Unlocking security insights with Microsoft Graph API
- 3. Agenda
- 5. Disconnected alerts Different schemas and APIs Isolated security insights Inaccessible contextual info Operational complexity
- 6. Unified gateway to security insights and actions across Microsoft products, services, and partners Unify and standardize alert management Automate SecOps for greater efficiency Unlock security context to drive investigation !
- 7. Alerts Security Profiles Host | User | File | App | IP Actions Configurations Insights and relationships OAuth 2.0 and OpenID Connect 1.0 Azure AD Identity Protection IntuneWindows Defender ATP Office 365 ATP Cloud Application Security Azure ATP Azure Security Center Azure Information Protection Ecosystem Partners Other Microsoft Graph Services Office 365 | Intune | Active Directory | More… Users Groups Mail Files Calendar
- 8. Customers control access to their security data App Access Customer grants permission for the application to access their data via the Security API in AAD Requests are brokered by the Security API, no data is stored Access can be revoked by the customer at any time Resources https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#security-permissions https://techcommunity.microsoft.com/t5/Using-Microsoft-Graph-Security/Authorization-and-Microsoft-Graph-Security-API/m-p/184376#M2 User Access User permissions can be managed in either of the following ways: Delegated access Customer assigns users to AAD role(s): Security Reader or Security Administrator App only Application implements role-based access for users +
- 9. Security dashboards Surface aggregated alerts in security operations dashboards along with rich contextual information about related entities ! ! ! ! Security operations tools Stream alerts in near real- time to a ticketing or IT management system, keep alert status and assignments in sync, automate common tasks Threat protection solutions Correlate alerts and contextual information for improved detections, take action on threats - block an IP on firewall, run AV scan… Other applications Add security functionality to non-security applications – HR, financial, healthcare apps… Integration Partners Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats. Alerts from the Microsoft Graph will combine with Palo Alto Networks threat data to speed detection and prevention of cyberattacks for our shared customers. PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.
- 11. C# SDK: graphClient.Security.Alerts.Request().Asynch(); REST: GET graph.microsoft.com/beta/security/alerts C# SDK: graphService.UpdateAlert(alert, updateAlertModel); REST: PATCH graph.Microsoft.com/beta/security/alerts/7f590b04-0cb3-478f-88ca-974a8bb5a46f { “status”:”InProgress”, “assignedTo”:”[email protected]” } Unified alert management: /security/alerts alerts alerts
- 12. C# SDK: graphClient.Security.UserSecurityProfiles.Request().Filter(”userPrincipalName eq ‘[email protected]’”) REST: GET …/hostSecurityProfiles?$filter=fqdn eq ‘johnedoe-surfpro.contoso.com’&$select=riskScore REST: GET …/fileSecurityProfiles?$filter=sha256 eq ‘091835b16192e526ee1b8a04d0fcef534b44cad306672066f2ad6973a4b18b19’ REST: GET …/hostSecurityProfiles?$select=platform,osVersion Unlock security context: /security/securityProfiles securityProfiles securityProfiles Host | User | File | App | IP
- 13. REST: POST graph.microsoft.com/beta/security/actions?$ref { “id”: ”7f590b04-0cb3-478f-88ca-974a8bb5a46f”, // (required) id of SecurityProfile entity to act upon “provider”: ”MCAS”, // (required) security provider to take the action “name”: ”restrictAccess”, // provider specific action metadata “cloudService”: ”OneDrive” // provider specific action metadata } Automate security operations: /security/actions actions actions
- 14. REST: POST graph.microsoft.com/beta/security/configuration?$ref { “provider”: ”intune”, // (required) security provider set the configuration “name”: ”microsoft.graph.iosGeneralDeviceConfiguration”, // (required) configuration setting to modify “displayName”: ”iOS Lock Policy”, // provider specific configuration metadata “description”: ”My iOS Policy”, // provider specific configuration metadata “lockScreenBlockNotificationView”: true // provider specific configuration metadata } configuration configuration Automate security configurations: /security/configuration
- 16. 16 Public Preview (available now) Beta of Security API in Microsoft Graph Client C# SDK available for integration Code samples for C# and Python Support for Alerts from Azure Security Center and Azure Active Directory Identity Protection with Intune and Azure Information Protection coming soon Unified SIEM integration through Azure Monitor (QRadar, Splunk, SumoLogic) Developer forums on Microsoft Tech Community & Stack Overflow General Availability (H2 2018) Onboarding additional Microsoft and ecosystem products Unlock new security context through Security Inventory Adding automation through Actions and Configuration Provider SDK and documentation for broad ecosystem integration Additional client SDKs and sample code through Microsoft Graph
- 17. Channel 9 videos Lab Live demos in the Microsoft Graph boothExpo WRK2506 How to Build Security Applications using the Microsoft Graph API Tuesday, 3:00 PM-4:15 PM TCC: Tahoma 2
- 18. Documentation Read the documentation https://aka.ms/graphsecuritydocs Learn how to stream alerts to your SIEM https://aka.ms/graphsecuritySIEM GitHub Get started with C# samples https://aka.ms/graphsecurityaspnet Get started with Python samples https://aka.ms/graphsecuritypython Download the C# SDK https://aka.ms/graphsecuritysdk Communities Join the Tech Community https://aka.ms/graphsecuritycommunity Follow the discussion on Stack Overflow https://stackoverflow.com/questions/tagged/ microsoft-graph-security https://aka.ms/graphsecurityapi