Microsoft 365 Security Products Integration Design - August 2021
© Marius Mocanu, Adrian Grigorof
High Definition available at http://www.managedsentinel.com

(The page is a text extraction of a single architecture diagram. The labels below are the diagram's own text, grouped by the product box they belong to; arrow and annotation labels whose exact endpoints cannot be recovered from the extraction are listed separately at the end.)

Azure Sentinel
  Log Analytics Workspace
  SecurityAlerts Table
  Kusto Query Language Queries / Log Correlation / Enrichment / Log Retention
  Playbooks
  Automation Rules
  Data Connectors
  UEBA
  Workbooks
  Notebooks
  Hunting Scripts
  Threat Intel Feeds

Managed Sentinel (www.managedsentinel.com, https://www.bluevoyant.com)
  Custom Alerts
  24x7 Managed Detection and Response
  Security Investigation
  Third Party Risk
  Threat Intelligence
  Cyber Forensics
  Incident Response
  Vulnerability Management
  Azure Lighthouse
  Remote Management
  SOAR Automation
  M365 Deployment
  Alerts tune-up
  Health Monitoring
  Alert Rules
  KPI Reporting & Monitoring
  MDR Service (arrows from each product to the managed service)

Defender for Office 365 (Microsoft Defender for Office Plan 2)
  Safe Attachments – SharePoint/OneDrive/Teams/Office clients
  Safe Links – Links in emails and documents
  Anti Phishing / Anti Spam
  Office 365 Protection – SharePoint/OneDrive/Teams
  Time of Click Protection – Teams/Outlook
  Threat Explorer
  Threat Tracker
  Campaign Views
  Attack Simulator
  Automated Investigation and Response (AIR)
  Alerts, Alert Policy
  REST APIs, Webhooks
  Reporting, Event Search, User Tagging, Dashboards
  Enhanced Filtering, DKIM, Allow/Block Lists
  Threat Policies, Templates, Policies, Rules
  Via M365 Defender Data Connector (bi-directional)

Microsoft Cloud App Security
  Information Protection
  Threat Detection
  Conditional Access App Control
  Cloud Discovery
  Dashboards, Storage *, Policies, Reports
  Governance Actions
  Via M365 Defender Data Connector (bi-directional)
  Data Retention: Activity log: 180 days; Discovery data: 90 days; Alerts: 180 days; Governance log: 120 days
  Inputs shown: Azure AD; 3rd Party SaaS Applications (Conditional Access App Control, SAML 2.0); Discovery Logs (optional)
  Detections shown: Suspicious inbox manipulation rules; Impossible travel
  Feeds shown: UEBA, Productivity App Discovery, OAuth apps, Conditional Access App Control

Defender for Identity
  ATP sensor on Windows Domain Controller
  Windows Events Monitored: 4776, 4732, 4733, 4728, 4729, 4756, 4757, 7045, 8004
  VPN Gateway (Cisco ASA, Checkpoint, F5, Microsoft) – RADIUS Accounting
  On-Premises Infrastructure
  Advanced Threats Detection
  Attack Surface Reduction
  Alert Investigation
  User and Entity Behavior Analytics (UEBA)
  Storage *, Reports, Notifications, Health
  Activities, Alert, Identity Metadata
  AD Entities, Network Traffic, Windows Events
  Defender for Identities only via MCAS
  Via M365 Defender Data Connector (bi-directional)

Defender for Endpoint
  Threat & Vulnerability Management
  Attack Surface Reduction
  Next Generation Protection
  Automated Threat Investigation
  Microsoft Threat Experts
  Endpoint Detection and Response (EDR)
  Storage *, Reports, Dashboards, Alerts, Rules, Live Response
  Software Inventory, Security Recommendations
  Data Enrichment
  Supported platforms: Android 6.0 and above; Windows OS (Windows 7 SP1, Windows 10); macOS Versions: 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra); Linux
  Alerts, Incidents (security and health)
  Alerts, Incidents, Automated Investigations (security and health)
  Event IDs: 5007, 1121, 1122
  Host Metadata

Azure AD Identity Protection
  Risk Detection
  Risk Investigation
  Risk Remediation
  Minimum Azure AD Premium P2 license
  Reports: Risky users, Risky sign-ins, Risk detections
  Policies: MFA registration, User risk remediation, Sign-in risk remediation
  Alerts, Dashboards
  Governance Actions

Microsoft 365 Compliance
  Data Loss Prevention
  Classification
  Record Management
  Information Governance
  Supervision
  Service Assurance

Microsoft Graph Security REST API
  Data Collection and Normalization
  Analytics – Machine Learning, Insights
  Publish to Internal APIs
  Relationships Discovery
  REST APIs, Webhooks, Graph Explorer, Security Score
  Security Alerts

Microsoft Intelligence (Threat Intelligence)
  Sample zoos
  Dark markets
  Threat feeds
  Sinkholes, honeypots
  Detonation Sandboxes
  Services, IR, Intelligence

Azure Security Center / Azure Defender
  Continuous Assessment & Recommendations
  Azure Secure Score
  Regulatory Compliance
  JIT VM Access
  AAC & Network Hardening
  Dashboards, Alerts, Inventory, Workflow Automation
  REST APIs, Webhooks
  Auto Provisioning
  Vulnerability Scanning
  Automated Remediation
  Threat Protection
  Config checks
  Protected resources: Azure DNS, Resource Manager, Kubernetes, Azure SQL Database, Key Vault, Azure VMs, Storage, Container Registry, IoT, App Services, Network Security Groups, Azure Firewall, Event Hubs, App Gateway, Virtual Networks, Azure AD, Azure Cloud Services, Windows Server
  Threat Detection
  MFA, Access hygiene recommendations, Identity recommendations, Configuration Review, Network Maps, SSL usage
  Centralized Management
  Detection
  3rd Party Cloud Connectors: Policy Mgmt., Vulnerability Mgmt., EDR, Security Compliance
  Security Alerts, Security Recommendations, Security Score, Regulatory compliance, Azure Security Baseline

Arrow and annotation labels (endpoints not recoverable from the extraction)
  Security Alerts (from each product into Azure Sentinel)
  Data Enrichment via API calls
  Real Time app control
  Office 365 | Azure AD
  Detected Events
  Centralized Management – Requires E5 Licenses
  180 days Data Retention
  90 days Data Retention (Audit Trail)
  90 days Data Retention
  Storage * (footnote marker as printed; no footnote text survived the extraction)
