As enterprises add more security layers to protect their environments, one underpinning technology helps IT to connect the dots if a security incident occurs.
Administrators have experienced management growing pains when the organization enlists more cloud services, but the Microsoft Graph is the company’s recent initiative to provide a consistent way to gather information from multiple cloud platforms. Microsoft Graph is an API that streamlines administrative access to objects and resources in Azure, Office 365/Microsoft 365 and other cloud-based services from Microsoft. As part of this effort, the Microsoft Graph Security API offers a single programmatic interface to connect security products from Microsoft and its partners. By combining Microsoft Graph Security with PowerShell, admins can automate alerts to take action if a security incident occurs.
Cyber attacks continue to intensify and hit enterprises around the world. In many cases, organizational or infrastructure damage has already occurred before any identification of a data or security breach is completed. The Microsoft Graph Security extends existing security applications and products to correlate security alerts from multiple sources to help the organization uncover threats and unlock contextual data to provide insights and prevent further damage.
Microsoft also offers the Intelligent Security Graph, which gathers general security intelligence from Microsoft, global security operations centers and Microsoft security partners. This integration links security platforms and services that use machine learning and behavioral monitoring for additional assistance with protection, detection and response to security threats. The Microsoft Graph Security connects organizations directly to the Intelligent Security Graph.
The Microsoft Graph Security does not apply security policies but gives organizations easier access to security-related data from multiple sources. It helps organizations and partners to integrate or build applications to perform various security functions, including:
The Microsoft Graph Security has multiple core entities to query: alerts, information protection, threat indicators, security actions and Secure Score.
Each supported entity provides an endpoint within Microsoft Graph Security. The easiest way to test the Microsoft Graph Security is to use the Graph Explorer available at this link. Admins can use this online tool for different security-related jobs, such as testing Microsoft Graph endpoints, which include Graph Security.
To use the Graph Explorer, sign in as a global administrator or with an account with rights to retrieve security information. Accept the permissions request by either granting consent for just the logged-in account or for the entire organization. Next, set the version of the graph and the specific URL of the data to retrieve. For this example, set the HTTP method to GET, select beta for the Microsoft Graph version and enter https://graph.microsoft.com/beta/security/alerts for the URL.
Once completed, click Run query to retrieve the results. If a 401 error occurs, click the Modify permissions tab and check the missing permissions.
Grant consent, then reissue the same query. If there are alerts within the tenant, the query will return results in JavaScript Object Notation (JSON) format. The advantages of JSON are it loads fast, is easy to query and is simple to import to other applications.
The Graph Explorer offers several prebuilt queries, including several in the Security category, that show the capabilities of the Microsoft Graph Security API. Use of filters and values in queries sends customized calls to the Microsoft Graph Security to extract specific information, such as showing only new alerts or just the high-severity alerts.
The Graph Explorer is helpful to test the available endpoints, but it is not the best way to view the information. There are multiple connectors to use with Microsoft Graph Security, including Power Automate (formerly Microsoft Flow) and Power BI, but PowerShell is another excellent option to query Graph Security data. To get started, use the following configuration steps to perform app registration in Azure Active Directory:
To start using PowerShell with the Microsoft Graph Security, import the PowerShell module and start the connection.
When prompted, use the account login and the application ID from the app registration.
Next, now query specific information such as alerts and the Secure Score details. To query all or specific alerts, try the following commands:
PowerShell’s integration capabilities let admins export alerts locally and inspect them within other platforms as needed. Different approaches provide integration with Azure Logic Apps, Power Automate, Power BI and programming languages, such as Python, C#, NodeJS and .NET.
Microsoft’s Graph Security also supports common integration types, including Security Incident and Management, Security Response and Orchestration, and Incident Tracking and Service Management.
Part of: Microsoft cloud service management guide for Windows admins
The security product, formerly Azure Advanced Threat Protection, taps into the cloud to uncover suspicious activity across the on-premises network.
The admin center lags behind PowerShell when it comes to Microsoft Teams policy management due to the automation tool’s superior logging and visibility features.
The API assists organizations that want to connect their security systems with a programmatic way to produce quicker results when performing investigations.
When things go right, Azure Spot VMs are a good investment to save money. However, users need a greater understanding of how …
As businesses digitally transform across increasingly distributed environments, know the benefits, challenges, similarities and …
Azure Blueprints helps companies with strict compliance needs in Azure environments, while Terraform is a versatile tool that …
Intel’s Core Ultra CPUs now contain embedded AI neural processing, which adds options for device manufacturers to divide demand …
UEM software is vital for helping IT manage every type of endpoint an organization uses. Explore some of the top vendors and how …
These 12 tools approach patching from different perspectives. Understanding their various approaches can help you find the right …
For IT to choose between desktop as a service vs. VDI, they’ll need to decide what’s more important — security and control or …
Broadcom officially intends to divest itself of VMware EUC, leaving questions about where the end user computing division and …
AWS bowed a new entry into the thin client space, which appeals to a limited audience of Amazon WorkSpaces-based orgs. What we …
All Rights Reserved, Copyright 2000 – 2023, TechTarget
Privacy Policy
Cookie Preferences
Do Not Sell or Share My Personal Information
Leave a Reply