The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.
This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on 'Subject' delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.
Connector Version: 1.0.0
Authored By: Community
Certified: No
You can get authentication tokens to access the security graph APIs using the Without a User - Application Permission method. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-service
Directory.Read.AllDirectory.ReadWrite.AllGroupMember.Read.AllGroup.Read.AllGroup.ReadWrite.AllIdentityRiskyUser.Read.AllMail.ReadBasic.AllMail.ReadMail.ReadWriteSecurityEvents.Read.AllSecurityEvents.ReadWrite.All of type 'Application'Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-microsoft-graph
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Graph API connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant that is assigned to you by the Azure application registration portal. |
| Client ID | Specify the Unique Application ID of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section. |
| Client Secret | Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp. |
| API Version | Specify an API version to be used to perform automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Risky Users List | Retrieves a list of all risky users from Microsoft Graph API. | get_risky_users_list Investigation |
| Get Risky User Details | Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. | get_risky_user_details Investigation |
| Get All Security Alerts | Retrieves a list of all alerts or specific alerts from Microsoft Graph API based on the input parameters you have specified. | get_all_security_alerts Investigation |
| Get Security Alert | Retrieves a specific alert from Microsoft Graph API based on the alert ID you have specified. | get_security_alert Investigation |
| Update Security Alert | Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. | update_security_alert Investigation |
| Get Groups | Retrieves a list of all groups from Microsoft Graph API. | get_groups Investigation |
| Get Users Within A Group | Retrieves a list of all users within a specific group from Microsoft Graph API based on the group ID you have specified. | get_group_users Investigation |
| Search Message in Users Mailbox | Searches for messages based on 'Subject' delivered to the user within the organization using Microsoft Graph API based on the subject and user list you have specified. | search_message Investigation |
| Delete Message | Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. | del_message Investigation |
| Delete Message Bulk | Deletes messages from multiple users' mailboxes in Azure based on the comma-separated list of users you have specified. | del_message_bulk Investigation |
None.
The output contains the following populated JSON schema:
{
"value": [
{
"@odata.type": "",
"id": "",
"isDeleted": "",
"isProcessing": "",
"riskLastUpdatedDateTime": "",
"riskLevel": "",
"riskState": "",
"riskDetail": "",
"userDisplayName": "",
"userPrincipalName": ""
}
]
}
| Parameter | Description |
|---|---|
| Risky User ID | Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API. |
The output contains the following populated JSON schema:
{
"value": [
{
"@odata.type": "",
"id": "",
"isDeleted": "",
"isProcessing": "",
"riskLastUpdatedDateTime": "",
"riskLevel": "",
"riskState": "",
"riskDetail": "",
"userDisplayName": "",
"userPrincipalName": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
| Parameter | Description |
|---|---|
| Vendor | Specify the name of the vendor for the product that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft |
| Provider | Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security |
| Severity | Select the alert severity, which is set by the vendor or provider based on which you want to retrieve alerts using Microsoft Graph API. You can choose one or more of the following options: Unknown, Low, Medium, or High. |
| Search From | Select the DateTime at which the event(s) that served as the trigger(s) to generate the alert you want to retrieve using Microsoft Graph API. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"azureTenantId": "",
"azureSubscriptionId": "",
"riskScore": "",
"tags": [],
"activityGroupName": "",
"assignedTo": "",
"category": "",
"closedDateTime": "",
"comments": [],
"confidence": "",
"createdDateTime": "",
"description": "",
"detectionIds": [],
"eventDateTime": "",
"feedback": "",
"incidentIds": [],
"lastEventDateTime": "",
"lastModifiedDateTime": "",
"recommendedActions": [],
"severity": "",
"sourceMaterials": [],
"status": "",
"title": "",
"vendorInformation": {
"provider": "",
"providerVersion": "",
"subProvider": "",
"vendor": ""
},
"alertDetections": [],
"cloudAppStates": [],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"investigationSecurityStates": [],
"malwareStates": [],
"messageSecurityStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"securityResources": [],
"triggers": [],
"userStates": [],
"uriClickSecurityStates": [],
"vulnerabilityStates": []
}
]
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique Alert ID using which you want to retrieve the specific alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"id": "",
"azureTenantId": "",
"azureSubscriptionId": "",
"riskScore": "",
"tags": "",
"activityGroupName": "",
"assignedTo": "",
"category": "",
"closedDateTime": "",
"comments": "",
"confidence": "",
"createdDateTime": "",
"description": "",
"detectionIds": "",
"eventDateTime": "",
"feedback": "",
"lastModifiedDateTime": "",
"recommendedActions": "",
"severity": "",
"sourceMaterials": "",
"status": "",
"title": "",
"vendorInformation": {
"provider": "",
"providerVersion": "",
"subProvider": "",
"vendor": ""
},
"cloudAppStates": "",
"fileStates": "",
"hostStates": "",
"historyStates": "",
"malwareStates": "",
"networkConnections": "",
"processes": "",
"registryKeyStates": "",
"triggers": "",
"userStates": "",
"vulnerabilityStates": ""
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique Alert ID using which you want to update the specific alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure. |
| Provider | Specify the provider of product or service in Azure that you want to update in the specific alert in Azure. For example, WindowsDefenderATP. |
| Vendor | Specify the name of the vendor of the alert that you want to update in the specific alert in Azure. For example, Microsoft. |
| Assigned To | (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure. |
| Update Time Closed | (Optional) Specify the DateTime at which the alert was closed that you want to update in the specific alert in Azure. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
| Feedback | (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: unknown, truePositive, falsePositive, or benignPositive. |
| Comments | (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS. |
| Status | (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: unknown, newAlert, inProgress, or resolved. |
| Tags | (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators. |
| Provider Version | (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure. |
| Subprovider | (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen |
The output contains a non-dictionary value.
None.
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"deletedDateTime": "",
"classification": "",
"createdDateTime": "",
"description": "",
"displayName": "",
"expirationDateTime": "",
"groupTypes": [],
"isAssignableToRole": "",
"mail": "",
"mailEnabled": "",
"mailNickname": "",
"membershipRule": "",
"membershipRuleProcessingState": "",
"onPremisesLastSyncDateTime": "",
"onPremisesSecurityIdentifier": "",
"onPremisesSyncEnabled": "",
"preferredDataLocation": "",
"preferredLanguage": "",
"proxyAddresses": [],
"renewedDateTime": "",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [],
"securityEnabled": "",
"theme": "",
"visibility": "",
"onPremisesProvisioningErrors": []
}
]
}
| Parameter | Description |
|---|---|
| Group ID | Specify an ID of the group whose users you want to retrieve from Microsoft Graph. Note: To get the 'Group ID' use the 'Get Groups' operation. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"mail": ""
}
]
}
| Parameter | Description |
|---|---|
| Subject | Specify a subject based on which you want to search messages in Azure. |
| User List | Specify a comma-separated list of user IDs based on which you want to search messages in Azure. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"@odata.etag": "",
"id": "",
"subject": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
}
}
]
}
| Parameter | Description |
|---|---|
| User ID | Specify the ID of the user based on which you want to delete the specific message from Azure. |
| Message ID | Specify the ID of the message that you want to delete from Azure. |
The output contains the following populated JSON schema:
{
"status_code": ""
}
| Parameter | Description |
|---|---|
| User List | Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, i.e., [{'user_id':", 'message_id':"}, ...] based on which you want to delete bulk messages in Azure. |
The output contains a non-dictionary value.
The Sample - Microsoft Graph API - 1.0.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.
This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on 'Subject' delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.
Connector Version: 1.0.0
Authored By: Community
Certified: No
You can get authentication tokens to access the security graph APIs using the Without a User - Application Permission method. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-service
Directory.Read.AllDirectory.ReadWrite.AllGroupMember.Read.AllGroup.Read.AllGroup.ReadWrite.AllIdentityRiskyUser.Read.AllMail.ReadBasic.AllMail.ReadMail.ReadWriteSecurityEvents.Read.AllSecurityEvents.ReadWrite.All of type 'Application'Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-microsoft-graph
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Graph API connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant that is assigned to you by the Azure application registration portal. |
| Client ID | Specify the Unique Application ID of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section. |
| Client Secret | Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp. |
| API Version | Specify an API version to be used to perform automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Risky Users List | Retrieves a list of all risky users from Microsoft Graph API. | get_risky_users_list Investigation |
| Get Risky User Details | Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. | get_risky_user_details Investigation |
| Get All Security Alerts | Retrieves a list of all alerts or specific alerts from Microsoft Graph API based on the input parameters you have specified. | get_all_security_alerts Investigation |
| Get Security Alert | Retrieves a specific alert from Microsoft Graph API based on the alert ID you have specified. | get_security_alert Investigation |
| Update Security Alert | Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. | update_security_alert Investigation |
| Get Groups | Retrieves a list of all groups from Microsoft Graph API. | get_groups Investigation |
| Get Users Within A Group | Retrieves a list of all users within a specific group from Microsoft Graph API based on the group ID you have specified. | get_group_users Investigation |
| Search Message in Users Mailbox | Searches for messages based on 'Subject' delivered to the user within the organization using Microsoft Graph API based on the subject and user list you have specified. | search_message Investigation |
| Delete Message | Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. | del_message Investigation |
| Delete Message Bulk | Deletes messages from multiple users' mailboxes in Azure based on the comma-separated list of users you have specified. | del_message_bulk Investigation |
None.
The output contains the following populated JSON schema:
{
"value": [
{
"@odata.type": "",
"id": "",
"isDeleted": "",
"isProcessing": "",
"riskLastUpdatedDateTime": "",
"riskLevel": "",
"riskState": "",
"riskDetail": "",
"userDisplayName": "",
"userPrincipalName": ""
}
]
}
| Parameter | Description |
|---|---|
| Risky User ID | Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API. |
The output contains the following populated JSON schema:
{
"value": [
{
"@odata.type": "",
"id": "",
"isDeleted": "",
"isProcessing": "",
"riskLastUpdatedDateTime": "",
"riskLevel": "",
"riskState": "",
"riskDetail": "",
"userDisplayName": "",
"userPrincipalName": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
| Parameter | Description |
|---|---|
| Vendor | Specify the name of the vendor for the product that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft |
| Provider | Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security |
| Severity | Select the alert severity, which is set by the vendor or provider based on which you want to retrieve alerts using Microsoft Graph API. You can choose one or more of the following options: Unknown, Low, Medium, or High. |
| Search From | Select the DateTime at which the event(s) that served as the trigger(s) to generate the alert you want to retrieve using Microsoft Graph API. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"azureTenantId": "",
"azureSubscriptionId": "",
"riskScore": "",
"tags": [],
"activityGroupName": "",
"assignedTo": "",
"category": "",
"closedDateTime": "",
"comments": [],
"confidence": "",
"createdDateTime": "",
"description": "",
"detectionIds": [],
"eventDateTime": "",
"feedback": "",
"incidentIds": [],
"lastEventDateTime": "",
"lastModifiedDateTime": "",
"recommendedActions": [],
"severity": "",
"sourceMaterials": [],
"status": "",
"title": "",
"vendorInformation": {
"provider": "",
"providerVersion": "",
"subProvider": "",
"vendor": ""
},
"alertDetections": [],
"cloudAppStates": [],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"investigationSecurityStates": [],
"malwareStates": [],
"messageSecurityStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"securityResources": [],
"triggers": [],
"userStates": [],
"uriClickSecurityStates": [],
"vulnerabilityStates": []
}
]
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique Alert ID using which you want to retrieve the specific alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"id": "",
"azureTenantId": "",
"azureSubscriptionId": "",
"riskScore": "",
"tags": "",
"activityGroupName": "",
"assignedTo": "",
"category": "",
"closedDateTime": "",
"comments": "",
"confidence": "",
"createdDateTime": "",
"description": "",
"detectionIds": "",
"eventDateTime": "",
"feedback": "",
"lastModifiedDateTime": "",
"recommendedActions": "",
"severity": "",
"sourceMaterials": "",
"status": "",
"title": "",
"vendorInformation": {
"provider": "",
"providerVersion": "",
"subProvider": "",
"vendor": ""
},
"cloudAppStates": "",
"fileStates": "",
"hostStates": "",
"historyStates": "",
"malwareStates": "",
"networkConnections": "",
"processes": "",
"registryKeyStates": "",
"triggers": "",
"userStates": "",
"vulnerabilityStates": ""
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique Alert ID using which you want to update the specific alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure. |
| Provider | Specify the provider of product or service in Azure that you want to update in the specific alert in Azure. For example, WindowsDefenderATP. |
| Vendor | Specify the name of the vendor of the alert that you want to update in the specific alert in Azure. For example, Microsoft. |
| Assigned To | (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure. |
| Update Time Closed | (Optional) Specify the DateTime at which the alert was closed that you want to update in the specific alert in Azure. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
| Feedback | (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: unknown, truePositive, falsePositive, or benignPositive. |
| Comments | (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS. |
| Status | (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: unknown, newAlert, inProgress, or resolved. |
| Tags | (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators. |
| Provider Version | (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure. |
| Subprovider | (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen |
The output contains a non-dictionary value.
None.
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"deletedDateTime": "",
"classification": "",
"createdDateTime": "",
"description": "",
"displayName": "",
"expirationDateTime": "",
"groupTypes": [],
"isAssignableToRole": "",
"mail": "",
"mailEnabled": "",
"mailNickname": "",
"membershipRule": "",
"membershipRuleProcessingState": "",
"onPremisesLastSyncDateTime": "",
"onPremisesSecurityIdentifier": "",
"onPremisesSyncEnabled": "",
"preferredDataLocation": "",
"preferredLanguage": "",
"proxyAddresses": [],
"renewedDateTime": "",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [],
"securityEnabled": "",
"theme": "",
"visibility": "",
"onPremisesProvisioningErrors": []
}
]
}
| Parameter | Description |
|---|---|
| Group ID | Specify an ID of the group whose users you want to retrieve from Microsoft Graph. Note: To get the 'Group ID' use the 'Get Groups' operation. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"id": "",
"mail": ""
}
]
}
| Parameter | Description |
|---|---|
| Subject | Specify a subject based on which you want to search messages in Azure. |
| User List | Specify a comma-separated list of user IDs based on which you want to search messages in Azure. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"@odata.etag": "",
"id": "",
"subject": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
}
}
]
}
| Parameter | Description |
|---|---|
| User ID | Specify the ID of the user based on which you want to delete the specific message from Azure. |
| Message ID | Specify the ID of the message that you want to delete from Azure. |
The output contains the following populated JSON schema:
{
"status_code": ""
}
| Parameter | Description |
|---|---|
| User List | Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, i.e., [{'user_id':", 'message_id':"}, ...] based on which you want to delete bulk messages in Azure. |
The output contains a non-dictionary value.
The Sample - Microsoft Graph API - 1.0.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.