Partnering with the Microsoft Graph Security API – technology partner opportunities

This article describes the partnering opportunities enabled by the Microsoft Graph Security API. It is designed to help product managers and business development roles understand the investment paths, and it provides insight into the partnering value propositions.

Background

Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. These challenges hinder the ability of organizations to move quickly when detecting and remediating threats in a world of fast-moving, disruptive attacks.

Technology partners can integrate with the Microsoft platform through the Microsoft Graph Security API to address these customer challenges.

Introduction to the Microsoft Graph Security API

The Microsoft Graph Security API is a unified API that provides a standard interface and uniform schema to integrate security alerts and threat intelligence from multiple sources, enrich alerts and data with contextual information, and automate security operations.

The security API is part of Microsoft Graph, a unified REST API for integrating data and intelligence from Microsoft and partner products and services. Using Microsoft Graph, customers and partners can rapidly build solutions that authenticate once and use a single API call to access or act on security insights from multiple security solutions. Additional value is uncovered when you explore the other Microsoft Graph entities (Microsoft 365, Azure Active Directory, Intune, and more) to tie business context to your security insights.

Microsoft enables technology partner integration in two key ways.

  1. As a consumer of information from Microsoft Graph, you can enrich your solutions with the information contained in Microsoft Graph and use the Microsoft Graph API to perform tasks on behalf of a customer.
  2. You can also contribute your alerts and actions to Microsoft Graph alongside Microsoft providers.
How do you integrate? Integrate your application with the Microsoft Graph Security API.
  Data available:
  • Alerts from Microsoft Graph Security providers
  • Secure Scores from Microsoft
  Capabilities supported:
  • Query alerts/Secure Score
  • Call a Microsoft Graph Security Action
  • Update a Microsoft Graph Security alert
  • Upload customer threat indicators to Microsoft

How do you integrate? Enable others to integrate with your products through the Microsoft Graph Security API.
  Data available:
  • Alerts from your security products
  Capabilities supported:
  • Security Actions for your security product

Let’s delve a little deeper and explore some common scenarios where Microsoft Graph Security API integration magnifies security integration investments, and the benefits to customers that we can achieve together.

The following are three key benefits you can derive by integrating with the Microsoft Graph Security API:

1. Your customers benefit from improvements in security effectiveness and operations.
2. Your customers benefit from the rich information supplied by your product and by other integrated partner products.
3. The engineering investment for technology partners is simplified, and the customer value is magnified, through integration with the Microsoft Graph Security API.

Enhance threat protection with the Microsoft Graph Security API

Enabling easier integration of security alerts to inform threat detection and response.

• Correlate alerts and detections from Microsoft Graph Security providers with your own detections to improve your investigation outcomes and support automation.
• Access detections and context via Microsoft Graph to improve threat response: triage, investigation, and remediation.
• Access customer threat intelligence (hash, IP, URL, domain, etc.) to block or alert on malicious activity.

Streamline IT and security management

Providing greater visibility and streamlining management of the incident lifecycle.

• Aggregate alerts from multiple providers to create incidents.
• Access additional context to inform alert prioritization and response.
• Keep alert status synchronized across the systems that manage alerts.
• Gain visibility into the security posture, and recommendations on how to improve it, with Secure Scores.

Share threat intelligence to enable custom detections

Leverage your threat intelligence to power custom detections in Microsoft solutions.

• Automatically send your threat indicators to Microsoft security solutions to enable Alert, Block, or Allow actions.
• Enable swift action to defend against new threats, such as blocking a file, URL, domain, or IP address from within your security tools and workflows.
• Customer-supplied threat intelligence is used only for the supplying customer and not for any other Microsoft customer.

Technical integrations overview

The Microsoft Graph Security API partnering opportunities are made available via two primary integration paths, which can be used independently or together. We outline the high-level requirements and provide some insight into how to think about investing in these paths here; detailed technical explanations are left to the documents referenced later in this article.

Supported entities:

• Alerts are “conclusions with a security impact” rather than raw log data or other uncorrelated information.
• Threat Indicators, also referred to as indicators of compromise or IoCs, represent data about known threats, such as malicious files, URLs, domains, and IP addresses. Customers may generate indicators through internal threat intelligence gathering or acquire indicators from threat intelligence communities, licensed feeds, and other sources.
• Security Actions enable technology partners to expose functional capabilities via the Graph. For example, if your security solution supports the ability to block IP addresses, you can expose “Block IP” as a capability in the Graph. Other Graph Security API products can then call your action via the Graph.
• Secure Score...

Integrate your application with the Microsoft Graph Security API

All integrated applications must be registered with Microsoft Graph. Both applications used by a single customer and applications used by many customers (multi-tenant) are supported. In either case, the customer must grant consent for your application. When calling Microsoft Graph, each request from your application carries your application identifier and the customer on whose behalf you are calling. The following types of requests are supported:

• Get Alerts – Get alert information, with filtering as needed. For example: show me all the high-priority alerts, or all the high-priority alerts for a specific user, host, etc.
• Update Alert Status – Enables management of an alert's lifecycle. For example: setting an alert's status from “in progress” to “resolved”, or adding comments to an alert.
• Get Secure Score – Microsoft Secure Score is a “credit rating” style value for the security configuration of Microsoft products.
• Subscribe – Allows notification of changes to alerts or queries.
• Feed custom threat indicators – Automatically send your threat indicators to Microsoft security solutions to enable Alert, Block, or Allow actions. Use the Microsoft Graph Security API directly, or leverage integrations with leading threat intelligence platforms.
• Invoke a Microsoft Graph Security Action – Take immediate action to defend against threats using the Microsoft Graph Security securityActions entity.
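Added example, not code from the original article or from Microsoft: a small helper layer for two of the request types listed above, Get Alerts with filtering and Update Alert Status. The /security/alerts path, the OData $filter syntax, the alert status and severity values, and the need to echo vendorInformation in a PATCH follow the public Microsoft Graph Security API; the consented tenant token and the HTTP transport are assumed to exist elsewhere, and the sample page is constructed.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
ALERT_STATUSES = {"unknown", "newAlert", "inProgress", "resolved"}
ALERT_SEVERITIES = {"unknown", "informational", "low", "medium", "high"}


def build_alert_query(severity=None, status=None, top=None):
    """Return (url, params) for GET /security/alerts with an OData $filter."""
    clauses = []
    if severity:
        if severity not in ALERT_SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        clauses.append(f"severity eq '{severity}'")
    if status:
        if status not in ALERT_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        clauses.append(f"status eq '{status}'")
    params = {}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    if top:
        params["$top"] = int(top)
    return f"{GRAPH}/security/alerts", params


def parse_alert_page(page):
    """Reduce one page of results to (summaries, next_link); next_link is None on the last page."""
    summaries = [(a["id"], a["severity"], a["status"], a["vendorInformation"]["provider"])
                 for a in page.get("value", [])]
    return summaries, page.get("@odata.nextLink")


def build_status_update(alert, new_status):
    """Return (method, url, body) to PATCH an alert's status. The body must echo the
    alert's vendorInformation so Graph can route the update to the originating provider."""
    if new_status not in ALERT_STATUSES:
        raise ValueError(f"unknown status {new_status!r}")
    vi = alert["vendorInformation"]
    body = {"status": new_status,
            "vendorInformation": {"provider": vi["provider"], "vendor": vi["vendor"]}}
    return "PATCH", f"{GRAPH}/security/alerts/{alert['id']}", body


# Constructed sample page shaped like a Graph response (not real data).
SAMPLE_PAGE = {"value": [{"id": "alert-0001", "severity": "high", "status": "newAlert",
                          "vendorInformation": {"provider": "ExampleProvider",
                                                "vendor": "ExampleVendor"}}],
               "@odata.nextLink": GRAPH + "/security/alerts?$skiptoken=PLACEHOLDER"}
```

Send the returned url and params with an authenticated GET (for example via the requests library) and follow @odata.nextLink until it is absent; the PATCH body goes to the returned url as JSON.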

Enable others to integrate with your products through the Microsoft Graph Security API

Microsoft Graph Security providers make their security alerts available to others through Microsoft Graph. Microsoft products that generate security alerts all have providers that expose their respective alerts to Microsoft Graph. In addition, the Microsoft Graph Security API allows for external providers, enabling you, as a Microsoft technology partner, to share relevant security alerts from your applications in Microsoft Graph for customers to use. Beyond alerts, Microsoft Graph Security securityActions enable technology partners to expose functional capabilities via Microsoft Graph. For example, if your security solution supports the ability to block IP addresses, you can expose “Block IP” as a capability in Microsoft Graph. Other Microsoft Graph Security products can then call your action via Microsoft Graph.

A Microsoft Graph Security provider is essentially a cloud endpoint that responds to requests from the Microsoft Graph Security API and returns the relevant security alerts or executes actions for mutual customers. Customer authentication and service-to-service authentication ensure that access to customer alerts and actions is secured.

Provider scenarios are widely varied. A curated onboarding process begins with identifying the relevant scenarios. Once scenarios are agreed upon, documentation, sample code, and development environments are available to support development of your Microsoft Graph Security provider.

Get started

• Onboarding guides and technical documentation
• Sample code
• Help and support
• Getting to market