As organizations deploy additional security controls to combat today's evolving threats, integration challenges often limit the return on investment. The new security API in Microsoft Graph makes it easier for enterprise developers and ISVs to unlock insights from these solutions by unifying and standardizing alerts for easier integration and correlation, bringing together contextual data to inform investigations, and enabling automation for greater SecOps efficiency. We will walk through real-world examples of applications that use the security API to help customers realize the full value of their security investments.
6. Unified gateway to security insights and actions across Microsoft products, services, and partners
Unify and standardize alert management
Automate SecOps for greater efficiency
Unlock security context to drive investigation
7. Alerts
Security Profiles: Host | User | File | App | IP
Actions, Configurations
Insights and relationships
Authentication: OAuth 2.0 and OpenID Connect 1.0
Providers: Azure AD Identity Protection, Intune, Windows Defender ATP, Office 365 ATP, Cloud App Security, Azure ATP, Azure Security Center, Azure Information Protection, Ecosystem Partners
Other Microsoft Graph Services: Office 365 | Intune | Active Directory | More…
Users, Groups, Mail, Files, Calendar
8. Customers control access to their security data
App Access
Customer grants permission for the application to access their data via the Security API in AAD
Requests are brokered by the Security API; no data is stored
Access can be revoked by the customer at any time
Resources
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#security-permissions
https://techcommunity.microsoft.com/t5/Using-Microsoft-Graph-Security/Authorization-and-Microsoft-Graph-Security-API/m-p/184376#M2
User Access
User permissions can be managed in either of the following ways:
Delegated access: customer assigns users to AAD role(s): Security Reader or Security Administrator
App only: application implements role-based access for users
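The two models above are visible in the access token itself: an app-only token issued through client credentials carries application permissions in the roles claim, while a delegated token carries the user's consented scopes in the space-separated scp claim. The following added example (not code from the deck or from the Microsoft Graph SDKs) decodes a token's payload to tell the two apart and to check whether a Security API permission is present. The sample tokens are constructed and unsigned; the permission names are from the permissions reference linked above, and the decode step deliberately performs no validation, so signature, issuer, audience and expiry must still be checked by the normal token validation path.

```python
import base64
import json

# Security API permission names from the permissions reference linked above.
# Only the two alert-reading permissions are listed here for the example.
SECURITY_PERMISSIONS = {"SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All"}


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unvalidated_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT without checking its signature.
    Use this only to decide which permission model a token represents;
    signature, issuer, audience and expiry still go through full validation
    before anything in the token is trusted."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def access_model(claims: dict) -> str:
    """Azure AD puts application permissions in 'roles' (app-only token)
    and delegated scopes in the space-separated 'scp' claim."""
    if claims.get("roles"):
        return "app-only"
    if claims.get("scp"):
        return "delegated"
    return "none"


def security_permissions(claims: dict) -> set:
    """Security API permissions actually present in the token."""
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return granted & SECURITY_PERMISSIONS


def can_read_alerts(claims: dict) -> bool:
    """True if the token carries a permission that covers reading alerts.
    In the delegated model this is necessary but not sufficient: the signed-in
    user must also hold the Security Reader or Security Administrator role,
    which the API enforces per request and which the token does not show."""
    return bool(security_permissions(claims))


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token for exercising the checks above.
    Real tokens are signed by Azure AD; this one has an empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed samples: one token per permission model, plus one with no
# Security API permission at all.
APP_ONLY = make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["SecurityEvents.Read.All"]})
DELEGATED = make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read SecurityEvents.ReadWrite.All"})
NO_SECURITY = make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read"})
```

The split between roles and scp is also why an app-only integration has to implement its own per-user authorization (the "App only" bullet above): nothing in that token identifies a user, so the role check that Azure AD performs for delegated callers has to happen in the application.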
9. Security dashboards
Surface aggregated alerts in security operations dashboards along with rich contextual information about related entities
Security operations tools
Stream alerts in near real-time to a ticketing or IT management system, keep alert status and assignments in sync, automate common tasks
Threat protection solutions
Correlate alerts and contextual information for improved detections, take action on threats - block an IP on firewall, run AV scan…
Other applications
Add security functionality to non-security applications – HR, financial, healthcare apps…
Integration Partners
Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.
Alerts from the Microsoft Graph will combine with Palo Alto Networks threat data to speed detection and prevention of cyberattacks for our shared customers.
PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.
12. Unlock security context: /security/securityProfiles (Host | User | File | App | IP)
C# SDK: graphClient.Security.UserSecurityProfiles.Request().Filter("userPrincipalName eq 'janedoe@contoso.com'")
REST: GET …/hostSecurityProfiles?$filter=fqdn eq 'johnedoe-surfpro.contoso.com'&$select=riskScore
REST: GET …/fileSecurityProfiles?$filter=sha256 eq '091835b16192e526ee1b8a04d0fcef534b44cad306672066f2ad6973a4b18b19'
REST: GET …/hostSecurityProfiles?$select=platform,osVersion
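Every query above embeds a caller-supplied value (a UPN, an FQDN, a hash) inside an OData $filter string literal. If that value comes from a dashboard search box or a ticket field and is pasted in unescaped, a single quote in it ends the literal and the rest of the input becomes filter syntax, turning a lookup of one host into a query over the whole collection. The following added example (not code from the deck or the Graph SDKs) builds the securityProfiles URLs shown above with the OData escape rule (a quote inside a literal is doubled), a whitelist on property names so that only values come from the caller, and a shape check on sha256 values. The base URL and the three collection names are taken from the deck; it also lists App and IP profiles, whose collection names are not on the page and are therefore left out.

```python
import re
from urllib.parse import quote

GRAPH_SECURITY = "https://graph.microsoft.com/beta/security"

# Collections the deck queries. App and IP profiles are listed on the slide
# but their collection names are not, so they are not whitelisted here.
PROFILE_COLLECTIONS = {"hostSecurityProfiles", "userSecurityProfiles", "fileSecurityProfiles"}
PROPERTY_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def odata_string(value: str) -> str:
    """Quote a string literal for $filter. OData escapes a single quote inside
    a literal by doubling it; without this, a caller-supplied value such as
    x' or fqdn ne '  terminates the literal and rewrites the filter."""
    return "'" + value.replace("'", "''") + "'"


def build_filter(conditions: dict) -> str:
    """property eq 'value' [and ...]. Property names are restricted to an
    identifier shape so operators can only ever come from this function."""
    clauses = []
    for prop, value in conditions.items():
        if not PROPERTY_NAME.match(prop):
            raise ValueError(f"bad property name: {prop!r}")
        if prop == "sha256" and not SHA256_HEX.match(value):
            raise ValueError("sha256 must be 64 hex characters")
        clauses.append(f"{prop} eq {odata_string(value)}")
    return " and ".join(clauses)


def profile_url(collection: str, conditions: dict = None, select=None) -> str:
    """GET URL for one securityProfiles collection. Query values are
    percent-encoded (spaces and quotes included); the $-prefixed system query
    option names stay literal, as the deck shows them."""
    if collection not in PROFILE_COLLECTIONS:
        raise ValueError(f"unknown collection: {collection}")
    options = []
    if conditions:
        options.append("$filter=" + quote(build_filter(conditions), safe=""))
    if select:
        options.append("$select=" + quote(",".join(select), safe=","))
    url = f"{GRAPH_SECURITY}/{collection}"
    return url + ("?" + "&".join(options) if options else "")


# Constructed input: a UPN that tries to break out of the literal.
HOSTILE_UPN = "janedoe@contoso.com' or userPrincipalName ne '"
```

With the escape applied, the hostile UPN is sent as one literal that matches nothing, rather than as a second clause that matches every user. The same builder reproduces the deck's host query with riskScore selected and the $select-only platform/osVersion query.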
13. Automate security operations: /security/actions
REST: POST graph.microsoft.com/beta/security/actions?$ref
{
  "id": "7f590b04-0cb3-478f-88ca-974a8bb5a46f",   // (required) id of the SecurityProfile entity to act upon
  "provider": "MCAS",                               // (required) security provider to take the action
  "name": "restrictAccess",                         // provider-specific action metadata
  "cloudService": "OneDrive"                        // provider-specific action metadata
}
14. Automate security configurations: /security/configuration
REST: POST graph.microsoft.com/beta/security/configuration?$ref
{
  "provider": "intune",                                      // (required) security provider that applies the configuration
  "name": "microsoft.graph.iosGeneralDeviceConfiguration",   // (required) configuration setting to modify
  "displayName": "iOS Lock Policy",                          // provider-specific configuration metadata
  "description": "My iOS Policy",                            // provider-specific configuration metadata
  "lockScreenBlockNotificationView": true                    // provider-specific configuration metadata
}
16. Public Preview (available now)
Beta of Security API in Microsoft Graph
Client C# SDK available for integration
Code samples for C# and Python
Support for Alerts from Azure Security Center and Azure Active Directory Identity Protection, with Intune and Azure Information Protection coming soon
Unified SIEM integration through Azure Monitor (QRadar, Splunk, SumoLogic)
Developer forums on Microsoft Tech Community & Stack Overflow
General Availability (H2 2018)
Onboarding additional Microsoft and ecosystem products
Unlock new security context through Security Inventory
Adding automation through Actions and Configuration
Provider SDK and documentation for broad ecosystem integration
Additional client SDKs and sample code through Microsoft Graph
17. Channel 9 videos
Lab
Live demos in the Microsoft Graph booth, Expo
WRK2506: How to Build Security Applications using the Microsoft Graph API
Tuesday, 3:00 PM-4:15 PM
TCC: Tahoma 2
18. Documentation
Read the documentation
https://aka.ms/graphsecuritydocs
Learn how to stream alerts to your SIEM
https://aka.ms/graphsecuritySIEM
GitHub
Get started with C# samples
https://aka.ms/graphsecurityaspnet
Get started with Python samples
https://aka.ms/graphsecuritypython
Download the C# SDK
https://aka.ms/graphsecuritysdk
Communities
Join the Tech Community
https://aka.ms/graphsecuritycommunity
Follow the discussion on Stack Overflow
https://stackoverflow.com/questions/tagged/microsoft-graph-security
https://aka.ms/graphsecurityapi