Abnormal Security Migration: Integration Points
This migration will succeed or fail on integration clarity. Document every system boundary explicitly.
Core Integration Surfaces
| System | Integration Focus |
|---|---|
| Microsoft 365 | Mailbox access model, Graph permissions, message remediation actions, impersonation visibility, user and domain context |
| Cisco ESA | Existing policy sets, quarantine workflow, reporting exports, syslog feeds, message tracking, dependency analysis before cutover |
| Microsoft Sentinel | Detection ingestion path, connector options, schema normalization, alert ownership, incident workflow |
| Monad ETL | Whether Abnormal telemetry needs transformation, enrichment, or routing before Sentinel ingestion |
| Identity and access | Service principals, API roles, privileged access approval, break-glass procedures |
| User reporting workflows | Report phishing mailbox, Outlook add-ins, SOC triage process, help desk routing |
Questions to Resolve
- Which Abnormal data reaches Sentinel natively versus through an intermediate collector?
- Which ESA reports or syslog feeds are currently used by analysts and must be preserved?
- Which M365 permissions are required, who approves them, and how are they reviewed?
- Does Abnormal write back remediation state into M365, and how is that audited?
- What alerts stay in Abnormal versus being forwarded into Sentinel incidents?
Mapping Table to Build Next
Build and maintain a simple mapping table with these columns:
- source system
- integration method
- authentication method
- data produced
- operational owner
- migration dependency
- cutover blocker
That table will become the actual project control plane.
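A mapping table only works as a control plane if it is checked mechanically rather than eyeballed. The script below is an added example, not part of the migration plan or any vendor tooling: it keeps the table as rows with the seven columns listed above, flags rows with no operational owner or a dependency that names no other row, derives the cutover order from the migration dependency column, and reports which systems are blocked either by their own cutover blocker or by one inherited from a dependency. The sample rows, system names, methods and blocker text are constructed placeholders and do not describe the real environment.

```python
"""Readiness checks over the integration mapping table (added example).

Assumptions: each row carries the seven columns named in the plan, and
'migration_dependency' is either empty or the 'source_system' of another
row that must cut over first. All sample data below is constructed.
"""
from collections import defaultdict

COLUMNS = (
    "source_system", "integration_method", "authentication_method",
    "data_produced", "operational_owner", "migration_dependency",
    "cutover_blocker",
)

# Constructed sample rows; placeholders only, not the real project's values.
SAMPLE_TABLE = [
    {"source_system": "Microsoft 365", "integration_method": "Graph API",
     "authentication_method": "service principal",
     "data_produced": "mailbox events, remediation state",
     "operational_owner": "messaging team",
     "migration_dependency": "", "cutover_blocker": ""},
    {"source_system": "Abnormal Security", "integration_method": "vendor API",
     "authentication_method": "API token",
     "data_produced": "threat detections",
     "operational_owner": "email security lead",
     "migration_dependency": "Microsoft 365", "cutover_blocker": ""},
    {"source_system": "Monad ETL", "integration_method": "collector",
     "authentication_method": "API token",
     "data_produced": "normalized detection records",
     "operational_owner": "",  # deliberately missing: validate_rows flags it
     "migration_dependency": "Abnormal Security",
     "cutover_blocker": "schema mapping unfinished"},
    {"source_system": "Microsoft Sentinel", "integration_method": "data connector",
     "authentication_method": "managed identity",
     "data_produced": "incidents", "operational_owner": "SOC",
     "migration_dependency": "Monad ETL", "cutover_blocker": ""},
    {"source_system": "Cisco ESA", "integration_method": "syslog",
     "authentication_method": "none (network ACL)",
     "data_produced": "message tracking",
     "operational_owner": "messaging team",
     "migration_dependency": "", "cutover_blocker": ""},
]


def validate_rows(table):
    """Return human-readable problems: missing columns, no owner, dangling dependency."""
    problems = []
    names = {row.get("source_system") for row in table}
    for row in table:
        name = row.get("source_system", "<unnamed>")
        missing = [c for c in COLUMNS if c not in row]
        if missing:
            problems.append(f"{name}: missing columns {missing}")
        if not row.get("operational_owner"):
            problems.append(f"{name}: no operational owner")
        dep = row.get("migration_dependency")
        if dep and dep not in names:
            problems.append(f"{name}: dependency '{dep}' is not a row in the table")
    return problems


def cutover_order(table):
    """Kahn's topological sort: every system appears after the one it depends on.

    Raises ValueError if a cycle or an unknown dependency prevents ordering.
    """
    deps = {row["source_system"]: row.get("migration_dependency", "") for row in table}
    indegree = {name: 0 for name in deps}
    dependents = defaultdict(list)
    for name, dep in deps.items():
        if dep:
            indegree[name] += 1
            dependents[dep].append(name)
    ready = sorted(n for n, d in indegree.items() if d == 0)  # sorted for determinism
    order = []
    while ready:
        name = ready.pop(0)
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        stuck = sorted(set(deps) - set(order))
        raise ValueError(f"cannot order (cycle or unknown dependency): {stuck}")
    return order


def blocked_systems(table):
    """Map each blocked system to the chain of blockers it carries or inherits."""
    deps = {row["source_system"]: row.get("migration_dependency", "") for row in table}
    own = {row["source_system"]: row.get("cutover_blocker", "") for row in table}
    result = {}
    for name in deps:
        chain, current, seen = [], name, set()
        while current and current not in seen:  # walk up the dependency chain once
            seen.add(current)
            if own.get(current):
                chain.append(f"{current}: {own[current]}")
            current = deps.get(current, "")
        if chain:
            result[name] = chain
    return result


if __name__ == "__main__":
    print("problems:", validate_rows(SAMPLE_TABLE))
    print("cutover order:", cutover_order(SAMPLE_TABLE))
    print("blocked:", blocked_systems(SAMPLE_TABLE))
```

Run the checks on every change to the table; a row that fails validate_rows, or a system that appears in blocked_systems, is a concrete item for the next migration meeting rather than a note buried in a spreadsheet.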