Improve threat protection by integrating security operations with Microsoft Graph Security & Azure Logic Apps

With Azure Logic Apps and the Microsoft Graph Security connector, you can improve how your app detects, protects, and responds to threats by creating automated workflows for integrating Microsoft security products, services, and partners. For example, you can create Azure Security Center playbooks that monitor and manage Microsoft Graph Security entities, such as alerts. Here are some scenarios supported by the Microsoft Graph Security connector:

  • Get alerts based on queries or by alert ID. For example, you can get a list that includes high severity alerts.
  • Update alerts. For example, you can update alert assignments, add comments to alerts, or tag alerts.
  • Monitor when alerts are created or changed by creating alert subscriptions (webhooks).
  • Manage your alert subscriptions. For example, you can get active subscriptions, extend the expiration time for a subscription, or delete subscriptions.

Your logic app's workflow can use actions that get responses from the Microsoft Graph Security connector and make that output available to other actions in your workflow. You can also have other actions in your workflow use the output from the Microsoft Graph Security connector actions. For example, if you get high severity alerts through the Microsoft Graph Security connector, you can send those alerts in an email message by using the Outlook connector.

To learn more about Microsoft Graph Security, see the Microsoft Graph Security API overview. If you're new to logic apps, review What is Azure Logic Apps?. If you're looking for Microsoft Flow or PowerApps, see What is Flow? or What is PowerApps?

Prerequisites

  • An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.

  • To use the Microsoft Graph Security connector, you must have explicitly given Azure Active Directory (AD) tenant administrator consent, which is part of the Microsoft Graph Security Authentication requirements. This consent requires the Microsoft Graph Security connector's application ID and name, which you can also find in the Azure portal:

    Property           Value
    Application Name   MicrosoftGraphSecurityConnector
    Application ID     c4829704-0edc-4c3d-a347-7c4a67586f3c

    To grant consent for the connector, your Azure AD tenant administrator can follow either of these steps:

  • Basic knowledge about how to create logic apps

  • The logic app where you want to access your Microsoft Graph Security entities, such as alerts. Currently, this connector has no triggers. So, to use a Microsoft Graph Security action, start your logic app with a trigger, for example, the Recurrence trigger.

Connect to Microsoft Graph Security

Before your logic app can access any service, you must create a connection between your logic app and that service. If you didn't previously create this connection, you're prompted for connection information when you add a trigger or action for that service to your logic app. The Logic Apps Designer provides an easy way for you to create this connection directly from your logic app.

  1. Sign in to the Azure portal, and open your logic app in Logic App Designer, if not open already.

  2. For blank logic apps, add the trigger and any other actions you want before you add a Microsoft Graph Security action.

    -or-

    For existing logic apps, under the last step where you want to add a Microsoft Graph Security action, choose New step.

    -or-

    To add an action between steps, move your pointer over the arrow between steps. Choose the plus sign (+) that appears, and select Add an action.

  3. In the search box, enter "microsoft graph security" as your filter. From the actions list, select the action you want.

  4. Sign in with your Microsoft Graph Security credentials.

  5. Provide the necessary details for your selected action and continue building your logic app's workflow.

Add actions

Here are more specific details about using the various actions available with the Microsoft Graph Security connector.

Manage alerts

To filter, sort, or get the most recent results, provide only the OData query parameters supported by Microsoft Graph. Don't specify the complete base URL (for example, https://graph.microsoft.com/v1.0/security/alerts) or the HTTP operation (GET or PATCH). Here's a specific example that shows the parameter for a Get alerts action when you want a list of high severity alerts:

    Filter alerts    Severity eq 'high'

For more information about the queries you can use with this connector, see the Microsoft Graph Security alerts reference documentation. To build enhanced experiences with this connector, learn more about the alert schema properties that the connector supports.

Action            Description
Get alerts        Get alerts filtered based on one or more alert properties, for example:
                  provider eq 'Azure Security Center' or provider eq 'Palo Alto Networks'
Get alert by ID   Get a specific alert based on the alert ID.
Update alert      Update a specific alert based on the alert ID.

To make sure you pass the required and editable properties in your request, see the editable properties for alerts. For example, to assign an alert to a security analyst so they can investigate, you can update the alert's Assigned to property.

Manage alert subscriptions

Microsoft Graph supports subscriptions, or webhooks. To get, update, or delete subscriptions, provide the OData query parameters supported by Microsoft Graph in the Microsoft Graph entity construct: specify security/alerts followed by the OData query. Don't include the base URL, for example, https://graph.microsoft.com/v1.0. Instead, use the format in this example:

security/alerts?$filter=status eq 'New'

Action                    Description
Create subscriptions      Create a subscription that notifies you about any changes. You can filter this subscription for the specific alert types you want. For example, you can create a subscription that notifies you about high severity alerts.
Get active subscriptions  Get unexpired subscriptions.
Update subscription       Update a subscription by providing the subscription ID. For example, to extend your subscription, you can update the subscription's expirationDateTime property.
Delete subscription       Delete a subscription by providing the subscription ID.
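The following Python module is an added example, not code from this page or from the Microsoft Graph Security connector itself. It shows the requests that the Manage alerts and Manage alert subscriptions actions above wrap: it enforces the rule that you pass only the OData query (never the base URL or the HTTP operation), builds the Get alerts, Update alert, Create subscription, and Update subscription requests, and derives the subscription resource string in the security/alerts?$filter=... form. Nothing here touches the network; each function returns a request description you can inspect or hand to an HTTP client. The editable alert property names and the vendorInformation requirement on an alert PATCH come from the Microsoft Graph Security alerts reference as I know it and should be checked against that reference; the alert ID, subscription ID, notification URL, and clientState values are constructed sample data.

```python
"""Added example: request builders mirroring the Microsoft Graph Security
connector actions. Not the connector's own code; see the lead-in."""
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://graph.microsoft.com/v1.0"   # base URL: the connector adds this for you
ALERTS_PATH = "security/alerts"
SUBSCRIPTIONS_PATH = "subscriptions"
HTTP_VERBS = ("GET ", "POST ", "PATCH ", "DELETE ")
# Editable alert properties per the Graph Security alerts reference (verify there).
EDITABLE_ALERT_PROPERTIES = {"assignedTo", "closedDateTime", "comments", "feedback", "status", "tags"}


def check_query_fragment(fragment: str) -> str:
    """Accept an OData expression such as "Severity eq 'high'"; reject input that
    smuggles in the base URL or an HTTP operation, which the connector must not receive."""
    text = fragment.strip()
    lowered = text.lower()
    if lowered.startswith(("http://", "https://")) or "graph.microsoft.com" in lowered:
        raise ValueError("pass only the OData query, not the base URL")
    if text.upper().startswith(HTTP_VERBS):
        raise ValueError("pass only the OData query, not the HTTP operation")
    return text


def is_valid_query_fragment(fragment: str) -> bool:
    """Boolean form of check_query_fragment, handy for input validation in a workflow."""
    try:
        check_query_fragment(fragment)
        return True
    except ValueError:
        return False


def _graph_time(moment: datetime) -> str:
    """Graph expects UTC ISO 8601 with a trailing Z."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def get_alerts_request(filter_expr=None, orderby=None, top=None) -> dict:
    """Get alerts action: GET security/alerts with OData query parameters only."""
    params = {}
    if filter_expr:
        params["$filter"] = check_query_fragment(filter_expr)
    if orderby:
        params["$orderby"] = check_query_fragment(orderby)
    if top is not None:
        params["$top"] = str(int(top))
    return {"method": "GET", "url": f"{GRAPH_BASE}/{ALERTS_PATH}", "params": params, "body": None}


def get_alert_by_id_request(alert_id: str) -> dict:
    """Get alert by ID action."""
    return {"method": "GET", "url": f"{GRAPH_BASE}/{ALERTS_PATH}/{alert_id}", "params": {}, "body": None}


def update_alert_request(alert_id: str, provider: str, vendor: str, **changes) -> dict:
    """Update alert action: PATCH only editable properties; Graph requires
    vendorInformation so the update is routed to the alert's provider."""
    unknown = set(changes) - EDITABLE_ALERT_PROPERTIES
    if unknown:
        raise ValueError(f"not editable on an alert: {sorted(unknown)}")
    body = dict(changes)
    body["vendorInformation"] = {"provider": provider, "vendor": vendor}
    return {"method": "PATCH", "url": f"{GRAPH_BASE}/{ALERTS_PATH}/{alert_id}", "params": {}, "body": body}


def subscription_resource(filter_expr: str) -> str:
    """Resource string for the subscription actions: security/alerts plus the OData query."""
    return f"{ALERTS_PATH}?$filter={check_query_fragment(filter_expr)}"


def create_subscription_request(filter_expr: str, notification_url: str, client_state: str,
                                lifetime_hours: int = 24, now: datetime = None) -> dict:
    """Create subscriptions action: webhook for created/updated alerts matching the filter.
    clientState lets the webhook receiver verify that a notification really came from Graph."""
    now = now or datetime.now(timezone.utc)
    body = {
        "changeType": "created,updated",
        "notificationUrl": notification_url,
        "resource": subscription_resource(filter_expr),
        "expirationDateTime": _graph_time(now + timedelta(hours=lifetime_hours)),
        "clientState": client_state,
    }
    return {"method": "POST", "url": f"{GRAPH_BASE}/{SUBSCRIPTIONS_PATH}", "params": {}, "body": body}


def extend_subscription_request(subscription_id: str, current_expiration: str, extra_hours: int) -> dict:
    """Update subscription action: push expirationDateTime forward by extra_hours."""
    current = datetime.fromisoformat(current_expiration.replace("Z", "+00:00"))
    body = {"expirationDateTime": _graph_time(current + timedelta(hours=extra_hours))}
    return {"method": "PATCH", "url": f"{GRAPH_BASE}/{SUBSCRIPTIONS_PATH}/{subscription_id}",
            "params": {}, "body": body}


if __name__ == "__main__":
    # Constructed sample values; no real tenant, alert or webhook is involved.
    print(get_alerts_request("Severity eq 'high'", orderby="createdDateTime desc", top=10))
    print(update_alert_request("sample-alert-id", "Azure Security Center", "Microsoft",
                               assignedTo="analyst@contoso.example"))
    print(create_subscription_request("status eq 'New'", "https://hooks.contoso.example/graph",
                                      "constructed-client-state", lifetime_hours=48))
```

In a logic app the same checks belong in a Condition action in front of the Microsoft Graph Security action, so that a filter string coming from a previous step (a form, a ticket, another API) cannot carry a base URL or verb into the connector. The clientState in the subscription body is what a webhook receiver compares on every notification before acting on it.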

Connector reference

For technical details about triggers, actions, and limits, which are described by the connector's OpenAPI (formerly Swagger) description, review the connector's reference page.

Get support

For questions, visit the Azure Logic Apps forum. To submit or vote on feature ideas, visit the Logic Apps user feedback site.

Next steps

Learn about other Logic Apps connectors