We are happy to announce Microsoft Graph Security connectors for Azure Logic Apps, Microsoft Flow, and PowerApps, which greatly simplify the development of automated security workflows. By building playbooks that use the Microsoft Graph Security connector, you can automate common security tasks across multiple security solutions. This reduces the time and resources required to triage, investigate, and remediate security alerts, without the cost and complexity of building and maintaining multiple integrations. For further details on integrating with the Microsoft Graph Security API, learn about the API and access the schema.
Use these connectors now in your existing workflows or create new workflows. The steps are similar for Azure Logic Apps, Flow, and PowerApps. We’ll use Azure Logic Apps as an example here. Refer to the documentation and connector reference for further details.
The Microsoft Graph Security connectors enable the following actions:
You can mash up the Microsoft Graph Security connector with the 200+ Microsoft and non-Microsoft connectors available for Azure Logic Apps, Flow and PowerApps to build end-to-end scenarios based on your requirements. We have provided a few examples of scenarios that can be enabled using the Microsoft Graph Security and other connectors.
Automating Security Monitoring and Management
It’s always been a challenge to get notified of critical alerts that needs immediate action in an automated manner. At the same time, not all alerts are of equal priority and needs to be handled differently for optimal security management. You can now use the Microsoft Graph Security connector to get your high severity alerts across various security products like Azure Security Center, Windows Defender ATP, Palo Alto Networks, etc. and route those for immediate action. This example workflow below segregates alerts based on severity and routes high severity alerts for investigations.
Automating Security Response Handling
To reduce the workload of security analysts, alerts about suspicious user actions, such as logging in from unusual locations or atypical data access, can be investigated further and in some cases automatically resolved with input from the user in question. An example workflow for this using the Microsoft Graph Security Connector is as follows.
Automating Security Investigations
The often-manual process of correlating related alerts during an investigation can be automated using the Microsoft Graph Security connector. In this example workflow, all recent alerts for the host IP being investigated are automatically collected. This same example can be leveraged to find alerts for a specific file, user, or process user under investigation or other alert properties.
We are working on templates for the Microsoft Graph Security connector to simplify the process of building your security playbooks. Fill out the feedback form to help us design templates for the workflows you need most.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.