Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Microsoft Graph API

    Home FortiSOAR Connectors Microsoft Graph API
    1.1.0
    2.1.0
    2.0.0
    1.1.0
    1.0.0

    Microsoft Graph API v1.1.0

    About the connector

    The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.

    This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on Subject delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.

    Version information

    Connector Version: 1.1.0

    Authored By: Fortinet

    Certified: Yes

    FortiSOAR™ Version Tested on: 7.3.1-2105

    Microsoft Graph API Version Tested on: v1

    Release Notes for version 1.1.0

    Following enhancements have been made to the Microsoft Graph API Connector in version 1.1.0:

    • Added the following new operations and playbooks:
      • Revoke User Session
      • Get All Named Locations
      • Block New IP Ranges
    • Upgraded connector dependency from adal to msal.
    • Added Page Size and Offset parameters in Search Message in Users Mailbox action.
    • removed Update Time Closed parameter from Update Security Alert action.

    Getting Access Tokens

    You can get authentication tokens to access the security graph APIs using the Without a User- Application Permission method. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-service.

    Getting Access Tokens using the Without a User - Application Permission method

    1. Ensure that the required permissions are granted for the registration of the application.
      For example, for a Microsoft Graph User: API/Permission name that should be granted is:
      • Directory.Read.All
      • Directory.ReadWrite.All
      • GroupMember.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • IdentityRiskyUser.Read.All
      • Mail.ReadBasic.All
      • Mail.Read
      • Mail.ReadWrite
      • SecurityEvents.Read.All
      • SecurityEvents.ReadWrite.All
      • Policy.Read.All
      • Policy.ReadWrite.ConditionalAccess of type Application
    2. Enter your client ID in the Client ID parameter field.
    3. Enter your client secret in the Client Secret parameter field.
    4. Enter your tenant ID in the Tenant ID parameter field.

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:
    yum install cyops-connector-microsoft-graph

    Prerequisites to configuring the connector

    • You must have the Tenant and Client ID for your Azure Active Directory instance to which you will connect and perform automated operations and the Client secret to access that instance.
    • Ensure that host login.microsoftonline.com on port 443 is whitelisted.

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Graph API connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

    Parameter Description
    Tenant ID Specify the ID of the tenant assigned to you by the Azure application registration portal.
    Client ID Specify the Unique Application ID of the Azure Active Directory application to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section.
    Client Secret Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
    API Version Specify an API version to be used to perform automated operations.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Get Risky Users List Retrieves a list of all risky users from Microsoft Graph API. get_risky_users_list
    Investigation
    Get Risky User Details Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. get_risky_user_details
    Investigation
    Get All Security Alerts Retrieves a list of alerts from Microsoft Graph API based on the input parameters you have specified. get_all_security_alerts
    Investigation
    Get Security Alert Retrieves details of a specific alert from Microsoft Graph API based on the alert ID you have specified. get_security_alert
    Investigation
    Update Security Alert Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. update_security_alert
    Investigation
    Get Groups Retrieves a list of groups from Microsoft Graph API. get_groups
    Investigation
    Get Users Within A Group Retrieves a list of users within a specific group from Microsoft Graph API based on the group ID you have specified. get_group_users
    Investigation
    Search Message in Users Mailbox Searches for messages in a user's mailbox within an organization based on the Subject and user list you have specified. search_message
    Investigation
    Delete Message Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. del_message
    Investigation
    Delete Message Bulk Deletes messages from multiple users mailboxes in Azure based on the comma-separated list of users you have specified. del_message_bulk
    Investigation
    Revoke User Session Invalidates all the refresh tokens issued to applications for a user. revoke_user_sessions
    Remediation
    Get All Named Locations Retrieves a list of named location from Azure based on display name, sort order, and other input parameters that you have specified. get_all_named_locations
    Investigation
    Block New IP Ranges Blocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. block_new_ips
    Containment

    operation: Get Risky Users List

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:
    {
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLastUpdatedDateTime": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "userDisplayName": "",
    "userPrincipalName": ""
    }
    ]
    }

    operation: Get Risky User Details

    Input parameters

    Parameter Description
    Risky User ID Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLastUpdatedDateTime": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "userDisplayName": "",
    "userPrincipalName": ""
    }
    ]
    }

    operation: Get All Security Alerts

    Input parameters

    Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

    Parameter Description
    Vendor Specify the name of the product vendor that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft
    Provider Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security
    Severity Select the alert severity, set by the vendor or provider, to retrieve alerts using Microsoft Graph API. You can choose from the following options:
    • Unknown
    • Low
    • Medium
    • High
    • Informational
    Search From Select the date and time of alert triggering event(s) to retrieve using Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
    "provider": "",
    "providerVersion": "",
    "subProvider": "",
    "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
    }
    ]
    }

    operation: Get Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique Alert ID to retrieve that alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": "",
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": "",
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": "",
    "eventDateTime": "",
    "feedback": "",
    "lastModifiedDateTime": "",
    "recommendedActions": "",
    "severity": "",
    "sourceMaterials": "",
    "status": "",
    "title": "",
    "vendorInformation": {
    "provider": "",
    "providerVersion": "",
    "subProvider": "",
    "vendor": ""
    },
    "cloudAppStates": "",
    "fileStates": "",
    "hostStates": "",
    "historyStates": "",
    "malwareStates": "",
    "networkConnections": "",
    "processes": "",
    "registryKeyStates": "",
    "triggers": "",
    "userStates": "",
    "vulnerabilityStates": ""
    }

    operation: Update Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique alert ID to update that alert through Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.
    Provider Specify the provider of product or service in Azure to update in the specific alert in Azure. For example, WindowsDefenderATP.
    Vendor Specify the name of the vendor to update in the specific alert in Azure. For example, Microsoft.
    Assigned To (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure.
    Feedback (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, True Positive, False Positive, or Benign Positive.
    Comments (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS.
    Status (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, New Alert, In Progress, or Resolved.
    Tags (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators.
    Provider Version (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure.
    Subprovider (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen

    Output

    The output contains a non-dictionary value.

    operation: Get Groups

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "deletedDateTime": "",
    "classification": "",
    "createdDateTime": "",
    "description": "",
    "displayName": "",
    "expirationDateTime": "",
    "groupTypes": [],
    "isAssignableToRole": "",
    "mail": "",
    "mailEnabled": "",
    "mailNickname": "",
    "membershipRule": "",
    "membershipRuleProcessingState": "",
    "onPremisesLastSyncDateTime": "",
    "onPremisesSecurityIdentifier": "",
    "onPremisesSyncEnabled": "",
    "preferredDataLocation": "",
    "preferredLanguage": "",
    "proxyAddresses": [],
    "renewedDateTime": "",
    "resourceBehaviorOptions": [],
    "resourceProvisioningOptions": [],
    "securityEnabled": "",
    "theme": "",
    "visibility": "",
    "onPremisesProvisioningErrors": []
    }
    ]
    }

    operation: Get Users Within A Group

    Input parameters

    Parameter Description
    Group ID Specify an ID of the group whose users you want to retrieve from Microsoft Graph.
    Note: To get the Group ID use the Get Groups operation.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "mail": ""
    }
    ]
    }

    operation: Search Message in Users Mailbox

    Input parameters

    Parameter Description
    Subject Specify a subject based on which you want to search messages in Azure.
    User List Specify a comma-separated list of user IDs based on which you want to search messages in Azure.
    Page Size (Optional) Number of messages you want to retrieve per user in this request. Default page size is 10. Page size should be between 1 to 1000
    Offset (Optional) Number of messages you want to skip for each in this request.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "@odata.etag": "",
    "id": "",
    "subject": "",
    "sender": {
    "emailAddress": {
    "name": "",
    "address": ""
    }
    }
    }
    ]
    }

    operation: Delete Message

    Input parameters

    Parameter Description
    User ID Specify the ID of the user based on which you want to delete the specific message from Azure.
    Message ID Specify the ID of the message that you want to delete from Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "status_code": ""
    }

    operation: Delete Message Bulk

    Input parameters

    Parameter Description
    User List Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, i.e., [{'user_id':", 'message_id':"}, ...] based on which you want to delete bulk messages in Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "Error_List": [
    {
    "error_msg": "",
    "user_id": {
    "user_id": "",
    "message_id": ""
    }
    }
    ],
    "Message_Deleted_List": [
    {
    "msg_deleted": "",
    "user_id": {
    "user_id": "",
    "message_id": ""
    }
    }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
    }

    operation: Revoke User Session

    Input parameters

    Parameter Description
    User ID or PrincipalName Specify the User ID or PrincipalName of the user whose refresh tokens you want to invalidate (revoke) from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": ""
    }

    operation: Get All Named Locations

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to retrieve from Azure.
    Required Fields (Optional) Specify filters properties (columns) to retrieve only specified fields in response from Azure. You can choose one or more from ID, Display Name, Created Date Time and Modified Date Time
    Order By (Optional) Select the sort order criterion to sort the results. Select the sorting order in Sort Order field. You can choose from following options:
    • ID
    • Display Name
    • Created Date Time
    • Modified Date Time
    Sort Order (Conditional - This field appears after selecting an order criterion in Order By field)
    Specify the sort order from the following options:
    • Ascending
    • Descending
    • By default it retrieves named locations in ascending order.
    Count Select to retrieve the total count of named locations matched in Azure. By default it is set to false.
    Size (Optional) Specify the number of named locations to retrieve in this request.
    Offset (Optional) Specify the number of named locations you want to skip in this request.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": false,
    "ipRanges": [
    {
    "@odata.type": "",
    "cidrAddress": ""
    }
    ]
    }
    ]
    }

    operation: Block New IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique Named Location ID for which you want block the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be blocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. e.g. 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in allowable IPv6 format, defined in IETF RFC5962, to be blocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. e.g. 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
    {
    "@odata.type": "",
    "cidrAddress": ""
    }
    ]
    }

    Included playbooks

    The Sample - Microsoft Graph API - 1.1.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.

    • Block New IP Ranges
    • Delete Message
    • Delete Message Bulk
    • Get All Named Locations
    • Get All Security Alerts
    • Get Groups
    • Get Risky User Details
    • Get Risky Users List
    • Get Security Alert
    • Get Users Within A Group
    • Search Message in Users Mailbox
    • Update Security Alert
    • Revoke User Session

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next

    Microsoft Graph API v1.1.0

    About the connector

    The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.

    This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on Subject delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.

    Version information

    Connector Version: 1.1.0

    Authored By: Fortinet

    Certified: Yes

    FortiSOAR™ Version Tested on: 7.3.1-2105

    Microsoft Graph API Version Tested on: v1

    Release Notes for version 1.1.0

    Following enhancements have been made to the Microsoft Graph API Connector in version 1.1.0:

    Getting Access Tokens

    You can get authentication tokens to access the security graph APIs using the Without a User- Application Permission method. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-service.

    Getting Access Tokens using the Without a User - Application Permission method

    1. Ensure that the required permissions are granted for the registration of the application.
      For example, for a Microsoft Graph User: API/Permission name that should be granted is:
      • Directory.Read.All
      • Directory.ReadWrite.All
      • GroupMember.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • IdentityRiskyUser.Read.All
      • Mail.ReadBasic.All
      • Mail.Read
      • Mail.ReadWrite
      • SecurityEvents.Read.All
      • SecurityEvents.ReadWrite.All
      • Policy.Read.All
      • Policy.ReadWrite.ConditionalAccess of type Application
    2. Enter your client ID in the Client ID parameter field.
    3. Enter your client secret in the Client Secret parameter field.
    4. Enter your tenant ID in the Tenant ID parameter field.

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:
    yum install cyops-connector-microsoft-graph

    Prerequisites to configuring the connector

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Graph API connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

    Parameter Description
    Tenant ID Specify the ID of the tenant assigned to you by the Azure application registration portal.
    Client ID Specify the Unique Application ID of the Azure Active Directory application to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section.
    Client Secret Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
    API Version Specify an API version to be used to perform automated operations.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Get Risky Users List Retrieves a list of all risky users from Microsoft Graph API. get_risky_users_list
    Investigation
    Get Risky User Details Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. get_risky_user_details
    Investigation
    Get All Security Alerts Retrieves a list of alerts from Microsoft Graph API based on the input parameters you have specified. get_all_security_alerts
    Investigation
    Get Security Alert Retrieves details of a specific alert from Microsoft Graph API based on the alert ID you have specified. get_security_alert
    Investigation
    Update Security Alert Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. update_security_alert
    Investigation
    Get Groups Retrieves a list of groups from Microsoft Graph API. get_groups
    Investigation
    Get Users Within A Group Retrieves a list of users within a specific group from Microsoft Graph API based on the group ID you have specified. get_group_users
    Investigation
    Search Message in Users Mailbox Searches for messages in a user's mailbox within an organization based on the Subject and user list you have specified. search_message
    Investigation
    Delete Message Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. del_message
    Investigation
    Delete Message Bulk Deletes messages from multiple users mailboxes in Azure based on the comma-separated list of users you have specified. del_message_bulk
    Investigation
    Revoke User Session Invalidates all the refresh tokens issued to applications for a user. revoke_user_sessions
    Remediation
    Get All Named Locations Retrieves a list of named location from Azure based on display name, sort order, and other input parameters that you have specified. get_all_named_locations
    Investigation
    Block New IP Ranges Blocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. block_new_ips
    Containment

    operation: Get Risky Users List

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:
    {
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLastUpdatedDateTime": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "userDisplayName": "",
    "userPrincipalName": ""
    }
    ]
    }

    operation: Get Risky User Details

    Input parameters

    Parameter Description
    Risky User ID Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLastUpdatedDateTime": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "userDisplayName": "",
    "userPrincipalName": ""
    }
    ]
    }

    operation: Get All Security Alerts

    Input parameters

    Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

    Parameter Description
    Vendor Specify the name of the product vendor that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft
    Provider Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security
    Severity Select the alert severity, set by the vendor or provider, to retrieve alerts using Microsoft Graph API. You can choose from the following options:
    • Unknown
    • Low
    • Medium
    • High
    • Informational
    Search From Select the date and time of alert triggering event(s) to retrieve using Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
    "provider": "",
    "providerVersion": "",
    "subProvider": "",
    "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
    }
    ]
    }

    operation: Get Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique Alert ID to retrieve that alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": "",
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": "",
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": "",
    "eventDateTime": "",
    "feedback": "",
    "lastModifiedDateTime": "",
    "recommendedActions": "",
    "severity": "",
    "sourceMaterials": "",
    "status": "",
    "title": "",
    "vendorInformation": {
    "provider": "",
    "providerVersion": "",
    "subProvider": "",
    "vendor": ""
    },
    "cloudAppStates": "",
    "fileStates": "",
    "hostStates": "",
    "historyStates": "",
    "malwareStates": "",
    "networkConnections": "",
    "processes": "",
    "registryKeyStates": "",
    "triggers": "",
    "userStates": "",
    "vulnerabilityStates": ""
    }

    operation: Update Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique alert ID to update that alert through Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.
    Provider Specify the provider of product or service in Azure to update in the specific alert in Azure. For example, WindowsDefenderATP.
    Vendor Specify the name of the vendor to update in the specific alert in Azure. For example, Microsoft.
    Assigned To (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure.
    Feedback (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, True Positive, False Positive, or Benign Positive.
    Comments (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS.
    Status (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, New Alert, In Progress, or Resolved.
    Tags (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators.
    Provider Version (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure.
    Subprovider (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen

    Output

    The output contains a non-dictionary value.

    operation: Get Groups

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "deletedDateTime": "",
    "classification": "",
    "createdDateTime": "",
    "description": "",
    "displayName": "",
    "expirationDateTime": "",
    "groupTypes": [],
    "isAssignableToRole": "",
    "mail": "",
    "mailEnabled": "",
    "mailNickname": "",
    "membershipRule": "",
    "membershipRuleProcessingState": "",
    "onPremisesLastSyncDateTime": "",
    "onPremisesSecurityIdentifier": "",
    "onPremisesSyncEnabled": "",
    "preferredDataLocation": "",
    "preferredLanguage": "",
    "proxyAddresses": [],
    "renewedDateTime": "",
    "resourceBehaviorOptions": [],
    "resourceProvisioningOptions": [],
    "securityEnabled": "",
    "theme": "",
    "visibility": "",
    "onPremisesProvisioningErrors": []
    }
    ]
    }

    operation: Get Users Within A Group

    Input parameters

    Parameter Description
    Group ID Specify an ID of the group whose users you want to retrieve from Microsoft Graph.
    Note: To get the Group ID use the Get Groups operation.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "id": "",
    "mail": ""
    }
    ]
    }

    operation: Search Message in Users Mailbox

    Input parameters

    Parameter Description
    Subject Specify a subject based on which you want to search messages in Azure.
    User List Specify a comma-separated list of user IDs based on which you want to search messages in Azure.
    Page Size (Optional) Number of messages you want to retrieve per user in this request. Default page size is 10. Page size should be between 1 to 1000
    Offset (Optional) Number of messages you want to skip for each in this request.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "@odata.etag": "",
    "id": "",
    "subject": "",
    "sender": {
    "emailAddress": {
    "name": "",
    "address": ""
    }
    }
    }
    ]
    }

    operation: Delete Message

    Input parameters

    Parameter Description
    User ID Specify the ID of the user based on which you want to delete the specific message from Azure.
    Message ID Specify the ID of the message that you want to delete from Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "status_code": ""
    }

    operation: Delete Message Bulk

    Input parameters

    Parameter Description
    User List Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, i.e., [{'user_id':", 'message_id':"}, ...] based on which you want to delete bulk messages in Azure.

    Output

    The output contains the following populated JSON schema:
    {
    "Error_List": [
    {
    "error_msg": "",
    "user_id": {
    "user_id": "",
    "message_id": ""
    }
    }
    ],
    "Message_Deleted_List": [
    {
    "msg_deleted": "",
    "user_id": {
    "user_id": "",
    "message_id": ""
    }
    }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
    }

    operation: Revoke User Session

    Input parameters

    Parameter Description
    User ID or PrincipalName Specify the User ID or PrincipalName of the user whose refresh tokens you want to invalidate (revoke) from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": ""
    }

    operation: Get All Named Locations

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to retrieve from Azure.
    Required Fields (Optional) Specify filters properties (columns) to retrieve only specified fields in response from Azure. You can choose one or more from ID, Display Name, Created Date Time and Modified Date Time
    Order By (Optional) Select the sort order criterion to sort the results. Select the sorting order in Sort Order field. You can choose from following options:
    • ID
    • Display Name
    • Created Date Time
    • Modified Date Time
    Sort Order (Conditional - This field appears after selecting an order criterion in Order By field)
    Specify the sort order from the following options:
    • Ascending
    • Descending
    • By default it retrieves named locations in ascending order.
    Count Select to retrieve the total count of named locations matched in Azure. By default it is set to false.
    Size (Optional) Specify the number of named locations to retrieve in this request.
    Offset (Optional) Specify the number of named locations you want to skip in this request.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": [
    {
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": false,
    "ipRanges": [
    {
    "@odata.type": "",
    "cidrAddress": ""
    }
    ]
    }
    ]
    }

    operation: Block New IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique Named Location ID for which you want block the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be blocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. e.g. 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in allowable IPv6 format, defined in IETF RFC5962, to be blocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. e.g. 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
    {
    "@odata.type": "",
    "cidrAddress": ""
    }
    ]
    }

    Included playbooks

    The Sample - Microsoft Graph API - 1.1.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next