Use the Microsoft Graph Security API

  • 3 minutes to read
  • Contributors
    • Preeti Krishna
    • Edward Koval
    • Jeremy Thake (Microsoft)
    • Office GSX
    • Linda Caputo

The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph Security API to build applications that:

  • Consolidate and correlate security alerts from multiple sources
  • Unlock contextual data to inform investigations
  • Automate security tasks, business processes, workflows, and reporting
  • Send threat indicators to Microsoft products for customized detections
  • Invoke actions to in response to new threats
  • Provide visibility into security data to enable proactive risk management

The Microsoft Graph Security API includes the following key entities.

Alerts

Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph Security alerts entity, you can unify and streamline management of security issues across all integrated solutions. This also enables applications to correlate alerts and context to improve threat protection and response. With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph Security API by updating your alerts entity.

Alerts from the following providers are available via the Microsoft Graph Security API. Support for GET alerts, PATCH alerts (updates are available via the Microsoft Graph Security API but might not be exposed in the provider’s management experience), and Subscribe (via webhooks) is indicated in the following table.

Security provider

GET alert

PATCH alert

Subscribe to alert
Azure Security Center

Azure Active Directory Identity Protection

Microsoft Cloud App Security

Windows Defender Advanced Threat Protection

File issue

Azure Advanced Threat Protection

File issue

File issue

Office 365

File issue

File issue

Azure Information Protection (preview)

Azure Sentinel (preview)

File issue

File issue

Palo Alto Networks

File issue

File issue

Note: New providers are continuously onboarding to the Microsoft Graph Security ecosystem. To request new providers or for extended support from existing providers, file an issue in the Microsoft Graph Security GitHub repo.

Common use cases

The following are some of the most popular requests for working with the Microsoft Graph Security API:

Use cases REST resources Try it in Graph Explorer
List alerts List alerts https://graph.microsoft.com/v1.0/security/alerts
Update alerts Update alert https://graph.microsoft.com/v1.0/security/alerts/{alert-id}

You can use Microsoft Graph webhooks to subscribe to and receive notifications about updates to Microsoft Graph Security entities.

Resources

Code and contribute to these Microsoft Graph Security API samples:

Engage with the community:

Next steps

The Microsoft Graph Security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:

Need more ideas? See how some of our partners are using Microsoft Graph.

See also

Code and contribute to these Microsoft Graph Security API samples:

Explore other options to connect with the Microsoft Graph Security API:

Engage with the community: