More easy ways to connect with the Microsoft Graph Security API

November 5, 2019
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

Today, we are announcing new capabilities in the Microsoft Graph Security API that will enable customers to derive further value by integrating with the API with the ability to share threat intelligence across additional Microsoft products and be able to easily orchestrate automated security workflows. Our announcements also include a range of new out-of-the-box partner integrations using which customers have more options to gain efficiencies in their security investments. Finally, we’re announcing additional resources for developers to easily build solutions leveraging the Microsoft Graph Security API.

Customers can now send custom threat intelligence or IoCs (Indicators of Compromise) using the Microsoft Graph Security API threat indicators entity to Microsoft Defender ATP to block or alert on threats. With this capability, customers can use a single integration to send threat indicators like a malicious IP, URL, file, etc. to multiple Microsoft security products as follows:

  • Azure Sentinel – Enables customers to correlate threat indicators with log data to get custom alerts on malicious activity.
  • Microsoft Defender ATP – Enables customers to alert and/or block on threat indicators associated with malicious activity. Customers can also allow an indicator for ignoring the indicator from automated investigations.
  • We are working with more partners to land additional integrations soon

You can use this capability in the following ways.

  • Leverage available threat intelligence platform integrations as follows:
    • We’ve added capability to submit threat indicators to Microsoft Defender ATP and Azure Sentinel using MISP, an open source threat intelligence platform. To get started, follow the steps to download and configure the MISP connector.
    • ThreatConnect has built an integration with Microsoft Graph Security threat indicators that supports indicators for both Microsoft Defender ATP and Azure Sentinel. To get started, install the “Microsoft Graph Security Threat Indicators” app in the ThreatConnect App Catalog. For an example of how the app can be used to manage Threat Indicators in Microsoft Graph Security, install and import the ‘Microsoft Graph Security – Deploy Indicators' Playbook template. This can also be installed from the Templates section of the ThreatConnect App Catalog.
  • Build your own integration to submit custom threat indicators to Azure Sentinel and Microsoft Defender ATP. Check out the new quick starts in C#, Python and NodeJS for you to get started on this now.

MISP.pngMISP Threat Intelligence Platform

We’ve added features to enable customers to build workflows and playbooks of their choice without having to write any code to expedite incident and response. New integration with ServiceNow enables customers to reap the benefits that Microsoft Graph Security API provides by connecting different security products natively in the respective security operations solutions.

ServiceNow

ServiceNow has built an integration using the Microsoft Graph Security API, in which security alerts from multiple security products like Azure Sentinel, Microsoft Defender ATP, Azure Security Center and more will be ingested into ServiceNow Security Operations to automatically create security incidents. Read the ServiceNow – Microsoft Graph Security API integration blog post for further details and get started.

ServiceNow_new.pngServiceNow integration with the Microsoft Graph Security API

Azure Logic Apps and Microsoft Flow

We’ve added support for triggers to the Microsoft Graph Security API connectors for Azure Logic Apps, Microsoft Flow. With this, now you can initiate your playbook when a new alert is created. Use the Microsoft Graph Security API connector with over 100s of other connectors available to design workflows that expedite alert routing, triage, investigation, and remediation.

To get started,

LogicApps.pngAn Azure Logic App Playbook using Trigger

Splunk and RSA NetWitness customers can leverage integrations available with Microsoft Graph Security API to get alerts from multiple security products in a unified format with a single connection, streamed to their SIEM (Security incident and event management).

RSA NetWitness has built a native integration that uses Microsoft Graph Security API to stream alerts from all Microsoft Security products, including Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection and more into RSA NetWitness. Get started by following steps outlined in the RSA NetWitness integrations documentation.

RSA_Netwitness.pngRSA NetWitness integration with Microsoft Graph Security API

We recently released a new Splunk add-on to enable customers to easily integrate security alerts and insights from their Microsoft security products into Splunk. Get started by following steps outlined in the blog post announcing this add-on.

Managed security service providers like InSpark, Softeng, SWC and more continue to integrate with the Microsoft Graph Security API. Now, Trustwave uses Microsoft Security Graph API to connect alerts across Microsoft security products, the security ecosystem and the Trustwave Fusion platform for enhanced threat detection, investigation and response. Refer to Trustwave integrations document for further details to get started.

We’ve been continuously investing in enabling our developers to easily build solutions of their choice using the Microsoft Graph Security API and partner with us to showcase these using different options. As always, please share your feedback by filing a GitHub issue

If you are at Microsoft Ignite 2019, remember to check out the following Microsoft Graph Security API sessions to learn more about these announcements and chat with us.

  • Tuesday, November 5, 2019
    • 1:50 PM – 2:10 PM: THR3091 – Gain Efficiencies in Security Response with ServiceNow and Azure Sentinel Integration powered by Microsoft Graph
  • Friday, November 8, 2019
    • 11:30 AM – 12:15 PM: BRK3073 – Five cool security apps you can build using Microsoft Graph
Discuss this article in the Microsoft Technical Community.