Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Introduction
To combat the increasing number of cyberthreats, most Multiple schemas. Disparate schemas
organizations rely on a diverse portfolio of security for alerts and other entities make
solutions: endpoint protection, network firewalls, correlation of security data difficult. Core capabilities
identity and access controls, cloud security, and so on. of the Microsoft
This defense-in-depth strategy offers many security
Graph Security API
Inaccessible context. Critical information
advantages, but gaps may still exist between solutions, about users or devices often lives outside
and these gaps can hinder the organization’s ability Connect your
the organization’s security tools.
security solutions.
to effectively manage vulnerabilities and respond
to threats. By sharing security insights and enabling Build intelligent
The Microsoft Graph Security API greatly simplifies
orchestration across security solutions, organizations security apps.
integration with Microsoft and third-party security
can gain an advantage over today’s adversaries.
solutions. Using one endpoint, one software development
Unify security
kit (SDK), one schema, and one authentication mechanism, management and
Despite the benefits of connecting multiple security customers and partners can easily build integrated incident response.
tools and workflows, integration challenges such security applications, workflows, and analytics.
as the following can add cost and complexity: Automate security
workflows.
This guide provides a comprehensive overview the insights from other security providers,
of the Microsoft Graph Security API, including aggregating alerts into their own dashboards,
common scenarios, and code samples for and enriching them with contextual information
each. The primary audience for this guide is from related entities such as users and hosts.
architects, developers, and scripters/tool smiths This guide helps you:
from the following types of organizations: IT services and system integrators (SIs).
SIs help customers integrate their security Understand Microsoft
Graph and the Microsoft
Independent software vendors (ISVs). ISVs can tools and workflows, implementing security
Graph Security API.
integrate their commercial security products and operations programs and processes.
services with the Microsoft Graph Security API to Get familiar with use
gain visibility into security alerts, secure score, and Enterprises. Enterprises build custom security apps, cases and scenarios
contextual data from Microsoft Graph providers that use the Microsoft
integrate security tools and workflows, and develop
and shared threat intelligence. Optionally, ISVs Graph Security API.
tools and analytics for hunting and detection.
can also become providers to the Microsoft Graph
Connect with additional
Security API as peers to Microsoft providers. documentation,
Partners can integrate their applications with Microsoft
Graph Security API to build connected security solutions. resources, and sample
Managed security service providers (MSSPs) or applications and code
They can also surface their data through the Microsoft
to get started quickly.
managed service providers (MSPs). MSSPs and MSPs Graph Security API to become a security provider.
develop applications to support security management Contact the Microsoft Graph Security team by email at
and monitoring services. They can immediately benefit graphsecfeedback@microsoft.com if you’re interested
from the Microsoft Graph Security API, integrating in onboarding as a Microsoft Graph Security provider.
various security solutions, taking advantage of
Microsoft Graph 3
Microsoft Graph
Microsoft Graph (graph.microsoft.com) is a collection of the information you need. For example, to get the
APIs that together provide a standard unified interface list of important messages for a user, you send a GET
and schema for accessing information from Microsoft request of https://graph.microsoft.com/v1.0/ Documentation
online services (for example, Azure Active Directory me/messages?$filter=importance eq 'high'.
[Azure AD], Office 365, OneDrive, OneNote, Microsoft These APIs are easy to implement; share a common For more information
SharePoint, Microsoft Planner, Microsoft Intune, etc.) authentication framework based on OpenID Connect, about Microsoft
and third-party vendors (in applicable APIs). This single OAuth 2.0, and a Web Representational State Transfer Graph, see Use the
connection point (graph.microsoft.com) is the root for (REST) API with standard JavaScript Object Notation Microsoft Graph API.
the other namespaces assigned to the services accessible (JSON) response formats; and support a variety of
through the Microsoft Graph API. You can simply add platforms, with easy-to-use SDKs and code samples.
additional namespaces and filtering elements to get
Microsoft Graph Security API 4
Part of Microsoft Graph, the Microsoft Graph Security and identity, through Secure Score Control Profiles.
API integrates with security solutions from Microsoft Scores and profiles are available from each security Frequently asked
and partners in a federated model; it can also be used provider that offers them—valuable information that
in conjunction with other Microsoft Graph entities to can help guide vulnerability remediation actions The Microsoft Graph
gain additional context (for example, Office 365 and based on the suggested actions available in each Security API is not
Azure AD). The API has multiple entities, including: profile. By default, 90 days of data is retained. about security for
Microsoft Graph. This
API provides security
Alerts from multiple security solutions, each Example Query data across different
representing that potentially malicious activity security products running
has been detected within the organization.
GET https://graph.microsoft.com/v1.0/ in your organization.
security/secureScores?$top=1
Example Query
No extra cost
GET https://graph.microsoft.com/v1.0/
Threat intelligence indicators refer to information
security/alerts?$filter=severity eq 'high' about known threats, such as malicious IP addresses,
An Azure subscription
domains, or URLs. Organizations can send their threat
is all you need to use
intelligence to targeted Microsoft services to enable the Microsoft Graph
Secure Score provides information about an custom detections. An action can be specified for each Security API. There is no
organization’s security posture, including a numeric indicator (either block, alert, or allow) signaling to the additional cost. Access
rating based on elements like the enabled security target solution what action to take on that indicator. to data from third-party
service providers may
features in your environment and outstanding security
require corresponding
risks. This score is available at the tenant level as subscriptions with
well as at a specific control area, such as device, app, those vendors.
Microsoft Graph Security API 5
The following is a
Authentication complete example:
Security actions provide the ability to perform
tasks pertaining to specific alerts, such as The API adopts a standard schema for authentication https://graph.microsoft.
com/v1.0/security/
allowing or blocking an IP address and taking based on OpenID Connect, OAuth 2.0, and a Web REST
alerts?$filter=severity
actions through providers like Microsoft API with standard JSON response formats. Security
eq 'high'
Defender Advanced Threat Protection (ATP). data accessible through the Microsoft Graph Security
API is protected using both permissions and Azure AD
roles. Because Microsoft Graph is authenticated to
Microsoft Graph Security API 6
your or your customer’s domain through Azure AD, for the application to access the data. Choose
only people and applications with the appropriate this option for managed services scenarios or if Authentication
permissions can gain access to the security data or take your enterprise has multiple registered tenants.
actions on your or your customer’s security data by Authentication is required
using the Microsoft Graph Security API. The Microsoft only once. This behavior
To access security data by using the
enables developers to
Graph Security API can be accessed in two ways: Microsoft Graph Security API: build solutions that
authenticate once and
By an application in Application Only mode, where The application must be registered in Azure AD, make a single API call
no user is signed in or the application manages which is the responsibility of the application to access or act on
user access (for example, a security information security insights from
developer or the Azure AD tenant administrator.
multiple sources.
and event management [SIEM] system)
While registering your application, choose Next, the Azure AD tenant administrator must
one of the following for your application: consent to the permissions requested.
Single-tenant application. The application can If users are associated with the application, ISV recommendation
access data in its Azure AD tenant only. Choose the Azure AD tenant administrator will need
this option for customized solutions that are to add them to the appropriate Security If you are an ISV,
scoped to run in your organizational tenant only. Reader role (User-delegated mode). recommend that your
customers register the
Multitenant application. The same application application in their own
For more detailed information about security
can access data from multiple tenants, provided tenant. Your customer
authorization, please see Authorization and
can choose to run
that the respective tenant administrator consents the Microsoft Graph Security API. in single-tenant or
multitenant mode.
Microsoft Graph Security API 7
Apps Scenarios
Figure 1
Connect to the API Pull data into Power BI reports. Power BI can connect
natively to the Microsoft Graph Security API as a data
source and pull in security-related information. For
The Microsoft Graph Security API does not have a
more information about how to connect to the API
user interface, but you can access the API through
within Power BI, visit the Tech Community; visit the Graph Explorer
sample applications and Graph Explorer. In addition,
Microsoft Graph Security API in Power BI Desktop for
you can connect to the API in the following ways:
prerequisites and required permission configuration. Graph Explorer does not
support application-level
Write code. Build a solution based on the authorization. User-
Microsoft Graph Security API by relying on the Connect using Jupyter Notebooks through Azure delegated permissions
Notebooks. You can use Jupyter Notebooks to access must be granted before
SDKs Microsoft has made available to developers
Microsoft Graph Security API entities. For notebook users can work with the
on GitHub. These SDKs are available in ASP.NET,
samples of how you can do this, visit Microsoft Microsoft Graph Security
Xamarin, Java, JavaScript, Angular, PHP, and more.
Graph Security API Jupyter Notebook Samples. API. If a user is calling the
Samples and other resources can also be found API from Graph Explorer:
in the Microsoft Graph Resources library.
Integrate with security solutions. Use connectors for The Azure AD tenant
SIEM, SOAR, and other security solutions like Splunk administrator must
Connect using scripts. You can find PowerShell
and IBM QRadar to consume alerts through the explicitly grant consent
cmdlets on GitHub for use in connecting to the
Microsoft Graph Security API. For more information for the requested
Microsoft Graph Security API. Examples of how to use permissions to the
about using these connectors, see Integrate by
those cmdlets can be found in the Tech Community. Graph Explorer
using Microsoft Graph Security API connectors.
application.
Use code-free automation tools. Use Microsoft
Use Microsoft Graph Security–integrated The user must be a
Graph Security API connectors for Azure Logic member of the Security
applications. Use solutions that already
Apps, Microsoft Flow, and PowerApps to build Reader Limited Admin
integrate with the Microsoft Graph Security API.
code-free workflows that use data from the role in Azure AD (either
If you aren’t sure which solutions are currently Security Reader or
Microsoft Graph Security API. Examples of
integrated with the API, see the Microsoft Security Administrator).
these workflow in action can be found in the
Graph Security API partnerships page.
Tech Community. For more information, see
https://aka.ms/graphsecurityconnectors.
7 scenarios that use the Microsoft Graph Security API 9
An analyst receives a list of recent alerts from their security Graph Security API and assigns them for investigation
providers through an app integrated with the Microsoft by updating an alert. The incident management system
7 scenarios that use the Microsoft Graph Security API 10
associated with these alerts is also integrated with the in the security provider’s solution are automatically
API, so security incidents corresponding to these alerts reflected in the ticketing system: The analyst doesn’t
are already in the system. Because both systems are have to sign in and update the tickets with alert
integrated with the API, the assignments that were made assignments to keep it in sync with the security provider.
PATCH https://graph.microsoft.com/v1.0/security/alerts/{alert_id}
Content-type: application/json
Code-free options
{
"assignedTo": "LoriPenor",
You can simplify security
"vendorInformation": {
automation and reporting
"provider": "String",
with connectors for Azure
"vendor": "String" Logic Apps, Microsoft
} Flow, PowerApps,
} and Power BI, quickly
building playbooks to
orchestrate security tasks
across solutions—no
3. Automate security response workflows code required. For more
information, visit the
An alert about a malicious IP address triggers an same IP address. The runbook sends an automated Microsoft Tech Community.
automated workflow or runbook in the organization’s email with options and the alert details to the analyst.
security automation platform. The workflow, which The analyst can then review the alerts associated
calls the Microsoft Graph Security API by using one with the IP address and decide whether to block it.
of the many available connectors, correlates the IP Selecting Yes invokes the Microsoft Graph Security
address in the alert with other alerts that share the action in the runbook to block the specific IP address.
7 scenarios that use the Microsoft Graph Security API 11
An analyst receives an alert from a security provider been compromised by malware running on their device.
about a user. They query all security providers through To assess the potential scope, the analyst queries for a list
the Microsoft Graph Security API for a complete view of of devices registered to the user and a list of the security
all alerts related to this user. Based on the alerts returned, groups of which the user is a member. The analyst can
the analyst concludes that the user’s credentials have temporarily block access until the user’s device can be
7 scenarios that use the Microsoft Graph Security API 12
scrubbed and the password reset. The analyst can also query for any alerts related to the same malware to look
for other potentially compromised devices and users.
GET users/janedoe@contoso.com/registeredDevices?$select=displayName
Example query—Get the risk score for the machine being reviewed
The IT director reads about a new type of malware to the IT department can address the vulnerability. The threat
which the company could be vulnerable. The team is indicator is sent to integrated Microsoft solutions using
actively patching the vulnerabilities that this malware the Microsoft Graph Security API. The Microsoft solution
exploits, but the director wants to add the malware’s file can then alert the organization if the file is detected.
hash as an indicator, just in case it finds its way in before
POST beta/security/tiIndicators/
Content-type: application/json Documentation
{
"action": "alert",
To learn more about
"confidence": 0, the entities available
"description": "MD5 hash on watch while system vulnerabilities being addressed", through the API, see
"expirationDateTime": "2019-03-01T21:43:37.5031462+00:00", Use the Microsoft
"externalId": "CUSTOM-MD5-Indicator", Graph Security API.
"fileHashType": "MD5",
"fileHashValue": "fe8a8226a4cfd0deffe209069a7e64d908b74de8",
"severity": 0,
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green"}
7 scenarios that use the Microsoft Graph Security API 14
An IT organization has an initiative to improve its By querying the Microsoft Graph Security API secure score
security posture. The IT director wants to know entity, the IT director can quickly retrieve the most recent
the Microsoft Secure Score of the environment so summarized Microsoft Secure Score by provider, and then
that they can make a plan to improve those scores query the individual secure score control profiles that have
(and therefore the company’s security posture) in a high impact to start planning changes to improve the
the coming quarter. In addition to the summary overall score. Likewise, the IT directory may want to view
by provider, the director wants a breakdown from the individual control profile for high-value devices, like a
each individual area that has a high impact. device that belongs to the chief information officer (CIO).
GET /security/secureScores?$top=1
Example query—Get all secure score control profiles that have a high user impact
A CIO needs information about security-related events in The IT director opens Power BI and connects to the
the organization to share with the leadership team in their Microsoft Graph Security API by using the connector to
weekly meeting. The CIO asks the IT director to provide start creating reports (Figure 2 on page 15). The first
this information in the form of easily consumable graphs graph, Alerts by Security Products, shows the alerts that
that can be placed in a Microsoft PowerPoint slide deck. each security product received this week. The second
graph, Alerts by Users, shows the users most affected
7 scenarios that use the Microsoft Graph Security API 15
Figure 2
Create reports in
Power BI by connecting
it to the Microsoft
Graph Security API.
© 2019 Microsoft Corporation. All rights reserved. This document
is for informational purposes only. Microsoft makes no warranties,
express or implied, with respect to the information presented here.