Thursday, 29 August 2019

Introduction to Microsoft Graph Security APIs


I don't remember being so excited about something in the past three months, since Liverpool won the Champions League Final, apart from the announcement of the Microsoft Graph Security APIs. I'm still trying to figure out the potential of the APIs, but I think having these APIs will open up possibilities for ISVs, independent developers and partners to start simplifying the way admins and users deal with security alerts and, more importantly, to streamline the alert process across different providers, whether the alerts come from the Microsoft 365 security centre, Cloud App Security (Azure) or a Microsoft vendor/partner.

I decided to take the APIs for a spin and play around with what they currently offer, both in GA (v1.0) and beta. I'm not going to go for a full-blown approach, so I'll just use the Microsoft Graph Explorer to play around with these endpoints. The steps are pretty simple:
  • Navigate to Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and sign in.
  • Modify permissions and add at least SecurityEvents.Read.All; this prompts you to sign in again and consent to the newly added scopes of the "Graph Explorer" Azure AD multi-tenant app.
  • The browser redirects you back to Graph Explorer.
  • In the URL box, issue a GET against /v1.0/security/alerts; you will get a list of aggregated alerts like the one below, each carrying:
    • A unique identifier (id), plus the Azure tenant and subscription ids (azureTenantId, azureSubscriptionId) where the provider supplies them, for example for an alert generated by the Office 365 security centre
    • A set of tags, based on the configuration of the source system
    • Vendor information (vendorInformation: vendor, provider, subProvider, providerVersion)
    • User information (userStates)
    • Severity of the alert, as assigned by the originating source
Now let's create a custom alert policy and see for ourselves how long it takes until the Graph Security API picks it up:
  • Sign in to your M365 admin portal and click Security. You will land on either protection.office.com or security.microsoft.com depending on your subscription; for example, with an Office 365 E3 developer account you cannot use Cloud App Security or add it to your subscription, and you are always redirected to protection.office.com.
  • For simplicity we will choose Office 365 alerts: if we landed on security.microsoft.com, click Policies, then Office 365 alerts.
  • For some other bizarre reason, even if you were redirected to protection.office.com by clicking Office 365 alerts, you still have to choose Alerts and then Alert policies from the left-hand navigation!

  • Now let's create a new alert policy as below

  • Now I'll navigate to a SharePoint site and share it with an external user.
  • After almost a minute or so I got an email notification that the site had been shared; it took longer for the Microsoft Graph API to get the alert, but I'm not sure about the actual time limit from the alert origination until the aggregation of all alerts.
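The Graph Explorer walk-through above and the timing question just raised can both be exercised in code. The block below is an added example, not code from the original post or from Microsoft: it builds the /v1.0/security/alerts URL with OData query options, checks (client-side, without verifying the signature) that a delegated token actually carries the SecurityEvents.Read.All scope, follows @odata.nextLink paging, and normalises each alert to the fields called out above (id, tenant/subscription, tags, vendorInformation, userStates, severity). It also computes createdDateTime minus eventDateTime per alert, which is the only ingestion-latency figure the alert resource itself exposes. The HTTP call is injected as a function so the example runs offline against constructed sample pages; the alert ids, tenant ids, user names and timestamps in SAMPLE_PAGES are made up for the example.

```python
"""Client-side helpers for the Microsoft Graph Security alerts endpoint.

Added example, not from the original post. Assumes the documented response
shape ("value" array plus optional "@odata.nextLink") and the documented
alert properties; the sample alerts below are constructed for offline use.
"""
import base64
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
REQUIRED_SCOPE = "SecurityEvents.Read.All"


def build_alerts_url(severity: Optional[str] = None, top: int = 50) -> str:
    """Build the alerts URL with OData options, e.g. $filter=severity eq 'high'."""
    params = {"$top": str(top), "$orderby": "createdDateTime desc"}
    if severity:
        params["$filter"] = f"severity eq '{severity}'"
    return f"{GRAPH_ALERTS_URL}?{urlencode(params)}"


def token_scopes(access_token: str) -> List[str]:
    """Read the 'scp' claim from a delegated token's payload segment.

    Diagnostic only: this decodes without verifying the signature, so it
    tells you what the token claims to carry, not whether it is genuine.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("scp", "").split()


def has_required_scope(access_token: str) -> bool:
    """True if the token carries the scope Graph Explorer had to consent to."""
    return REQUIRED_SCOPE in token_scopes(access_token)


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """Parse Graph's UTC ('Z') timestamps; Graph may emit 7 fractional
    digits, which datetime.fromisoformat rejects, so trim to microseconds."""
    if not value:
        return None
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def normalize_alert(alert: Dict) -> Dict:
    """Reduce one alert to a provider-agnostic record with the fields the post lists."""
    vendor = alert.get("vendorInformation") or {}
    users = [u["userPrincipalName"] for u in alert.get("userStates") or []
             if u.get("userPrincipalName")]
    created = _parse_time(alert.get("createdDateTime"))
    event = _parse_time(alert.get("eventDateTime"))
    latency = (created - event).total_seconds() if created and event else None
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "tenant": alert.get("azureTenantId"),
        "subscription": alert.get("azureSubscriptionId"),
        "provider": vendor.get("provider"),
        "vendor": vendor.get("vendor"),
        "tags": alert.get("tags") or [],
        "users": users,
        "ingest_latency_s": latency,  # createdDateTime - eventDateTime
    }


def collect_alerts(fetch_page: Callable[[str], Dict], first_url: str) -> List[Dict]:
    """Follow @odata.nextLink until exhausted. fetch_page performs the
    authenticated GET and returns parsed JSON; it is injected so this runs offline."""
    alerts, url = [], first_url
    while url:
        page = fetch_page(url)
        alerts.extend(normalize_alert(a) for a in page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def _constructed_token(scp: str) -> str:
    """Unsigned JWT-shaped string for offline testing (constructed, not a real token)."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none"}), seg({"scp": scp}), ""])


# Constructed sample pages: one Office 365 alert, one Azure Security Center alert.
SAMPLE_PAGES = {
    "page1": {"value": [{
        "id": "constructed-alert-1", "title": "Site shared with external user",
        "severity": "medium", "status": "newAlert",
        "azureTenantId": "00000000-0000-0000-0000-000000000001", "tags": ["sharing"],
        "vendorInformation": {"provider": "Office 365 Security and Compliance", "vendor": "Microsoft"},
        "userStates": [{"userPrincipalName": "alice@contoso.example"}],
        "eventDateTime": "2019-08-29T10:15:00Z", "createdDateTime": "2019-08-29T10:18:30Z",
    }], "@odata.nextLink": "page2"},
    "page2": {"value": [{
        "id": "constructed-alert-2", "title": "Suspicious process executed",
        "severity": "high", "status": "inProgress",
        "azureTenantId": "00000000-0000-0000-0000-000000000001",
        "azureSubscriptionId": "00000000-0000-0000-0000-0000000000aa",
        "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
        "eventDateTime": "2019-08-29T09:00:00.1234567Z", "createdDateTime": "2019-08-29T09:02:00.1234567Z",
    }]},
}

if __name__ == "__main__":
    print(build_alerts_url("high"))
    for a in collect_alerts(lambda u: SAMPLE_PAGES[u], "page1"):
        print(a["provider"], a["severity"], a["users"], a["ingest_latency_s"])
```

To run this against a real tenant, replace the lambda with a function that sends a GET with an `Authorization: Bearer <token>` header, and treat ingest_latency_s as a lower bound: it measures the provider's own timestamps, not the moment the alert became visible through Graph, which is the number the post could not pin down.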
In the end, I know it's a very simple endpoint, but the value this endpoint represents is priceless, as it allows developers to enable cross-product scenarios using the same code base across different use cases like security management, threat detection and information protection.