SIEM (InsightIDR), and will not close the investigation.
- To close an investigation-linked alert in both systems, close the investigation in SIEM (InsightIDR). This will close the investigation and sync the alert closure to Microsoft Security.
Always close investigations from within SIEM (InsightIDR)
Open investigations in SIEM (InsightIDR) cannot be closed from Microsoft Security or by any other external action.
Detection Rule Actions and Sync Readiness
Whether an incoming Microsoft Security alert is added to an investigation or created as a standalone alert in SIEM (InsightIDR) is controlled by the rule action setting on the corresponding third-party detection rule.
The default rule action for third-party detection rules in SIEM (InsightIDR) depends on your subscription:
- Customers with MDR SOC triage entitlements - Detection rules are automatically set to Create alert. Bidirectional sync works as expected for these customers without any additional configuration.
- Customers without MDR SOC triage entitlements (including both managed and unmanaged customers) - Detection rules default to Create investigation. Alerts from Microsoft Security that trigger these rules will be added to investigations in SIEM (InsightIDR), which means they cannot be closed through bidirectional sync until the investigation is closed.
If you want incoming Microsoft Security alerts to be created as standalone alerts in SIEM (InsightIDR), rather than added to investigations, you can change the rule action on the relevant third-party detection rules.
You can change the rule action:
- Through the UI - You can update up to 60 rules at a time. Go to Detection Rules in SIEM (InsightIDR), filter for the relevant rules, and update the rule action to Create alert.
- Through the API - You can update all rules at once using the SIEM (InsightIDR) REST API. See the SIEM (InsightIDR) REST API documentation for details.
Review any detection rule changes carefully
Changing rule actions affects how all future alerts from those rules are handled in SIEM (InsightIDR), not just those from Microsoft Security. Review your detection rule configuration carefully before making bulk changes, particularly if you have automated workflows or other integrations that depend on investigation creation.