Microsoft Graph Security 2.0.0
App Vendor: Microsoft
App Category: Endpoint
Connector Version: 2.0.0
API Version: 1.0.0
About App
Microsoft Graph Security provides a unified API for automating threat detection, investigation, and response across endpoints, identities, email, and cloud resources, enabling faster and coordinated security operations.
The Microsoft Graph Security app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Generic Action | This is a generic action used to make requests to any Microsoft Graph Security endpoint. |
Get Alert Details | This action retrieves the properties and relationships of a specific security alert object. |
Get Host Details | This action retrieves the properties and relationships of a host object, which can be a hostname or an IP address. |
Get Host WHOIS Record | This action retrieves the current WHOIS record associated with a specified host. |
Get Identity Account Details | This action retrieves the properties and relationships of a single identity account object. |
Get Incident Details | This action retrieves the details of a specific incident. |
Get Vulnerability Details | This action retrieves the properties and relationships of a specific vulnerability object. |
Invoke Identity Accounts | This action performs security actions, such as revoking sessions or forcing password resets, on identity accounts to help mitigate potential threats. |
List Alerts | This action retrieves a list of alert resources created to track suspicious activities within an organization. |
List Identity Accounts | This action retrieves a collection of identity accounts from the security namespace. |
List Incidents | This action lists all incidents that have been created to track and manage attacks targeting your organization. |
Run Hunting Query | This action runs a query on a specified set of event, activity, or entity data to proactively search for specific threats in your environment. |
Update Alert | This action updates the properties of an existing alert. |
Update Incident | This action updates the details of an existing incident. |
Configuration Parameters
The following configuration parameters are required for the Microsoft Graph Security app to communicate with the Microsoft Graph Security enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Tenant ID | Enter the tenant ID associated with your account for authentication. | Text | Required | |
Client ID | Enter the client ID for authentication. | Text | Required | |
Client Secret | Enter the client secret linked to your client ID. | Password | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Microsoft Graph Security. | Integer | Optional | Allowed range: 15-120. Default timeout: 15 |
Verify | Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in connection errors. | Boolean | Optional | By default, verify is enabled. |
API Version | Enter the API version to be used while making requests. | Text | Optional | Default value: v1.0 |
Action: Get Alert Details
This action retrieves the properties and relationships of a specific security alert object.
Note
You must have the SecurityAlert.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Alert ID | Enter the unique alert ID to identify the specific record to be retrieved. Example: da637578995287051192_756343937 | Text | Required |
Example Request
[
{
"alert_id": "dce5d51769-7085-c101-a1bb-4967905d0cae"
}
]
Action: Get Host Details
This action retrieves the properties and relationships of a host object, which can be a hostname or an IP address.
Note
You must have the ThreatIntelligence.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Host ID | Enter the host ID (hostname or IP address) to retrieve the specific threat intelligence host record. Example: contoso.com | Text | Required | |
Query Parameters | Enter the key-value pairs to customize the response using Odata query parameters. Example: { "$select" : "id, reputation" } | Key Value | Optional |
Example Request
[
{
"host_name": "contoso.com",
"query_params": {
"$select": "id,reputation,ports"
}
}
]
Action: Get Host WHOIS Record
This action retrieves the current WHOIS record associated with a specified host.
Note
You must have the ThreatIntelligence.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Host ID | Enter the host ID (typically the domain name) to identify the specific host for which to retrieve WHOIS data. Example: contoso.com | Text | Required | |
Select | Enter the select ($select) value to specify which properties of the WHOIS record to include in the response. Example: id, domainStatus | Text | Optional |
Example Request
[
{
"domain_name": "contoso.com"
}
]
Action: Get Identity Account Details
This action retrieves the properties and relationships of a single identity account object.
Note
You must have the SecurityIdentitiesAccount.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Identity Account ID | Enter the unique account ID (identityAccountsId) to identify the specific identity account. Example: 256db173-930a-4991-9061-0d51a9a93ba5 | Text | Required | |
Select | Enter the select ($select) value to specify which properties to include in the response. Example: id,displayName | Text | Optional | |
Action: Get Incident Details
This action retrieves the details of a specific incident.
Note
You must have the SecurityIncident.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to retrieve incident information. Example: 2972395 | Text | Required | To retrieve the incident ID, use the List Incidents action. |
Example Request
[
{
"incident_id": "2972395"
}
]
Action: Get Vulnerability Details
This action retrieves the properties and relationships of a specific vulnerability object.
Note
You must have the ThreatIntelligence.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Vulnerability ID | Enter the vulnerability ID to identify the specific record to be retrieved. Example: CVE-2020-0601 | Text | Required | |
Query Parameters | Enter the key-value pairs to customize the response using Odata query parameters. Example: { "$select" : "id" } | Key Value | Optional | |
Include vulnerability components | Choose true if you want to retrieve the list of components associated with the specified vulnerability along with the vulnerability details. | Boolean | Optional | Default value: false |
Example Request
[
{
"vulnerability_id": "CVE-2021-44228"
}
]
Action: Invoke Identity Accounts
This action performs security actions, such as revoking sessions or forcing password resets, on identity accounts to help mitigate potential threats.
Note
You must have the SecurityIdentitiesActions.ReadWrite.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Identity Account ID | Enter the identityAccountsId used in the resource path to identify the target account object. Example: 0104216-0539-4838-88b1-55baafdc296b | Text | Required | |
Account ID | Enter the account ID as recognized by the identity provider on which the action will be performed. Example: 256db173-930a-4991-9061-0d51a9a93ba5 | Text | Required | |
Action | Select the type of action to perform on the account. Supported actions depend on the selected identity provider. | Single-select | Required | Allowed values: disable, enable, forcePasswordReset, revokeAllSessions, requireUserToSignInAgain, markUserAsCompromised |
Identity Provider | Select the identity provider associated with the account. | Single-select | Required | Allowed values: entraID, activeDirectory, okta |
Action: List Alerts
This action retrieves a list of alert resources created to track suspicious activities within an organization.
Note
You must have one of the SecurityEvents.Read.All (Read all security events) or SecurityEvents.ReadWrite.All (Read and write all security events) permissions to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filter | Enter the filter ($filter) values to refine the results. Example: severity eq 'high' | Text | Optional | Allowed keys: assignedTo, classification, determination, createdDateTime, lastUpdateDateTime, severity, serviceSource, and status. |
Top | Enter the top ($top) value to define the maximum number of alerts to fetch in the result set. Example: 1000 | Integer | Optional | |
Skip | Enter the skip ($skip) value to specify the number of records to skip before returning results. Example: 100 | Integer | Optional | |
Count | Choose true if you want to include the total count of matching resources in the response. | Boolean | Optional |
Example Request
[
{
"top": "3",
"skip": "1",
"filter": "severity eq 'high'"
}
]
Action: List Identity Accounts
This action retrieves a collection of identity accounts from the security namespace.
Note
You must have the SecurityIdentitiesAccount.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filter | Enter the filter ($filter) expression to refine the results. Example: isEnabled eq true | Text | Optional | |
Select | Enter the select ($select) value to specify which properties to include in the response. Example: id,displayName | Text | Optional |
Action: List Incidents
This action lists all incidents that have been created to track and manage attacks targeting your organization.
Note
You must have one of the Incident.Read.All (Read all incidents), Incident.ReadWrite.All (Read and write all incidents), Incident.Read (Read incidents), or Incident.ReadWrite (Read and write incidents) permissions to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filter | Enter a query to filter incidents by specific fields. Example: status eq 'open' | Text | Optional | Allowed fields: assignedto, classification, createddatetime, determination, lastupdatedatetime, severity, and status |
Max Results | Enter the maximum number of incidents to retrieve. | Integer | Optional | The maximum allowed value is 50. |
Skip | Enter the number of incidents to skip in the result set. Example: 10 | Integer | Optional | |
Count | Choose true to include the total number of matching incidents in the response. | Boolean | Optional | |
Expand | Enter any related resources you want to include in the response. Example: alerts | Text | Optional | |
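The Filter parameters of List Alerts and List Incidents only accept the fields listed in their tables, and Max Results for incidents is capped at 50. The following is an added example, not part of this page or of the Cyware app itself, that validates a simple OData $filter expression against those documented field sets and assembles the query parameters before anything is sent. It assumes the action maps Filter/Top/Skip/Count/Expand onto the standard $filter/$top/$skip/$count/$expand parameters; the sample filter expressions are constructed for illustration.

```python
import re

# Allowed $filter fields, copied from the List Alerts and List Incidents
# parameter tables on this page (compared case-insensitively).
ALERT_FILTER_FIELDS = {
    "assignedto", "classification", "determination", "createddatetime",
    "lastupdatedatetime", "severity", "servicesource", "status",
}
INCIDENT_FILTER_FIELDS = {
    "assignedto", "classification", "createddatetime", "determination",
    "lastupdatedatetime", "severity", "status",
}
INCIDENT_MAX_RESULTS = 50  # documented limit for the Max Results parameter

COMPARISON_OPS = {"eq", "ne", "gt", "ge", "lt", "le"}

# Tokens: single-quoted OData string literals (with '' as an escaped quote),
# parentheses, and runs of non-space characters.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\(|\)|[^\s()]+")
_IDENT = re.compile(r"[A-Za-z_]\w*")


def filter_fields(expr):
    """Return the lower-cased field names a simple OData $filter compares on.

    A field is any identifier that directly precedes a comparison operator,
    e.g. both 'severity' and 'status' in "severity eq 'high' and status eq 'new'".
    Function calls such as contains() are not handled; this is a deliberate
    simplification of the OData grammar.
    """
    tokens = _TOKEN.findall(expr)
    fields = set()
    for i in range(1, len(tokens)):
        if tokens[i].lower() in COMPARISON_OPS and _IDENT.fullmatch(tokens[i - 1]):
            fields.add(tokens[i - 1].lower())
    return fields


def validate_filter(expr, allowed):
    """Reject a filter that references any field outside the documented set."""
    unsupported = sorted(f for f in filter_fields(expr) if f not in allowed)
    if unsupported:
        raise ValueError("unsupported $filter field(s): " + ", ".join(unsupported))
    return expr


def _non_negative_int(name, value):
    if not isinstance(value, int) or isinstance(value, bool) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return value


def list_alerts_query(filter_expr=None, top=None, skip=None, count=None):
    """Build the OData query parameters for List Alerts (assumed mapping of
    Filter/Top/Skip/Count onto $filter/$top/$skip/$count)."""
    params = {}
    if filter_expr:
        params["$filter"] = validate_filter(filter_expr, ALERT_FILTER_FIELDS)
    if top is not None:
        params["$top"] = str(_non_negative_int("top", top))
    if skip is not None:
        params["$skip"] = str(_non_negative_int("skip", skip))
    if count is not None:
        params["$count"] = "true" if count else "false"
    return params


def list_incidents_query(filter_expr=None, max_results=None, skip=None,
                         count=None, expand=None):
    """Same for List Incidents; additionally enforces the documented cap of 50."""
    params = {}
    if filter_expr:
        params["$filter"] = validate_filter(filter_expr, INCIDENT_FILTER_FIELDS)
    if max_results is not None:
        n = _non_negative_int("max_results", max_results)
        if n > INCIDENT_MAX_RESULTS:
            raise ValueError(f"max_results {n} exceeds the limit of {INCIDENT_MAX_RESULTS}")
        params["$top"] = str(n)
    if skip is not None:
        params["$skip"] = str(_non_negative_int("skip", skip))
    if count is not None:
        params["$count"] = "true" if count else "false"
    if expand:
        params["$expand"] = expand
    return params


if __name__ == "__main__":
    # Constructed sample inputs mirroring the example requests above.
    print(list_alerts_query("severity eq 'high'", top=3, skip=1, count=True))
    print(list_incidents_query(
        "status eq 'active' or severity eq 'medium' or determination eq 'unknown'",
        max_results=10, skip=2, count=True, expand="alerts"))
```

Catching an unsupported field or an oversized page locally gives a clear error in the playbook run instead of an opaque 400 from the API, and keeps a typo in a field name from silently returning an unfiltered result set.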
Example Request
[
{
"skip": "2",
"count": true,
"expand": "alerts",
"filter": "status eq 'active' or severity eq 'medium' or determination eq 'unknown'",
"max_results": "10"
}
]
Action: Run Hunting Query
This action runs a query on a specified set of event, activity, or entity data to proactively search for specific threats in your environment.
Note
You must have the ThreatHunting.Read.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query to run using Kusto Query Language (KQL). Example: "devicenetworkevents \| where remoteurl contains 'malicious.com'" | Text | Required | |
Time Span | Enter the time range in ISO 8601 duration format to limit the query scope. If your query also specifies a time filter, the shorter of the two will apply. | Text | Optional | Default value is p30d (last 30 days). |
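The Time Span parameter is an ISO 8601 duration, defaults to 30 days, and loses to a narrower time filter written into the query itself. The following is an added example, not code from this page or from the Cyware app, that parses the duration, finds any ago() window inside the KQL, and reports which of the two will actually bound the hunt. It handles only day/time components (weeks, months and years are rejected) and only ago() with d/h/m/s units; the Query/Timespan body keys and the sample query against the constructed domain example.test are assumptions, not taken from this page.

```python
import re
from datetime import timedelta

DEFAULT_TIMESPAN = "P30D"  # the page's documented default (p30d)

# ISO 8601 duration restricted to days and time components. Weeks, months and
# years are deliberately rejected: months and years have no fixed length.
_ISO_DURATION = re.compile(
    r"^P(?!$)(?:(?P<days>\d+)D)?"
    r"(?:T(?!$)(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$",
    re.IGNORECASE,
)

# KQL relative time filters of the form ago(7d), ago(12h), ago(30m), ago(45s).
_KQL_AGO = re.compile(r"ago\(\s*(\d+)\s*([dhms])\s*\)", re.IGNORECASE)
_UNIT = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_duration(text):
    """Convert an ISO 8601 day/time duration such as P30D or PT12H to a timedelta."""
    m = _ISO_DURATION.match(text.strip())
    if not m:
        raise ValueError(f"not a supported ISO 8601 duration: {text!r}")
    parts = {name: int(value) for name, value in m.groupdict().items() if value is not None}
    return timedelta(**parts)


def query_time_filter(kql):
    """Return the narrowest ago() window found in the query, or None if it has none."""
    windows = [timedelta(**{_UNIT[unit.lower()]: int(n)}) for n, unit in _KQL_AGO.findall(kql)]
    return min(windows) if windows else None


def effective_lookback(kql, timespan=None):
    """Lookback the service will actually apply: the shorter of Time Span
    (default 30 days) and any ago() filter inside the query itself."""
    span = parse_duration(timespan or DEFAULT_TIMESPAN)
    inner = query_time_filter(kql)
    return span if inner is None else min(span, inner)


def build_hunting_request(kql, timespan=None):
    """Assemble the request body. The key names Query and Timespan are an
    assumption about what the Run Hunting Query action sends, not taken from
    this page."""
    span = (timespan or DEFAULT_TIMESPAN).upper()
    parse_duration(span)  # fail fast on malformed input instead of at the API
    return {"Query": kql, "Timespan": span}


if __name__ == "__main__":
    # Constructed sample: a hunt for connections to a known-bad domain that
    # already narrows itself to the last 7 days.
    hunt = ("DeviceNetworkEvents | where Timestamp > ago(7d) "
            "| where RemoteUrl contains 'example.test'")
    print(build_hunting_request(hunt, "P30D"))
    print("effective lookback:", effective_lookback(hunt, "P30D"))
```

Knowing the effective window matters when a playbook feeds Time Span from a user input: a long span does not widen a query that already carries its own ago() filter, and a span shorter than the query's filter quietly truncates the results.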
Action: Update Alert
This action updates the properties of an existing alert.
Note
You must have the SecurityAlert.ReadWrite.All permission to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Alert ID | Enter the unique alert ID to identify the record to be updated. Example: da638720128871256214_191497034 | Text | Required | |
Status | Enter the status to update the alert's lifecycle state. | Text | Optional | Allowed values: new, inprogress, resolved, and unknownfuturevalue |
Assigned To | Enter the email or identifier of the owner to assign the alert to a specific user. | Text | Optional | The default value is null. |
Classification | Enter the classification to specify the nature of the alert. | Text | Optional | Allowed values: unknown, falsepositive, truepositive, informationalexpectedactivity, and unknownfuturevalue |
Determination | Enter the determination to provide the final result of the investigation. | Text | Optional | Allowed values: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue |
Custom Details | Enter the key-value pairs to add user-defined custom fields to the alert for additional context. | Key Value | Optional |
Example Request
Action: Update Incident
This action updates the details of an existing incident.
Note
You must have one of the Incident.ReadWrite.All (Read and write all incidents) or Incident.ReadWrite (Read and write incidents) permissions to perform this action.
Permission type: Delegated (work or school account) or Application. Personal Microsoft accounts are not supported.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to update. Example: 2972395 | Text | Required | |
Status | Enter the status of the incident to update. | Text | Optional | Allowed values: active, resolved, redirected, and unknownfuturevalue |
Assigned to | Enter the user or owner to assign the incident to. This can be a username or any identifier. Example: "jdoe@domain.com" | Text | Optional | |
Classification | Enter the classification of the incident. | Text | Optional | Allowed values: unknown, falsepositive, truepositive, informationalexpectedactivity, and unknownfuturevalue. |
Determination | Enter the determination for the incident to indicate its confirmed nature. | Text | Optional | Allowed values: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue |
Description | Enter a description that provides additional context or findings related to the incident. | Text | Optional | |
Resolving Comment | Enter a comment to explain how the incident was resolved or justify the classification decision. | Text | Optional | |
Severity | Enter the severity level of the incident. | Text | Optional | Allowed values: unknown, informational, low, medium, high, and unknownfuturevalue. |
Display Name | Enter a display name for the incident. This name will appear in the Microsoft XDR portal. Example: credential leak - email account | Text | Optional | |
Summary | Enter a summary of the attack, including what occurred, affected assets, and the attack type. | Text | Optional | |
Custom Tags | Enter one or more custom tags to categorize or label the incident. Example: $list[phishing, criticalasset] | List | Optional |
Example Request
[
{
"status": "active",
"severity": "high",
"custom_tags": [
"Credential Theft",
"Phishing",
"Initial Access"
],
"description": "Suspicious login activity detected from a known malicious IP address. Potential compromise of user credentials.",
"incident_id": "2972395",
"display_name": "Possible Credential Leak via Phishing",
"determination": "apt",
"classification": "truePositive"
}
]
Action: Generic Action
This is a generic action used to make requests to any Microsoft Graph Security endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, and DELETE |
Endpoint | Enter the endpoint to make the request to. Example: security/alerts_v2 | Text | Required | |
Payload | Enter the payload to make the request. Example: $JSON[{"key_1": "value_1","key_2": "value_2"}] | Any | Optional | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_json, download, files, filename, retry_wait, retry_count, custom_output, and response_type |
Example Request
[
{
"method": "GET",
"endpoint": "security/alerts_v2/dce5d51769-7085-c101-a1bb-4967905d0cae?$select=id",
"extra_fields": {},
"query_params": {}
}
]