Re: SecureX and Microsoft Graph API integration

hoffa2000 · ‎04-07-2021

Greetings

I'm trying to understand how this is supposed to work, the information given by Cisco seems limited at best. I have SecureX set up and running with our FTDs as the only integration so far and I'd like to add the ability to enrich with data from Microsoft Defender for Endpoint taken from Microsoft Graph API. For some reason SecureX requires me to host a Docker relay for this to work. Why doesn't SecureX give me the option to contact Microsoft API directly? Seems unfinished to me.

Anyway, getting the Docker relay running is no problem if you know Docker but the next step, to set up the integration in the SecureX GUI drives me mad. How to I create a JWT that's accepted by the integration? All my attempts using public tools on the web gives me a string that SecureX says is missing either the correct format or some "custom_jwks_host" and there is nothing on the Github page about this.

Has anyone actually got this working?

Regards

Fredrik

ppreenja · ‎05-04-2021

Hi Fredrik,

Please post your query on the below link so that you can get direct answer to your query:

https://gitter.im/CiscoSecurity/Threat-Response

Cheers,

Pratham

Mike.Migliori · ‎07-22-2021

A little late to the party, but if you have not already noticed, Cisco has recreated the integrations with (Cisco Hosted) type of integrations. This means you do not need to set up the serverless relays in AWS. They now have a "(Cisco Hosted) Microsoft Graph Security API" available to use to integrate. I was successful today in connecting them, can't wait to see how it enriches our investigations.

hoffa2000 · ‎09-27-2021

Hi Mike

I'm even later with my response, but I've been trying to understand how this is supposed to work. First up, I have the Cisco hosted MS Graph API setup and running. At least it's displayed as healthy but I don't seem to get any enrichment from the integration.

For example: I have malware blocked by Microsoft Endpoint Protection (Formerly Defender ATP) and when I run the blocker file hash through SecureX I only get threat information from Talos and AMP but no indication that it has been detected by and endpoint.

Likewise, if I try to run an URL or a file hash caught by Defender for Office365 (The email protection suite) neither those are enriched by the integration.

I admit I haven't dug through the entire SecureX manual but I naively thought this would be as straight forward as it was getting data from Firepower. Both these examples are presented as alerts in the Microsoft dashboards for the Defender suite and, as I see it, should be highly relevant for a SOAR.

Regards

Fredrik

Mike.Migliori · ‎09-27-2021

Not sure of Microsoft graph api, I integrated, but never saw enrichments that included Microsoft.

hoffa2000 · ‎10-28-2021

Hi all

I've been using SecureX in a semi-production fashion and I think it's time to bump this post, if not to ease my frustration but also for Cisco. I mean SOAR tools is where it's at these days and Cisco promising event integration between their "universe" and Microsoft's is the Holy Grail for me. What's really bother me is the fact that Microsoft is seeing questions against their Defender API as shown by the graph below which is from my Defender Portal. Since not even the most obvious indications from Microsoft are shown by SecureX, what exactly is Cisco doing with "my" API?

Regards

Fredrik