How does one add non-standard integrations to SecureX?

charlesapap
Level 1

Our organisation is rolling out a Proof of Concept for SecureX. As part of this, we want to integrate Microsoft Defender, Azure Sentinel and our ticket management system HaloITSM. All of the above utilise REST APIs.

However, I cannot see an option within SecureX for these as out-of-the-box integrations. Is it possible at all to add anything non-standard as an integration and if so how?

Thanks in advance for any assistance; I could not find any documentation about this.

Accepted Solution

There is a Microsoft Graph Security API integration, here's the description:

Part of Microsoft Graph, the Microsoft Graph Security API integrates with security solutions from Microsoft and partners in a federated model; it can also be used in conjunction with other Microsoft Graph entities to gain additional context (for example, Office 365 and Azure AD). The API has multiple entities, including:
* Alerts from multiple security solutions, each representing that potentially malicious activity has been detected within the organization.
* Secure Score provides information about an organization's security posture, including a numeric rating based on elements like the enabled security features in your environment and outstanding security risks. This score is available at the tenant level as well as at a specific control area, such as device, app, and identity, through Secure Score Control Profiles. Scores and profiles are available from each security provider that offers them: valuable information that can help guide vulnerability remediation actions based on the suggested actions available in each profile. By default, 90 days of data is retained.
* Threat intelligence indicators refer to information about known threats, such as malicious IP addresses, domains, or URLs. Organizations can send their threat intelligence to targeted Microsoft services to enable custom detections.
Note: The Microsoft Graph Security Relay uses Open Data Protocol (OData) filters (specifically the any lambda operator) while querying data from Microsoft Graph Security API. The Microsoft Graph Security API is a federation service that merges data from various Microsoft alert providers. As some providers do not support OData query filters (for example, Office 365 Security and Compliance and Microsoft Defender Advanced Threat Protection), alerts from those providers will not be included in the Microsoft Graph Security Relay output.


ben.greenbaum
Cisco Employee

How to implement a custom SecureX integration is dependent on what you want the integration to achieve.

- If you want Defender and Sentinel to forward incidents into SecureX for handling, you will need those technologies to make calls to the SecureX API, or middleware that does so.
- If you want to be able to query those tools for enrichment details (sightings, etc.) of items you are investigating in SecureX, you will need a SecureX relay that queries them.
- If you want to take response actions using those technologies, you can also use the relay if you made one for the above reason, or you can create Orchestration workflows to enact those responses.
- If you want Incidents in SecureX to be forwarded to Halo, you can create a workflow to do so (or modify the existing ServiceNow workflows that do similar).

These videos will give you more information:
https://www.youtube.com/watch?v=--k3PiT-d6g&list=PLmuBTVjNfV0dlZ_DYgNiZ7SBlWVB0ae33&index=2
https://www.ciscolive.com/on-demand/on-demand-library.html?search=securex#/session/1675722365732001tevZ
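Worked example, added here and not taken from either reply, from Cisco or from Microsoft: the core of the "SecureX relay that queries them" enrichment option in the reply above, fronting the Microsoft Graph Security API with the OData `any` lambda filters that the note in the accepted solution mentions. Everything below the two provider names is an assumption of mine and should be checked against the SecureX relay and Graph Security documentation: the relay contract (a JSON list of `{"type", "value"}` observables POSTed to `/observe/observables`, answered with `{"data": {"sightings": {"count", "docs"}}}`, plus `/health`), the Graph alert property paths (`networkConnections`, `fileStates`, `hostStates`), the CTIM sighting field set, and the two sample alerts, which are constructed. The offline stand-in for Graph models the note's caveat as alerts from non-filterable providers simply being absent from a filtered result, which is my reading of that note.

```python
"""Core of a SecureX enrichment relay fronting the Microsoft Graph Security API.

Added example, not Cisco's or Microsoft's code. The relay contract, the Graph alert
property paths and the CTIM sighting fields used here are assumptions to verify.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
SAMPLE_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
# CTIM observable type -> (Graph alert collection, property paths inside one element).
OBSERVABLE_FIELDS = {
    "ip": ("networkConnections", ["sourceAddress", "destinationAddress"]),
    "domain": ("networkConnections", ["destinationDomain"]),
    "url": ("networkConnections", ["destinationUrl"]),
    "sha256": ("fileStates", ["fileHash/hashValue"]),
    "hostname": ("hostStates", ["fqdn"]),
}
SEVERITY = {"high": "High", "medium": "Medium", "low": "Low", "informational": "Info"}
# Providers the note says cannot be OData-filtered; the offline Graph stand-in below
# assumes (my reading of that note) that their alerts are simply absent from results.
NO_FILTER_PROVIDERS = {"Office 365 Security and Compliance",
                       "Microsoft Defender Advanced Threat Protection"}
SAMPLE_ALERTS = [  # constructed sample alerts, not data from any real tenant
    {"id": "alert-0001", "title": "Outbound connection to known C2 address",
     "severity": "high", "eventDateTime": "2023-04-01T10:02:17Z",
     "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
     "networkConnections": [{"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.7"}],
     "hostStates": [{"fqdn": "ws01.corp.example"}], "fileStates": []},
    {"id": "alert-0002", "title": "Suspicious executable dropped", "severity": "medium",
     "eventDateTime": "2023-04-01T11:40:03Z", "networkConnections": [],
     "vendorInformation": {"provider": "Microsoft Defender Advanced Threat Protection",
                           "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "ws01.corp.example"}],
     "fileStates": [{"name": "dropper.exe",
                     "fileHash": {"hashType": "sha256", "hashValue": SAMPLE_SHA256}}]},
]

def odata_filter(observable):
    """$filter clause for one observable: <collection>/any(x:x/<path> eq '<value>' ...)."""
    collection, paths = OBSERVABLE_FIELDS[observable["type"]]
    value = observable["value"].replace("'", "''")  # OData escapes a quote by doubling it
    clauses = " or ".join(f"x/{p} eq '{value}'" for p in paths)
    return f"{collection}/any(x:{clauses})"

def graph_alerts_url(observable, top=50):
    """Request a real relay would GET with a bearer token (the filter is URL-encoded)."""
    return f"{GRAPH_ALERTS}?$filter={quote(odata_filter(observable), safe='')}&$top={top}"

def _get_path(obj, path):
    for key in path.split("/"):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def match_alert(alert, observable):
    """Local equivalent of the `any` lambda, so the example runs without a tenant."""
    collection, paths = OBSERVABLE_FIELDS[observable["type"]]
    return any(_get_path(item, p) == observable["value"]
               for item in alert.get(collection, []) for p in paths)

def fake_graph_alerts(observable):
    """Stand-in for the Graph call; swap in an HTTP GET of graph_alerts_url(observable)."""
    return [a for a in SAMPLE_ALERTS
            if a["vendorInformation"]["provider"] not in NO_FILTER_PROVIDERS
            and match_alert(a, observable)]

def alert_to_sighting(alert, observable):
    """One Graph alert -> one CTIM sighting (the field set here is an assumption)."""
    return {"type": "sighting", "schema_version": "1.1.3",
            "id": f"transient:sighting-{alert['id']}",
            "source": "Microsoft Graph Security API", "confidence": "High",
            "severity": SEVERITY.get(alert.get("severity", ""), "Unknown"), "count": 1,
            "observed_time": {"start_time": alert["eventDateTime"]},
            "observables": [observable], "title": alert.get("title", ""),
            "description": "Reported by " + alert["vendorInformation"]["provider"]}

def observe(observables, fetch_alerts=fake_graph_alerts):
    """Body of POST /observe/observables; unsupported observable types are skipped."""
    docs = [alert_to_sighting(a, o) for o in observables
            if o.get("type") in OBSERVABLE_FIELDS for a in fetch_alerts(o)]
    return {"data": {"sightings": {"count": len(docs), "docs": docs}}}

class RelayHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front: /health plus the enrichment endpoint implemented above."""

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"[]")
        if self.path == "/health":
            reply = {"data": {"status": "ok"}}
        elif self.path == "/observe/observables":
            reply = observe(body)
        else:
            return self.send_error(404)
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RelayHandler).serve_forever()
```

Run it and POST `[{"type": "ip", "value": "203.0.113.7"}]` to `http://127.0.0.1:8080/observe/observables`: the Sentinel alert comes back as one sighting. POST the sample SHA-256 instead and you get zero sightings even though the Defender alert matches locally, which is exactly the gap the note describes (alerts from providers that cannot be OData-filtered drop out of the relay output). `odata_filter` doubles single quotes in the observable value before it is interpolated into `$filter`, since the value comes from the investigation and should never be able to alter the query; the same table that builds the filter drives the offline matcher, so the two cannot drift apart.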