
Microsoft Graph API

About

The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph Security API to build applications that:

  • Consolidate and correlate security alerts from multiple sources
  • Unlock contextual data to inform investigations
  • Automate security tasks, business processes, workflows, and reporting
  • Send threat indicators to Microsoft products for customized detections
  • Invoke actions in response to new threats
  • Provide visibility into security data to enable proactive risk management

Product Details

Vendor URL: Microsoft Graph API

Product Type: SaaS

Product Tier: Tier II

Integration Method: Custom

Integration URL: Microsoft Graph API - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: MICROSOFT_GRAPH_ALERT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                                               UDM Field
azureTenantId                                                                principal.location.country_or_region
category,properties.alertName,riskType                                       security_result.rule_name
description,properties.description,riskEventType                             metadata.description
description,properties.description,riskEventType                             security_result.description
fileStates.0.path                                                            target.file.full_path
hostStates.0.fqdn                                                            principal.hostname
hostStates.0.netBiosName                                                     src.hostname
hostStates.0.os                                                              principal.platform
location.countryOrRegion                                                     principal.location.country_or_region
malwareStates.0.name                                                         security_result.threat_name
networkConnections.0.protocol                                                network.ip_protocol
networkConnections.0.sourceAddress                                           principal.ip
processes.0.commandLine                                                      principal.process.parent_process.command_line
processes.0.parentProcessId                                                  principal.process.parent_process.pid
processes.0.path                                                             principal.process.parent_process.file.full_path
properties.extendedProperties.client Hostname                                principal.hostname
properties.extendedProperties.client IP Address                              principal.ip
properties.extendedProperties.client Principal Name                          target.user.email_addresses
properties.extendedProperties.client Principal Name                          target.user.userid
recommendedActions.0-5                                                       security_result.category_details
securityResources.0.resource                                                 security_result.about.resource.name
securityResources.0.resourceType                                             security_result.about.resource_subtype
severity,properties.reportedSeverity,riskLevel                               security_result.severity
source                                                                       metadata.product_name
sourceMaterials.0                                                            metadata.url_back_to_product
title,properties.alertDisplayName,activity                                   metadata.product_event_type
title,properties.alertDisplayName,activity                                   security_result.summary
userPrincipalName,userStates.0.userPrincipalName                             target.user.email_addresses
userStates.0.accountName,userDisplayName                                     principal.user.user_display_name
userStates.0.accountName,userDisplayName                                     target.user.user_display_name
userStates.0.domainName                                                      principal.administrative_domain
userStates.0.domainName                                                      target.administrative_domain
userStates.0.logonIp                                                         target.ip
userStates.0.logonIp,ipAddress                                               principal.ip
userStates.0.logonLocation                                                   principal.location.city
userStates.0.logonLocation                                                   principal.location.country_or_region
userStates.0.logonLocation                                                   principal.location.state
userStates.0.userPrincipalName                                               network.email.from
userStates.0.userPrincipalName                                               network.email.to
userStates.0.userPrincipalName                                               target.user.email_addresses
userStates.0.userPrincipalName,userPrincipalName                             principal.user.userid
userStates.0.userPrincipalName,userPrincipalName                             target.user.userid
userStates.1.accountName                                                     about.user.user_display_name
userStates.1.domainName                                                      about.user.administrative_domain
userStates.1.logonIp                                                         about.ip
userStates.1.userPrincipalName                                               about.user.userid
vendorInformation.provider,properties.extendedProperties.client Application  metadata.product_name

Product Event Types

Event, severity                             UDM Event Classification  Security Category  Alerting Enabled
all other events                            GENERIC_EVENT
Antimalware Action Taken                    SCAN_FILE
Atypical travel                             USER_UNCATEGORIZED
Email reported by user as malware or phish  EMAIL_TRANSACTION                            TRUE
Impossible travel activity                  USER_UNCATEGORIZED
Logon by an unfamiliar principal            USER_UNCATEGORIZED
Ransomware                                                                               TRUE
Critical, High, Medium                                                                   TRUE
signin                                      USER_UNCATEGORIZED
Unusual volume of file deletion             GENERIC_EVENT             DATA_DESTRUCTION
newAlert                                                                                 TRUE

Log Sample

{"detectionIds":[],"severity":"low","vendorInformation":{"provider":"Office 365 Security and Compliance","providerVersion":null,"subProvider":null,"vendor":"Microsoft"},"id":"id","lastModifiedDateTime":"2021-09-26T04:10:51.557Z","sourceMaterials":["url"],"alertDetections":[],"cloudAppStates":[],"closedDateTime":null,"createdDateTime":"2021-09-26T04:15:00Z","fileStates":[],"historyStates":[],"comments":["New alert"],"category":"ThreatManagement","incidentIds":[],"malwareStates":[],"azureSubscriptionId":null,"status":"newAlert","title":"Email reported by user as malware or phish","investigationSecurityStates":[],"vulnerabilityStates":[],"tags":[],"eventDateTime":"2021-09-26T04:15:00Z","recommendedActions":[],"networkConnections":[],"uriClickSecurityStates":[],"assignedTo":null,"activityGroupName":null,"description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","feedback":null,"messageSecurityStates":[],"processes":[],"userStates":[{"logonIp":null,"logonType":null,"userAccountType":null,"aadUserId":null,"isVpn":null,"logonId":null,"emailRole":"unknown","logonDateTime":null,"userPrincipalName":"john.doe@domain.com","accountName":"john.doe","domainName":"acme.com","logonLocation":null,"onPremisesSecurityIdentifier":null,"riskScore":null},{"logonLocation":null,"userPrincipalName":"serviceuser","userAccountType":null,"emailRole":"sender","logonDateTime":null,"logonIp":"127.0.0.1","logonType":null,"aadUserId":null,"isVpn":null,"logonId":null,"accountName":"jane.doe","domainName":"domain","onPremisesSecurityIdentifier":null,"riskScore":null},{"logonDateTime":null,"logonId":null,"riskScore":null,"userPrincipalName":"john.doe@domain.com","logonIp":null,"logonLocation":null,"onPremisesSecurityIdentifier":null,"logonType":null,"userAccountType":null,"aadUserId":null,"accountName":"john.doe","domainName":"acme.com","emailRole":"recipient","isVpn":null}],"azureTenantId":"tenantid","confidence":null,"lastEventDateTime":null,"hostStates":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"riskScore":null}

Sample Parsing

metadata.event_timestamp = "2021-09-26T04:15:00Z"
metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Office 365 Security and Compliance"
metadata.product_event_type = "Email reported by user as malware or phish"
metadata.description = "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3"
metadata.url_back_to_product = "url"
metadata.ingested_timestamp = "2021-09-26T04:17:10.243424Z"
principal.user.userid = "john.doe@domain.com"
principal.user.user_display_name = "john.doe"
principal.administrative_domain = "domain.com"
security_result.rule_name = "ThreatManagement"
security_result.summary = "Email reported by user as malware or phish"
security_result.description = "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3"
security_result.severity = "LOW"
network.email.from = "jane.doe"
network.email.to = "john.doe@domain.com"

Parser Alerting

Alerting criteria are listed in the Product Event Types table above.
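As an added illustration (not the Cyderes parser's own code), the Python below applies a subset of the UDM field-mapping table and the Product Event Types table to a trimmed copy of the Log Sample above, so the fallback between comma-separated source fields, the event classification and the alerting decision can be seen in one place. It assumes that the comma-separated sources are tried in the listed order with the first present value winning, that severity is upper-cased, and that the TRUE rows match on title, severity and status respectively; it follows the mapping table literally, so a field the production parser derives differently (principal.administrative_domain in Sample Parsing, for instance) need not match.

```python
# Constructed sample: the fields of the page's Log Sample that this example reads.
SAMPLE = {"severity": "low", "category": "ThreatManagement", "status": "newAlert",
          "vendorInformation": {"provider": "Office 365 Security and Compliance"},
          "title": "Email reported by user as malware or phish", "sourceMaterials": ["url"],
          "userStates": [{"userPrincipalName": "john.doe@domain.com", "domainName": "acme.com"}]}

# Subset of the page's field-mapping table: UDM field -> candidate source paths.
# Assumed precedence: paths are tried in the listed order and the first one present wins.
MAPPING = {
    "metadata.product_name": ["vendorInformation.provider",
                              "properties.extendedProperties.client Application"],
    "metadata.product_event_type": ["title", "properties.alertDisplayName", "activity"],
    "security_result.rule_name": ["category", "properties.alertName", "riskType"],
    "security_result.severity": ["severity", "properties.reportedSeverity", "riskLevel"],
    "target.user.email_addresses": ["userPrincipalName", "userStates.0.userPrincipalName"],
    "principal.administrative_domain": ["userStates.0.domainName"],
}
# Product Event Types table: event title -> (UDM event type, security category).
EVENT_TYPES = {
    "Antimalware Action Taken": ("SCAN_FILE", None),
    "Email reported by user as malware or phish": ("EMAIL_TRANSACTION", None),
    "Unusual volume of file deletion": ("GENERIC_EVENT", "DATA_DESTRUCTION"),
    **{t: ("USER_UNCATEGORIZED", None) for t in ("Atypical travel", "Impossible travel activity",
                                                  "Logon by an unfamiliar principal", "signin")},
}
# Rows of that table marked TRUE; assumed to match on title, severity and status respectively.
ALERT_TITLES = {"Email reported by user as malware or phish", "Ransomware"}
ALERT_SEVERITIES = {"critical", "high", "medium"}
ALERT_STATUSES = {"newAlert"}
def lookup(obj, path):
    """Walk a dotted path such as 'userStates.0.domainName'; None if any step is missing."""
    try:
        for seg in path.split("."):
            obj = obj[int(seg)] if isinstance(obj, list) else obj[seg]
        return obj
    except (KeyError, IndexError, TypeError, ValueError):
        return None

def to_udm(alert):
    """Apply the mapping, classify the event and decide whether the parser alerts on it."""
    udm = {f: next((v for v in (lookup(alert, s) for s in srcs) if v is not None), None)
           for f, srcs in MAPPING.items()}
    if udm["security_result.severity"]:                        # page shows "low" -> "LOW"
        udm["security_result.severity"] = udm["security_result.severity"].upper()
    title = udm["metadata.product_event_type"]
    udm["metadata.event_type"], udm["security_result.category"] = EVENT_TYPES.get(
        title, ("GENERIC_EVENT", None))                        # the "all other events" row
    udm["alerting_enabled"] = (title in ALERT_TITLES or alert.get("status") in ALERT_STATUSES
                               or str(alert.get("severity", "")).lower() in ALERT_SEVERITIES)
    return udm
```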