Building API-first solutions that aid modern Zero Trust infrastructure
Published May 17 2022 12:00 PM 5,372 Views



I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In this Voice of the ISV blog post, Jeremy Goldstein, Product Marketing Manager, and David Baldwin, Director of Product Management at SentinelOne, explain how Singularity XDR and Azure Active Directory work together to address the challenge of managing high volumes of alerts and integrating processes between security tools, through the API-first development model created by SentinelOne. 




One of the biggest pain points in security operations centers is the volume of alerts and CTRL-“C”/CTRL-“V” workflow. Cutting and pasting information generated by one security tool into another is repetitive, slows response times, and keeps businesses one step behind attackers. When we understand that the average security operations center uses dozens of tools sourced from a wide selection of vendors, the need for automation and interoperability becomes crystal clear. As a security provider focused on helping organizations adopt Zero Trust principles—namely, explicit verification, use of least privileged access, and assumption of breach—SentinelOne works with Microsoft and other security experts to address these needs.  


To create solutions like SentinelOne Singularity XDR, which works with Azure Active Directory (Azure AD) to enact real-time remediation measures using AI and automation, SentinelOne has adopted an API-first development model. We create features as an API before they ever show up in the console. This practice makes it easier for customers and partners to work with us. The same is true when Microsoft releases new APIs relevant to our Extended Detection Response (XDR) platform. We can act fast and get beneficial new features and functionalities to our customers in the shortest time frame possible. The riskyUser API, which provides programmatic access to all your at-risk users in Azure AD, is a prime example of the benefits of an API-first strategy.  


Azure AD Identity Protection detects and defines risky users through a number of factors, including any account-related actions identified as suspicious. Risk detections, linked to both user and sign-in, contribute to the overall user risk score generated by a Risky Users report. Learn more about Identity Protection in Azure AD here. 


Deliver services your customers need, faster than they expect 

When Microsoft released the riskyUser API, along with its companion confirmCompromised API, which marks users as high risk in Azure AD, we saw an opportunity to eliminate some manual labor for our customers. Basically, with these new APIs we can automatically adjust a user’s risk score and compromised status, which in turn effects customer-selected Conditional Access parameters that limit that user’s access. SentinelOne then adds the user’s new risk state to the automatically generated incident notes. 


As an example of how the APIs work, let’s presume I have malware on my laptop. For a malicious actor, compromising my identity is an easy next step. We must assume that if my endpoint is compromised, my credentials—and those of anyone who shares my endpoint—are too. An identity compromised like this would give a malicious actor much greater access to my organization and its proprietary data. That’s where automated risk elevation comes into play. Singularity XDR informs Azure AD in real time via the riskyUser API that it detects malware on my machine, and that I’m confirmed as compromised. Remediating actions, defined and customized by my workplace, then automatically take place.  


Due to our agile development practices and because Microsoft maximizes ease of use for its new APIs, it took only three weeks after we learned about the potential functionality of the riskyUser API to complete a very solid proof of concept (POC). The POC showed a 5- to 10-minute reduction in manual, cut-and-paste data entry between security tools for our customers, per incident. For an action that large organizations repeat dozens of times a day, this adds up to massive savings. And better yet, because these actions are automated in real time, organizations implementing them can keep pace with even the most dedicated of threat actors. Our customers benefit as much from security operations center productivity as they do from functional security. 


Interoperation and automation make it easy to adopt Zero Trust principles 

Especially for customers still in the beginning stages of their Zero Trust journey, interoperations like those we’ve created with the riskyUser API and confirmCompromised API go beyond the immediate benefits. Yes, these users will gain the immediate benefit of controlling the actions of a compromised user identity once a threat has become detected, but they also gain confidence in Zero Trust principles.  


This opens the door to broader conversations around Conditional Access or further expanding Zero Trust principles across the customer’s line of business and software as a service (SaaS) applications integrated with Azure AD. From explicit verification, for instance, access decisions require multiple points of input to determine their validity. Compromised endpoints are vastly more identifiable, as are the real identities of users. By using the least privileged access necessary, attackers are prevented from using credentials-based trust to further breach organizational systems. This prevents the retention of the “super admin” access that attackers so frequently target. Assumption of breach reduces the potential attack surface by disallowing access by default instead of waiting around for a potential breach to happen before shoring up credential-based access.  


When a customer can use best-in-breed solutions like Azure AD and Singularity XDR together, it’s only a win. For real-time Zero Trust implementations to work, we need to focus on the kind of interoperability that API-first development generates. That’s why our ethos, in alignment with Microsoft, is to generate flexibility, integration, and choice in adopting Zero Trust.  


There is a massive shortage of talent in the data security industry. Automation, especially the kind that works across tools from multiple providers, helps security organizations of all sizes make the most of their human capital. This improves efficiency as much as de facto security. At SentinelOne, we work with security solution providers like Microsoft with the shared goal of making it simpler for organizations of all sizes to begin their Zero Trust security journey, to everyone’s benefit.  


Find out more about SentinelOne on Twitter, Facebook, YouTube, and LinkedIn. 



Learn more about Microsoft identity: 

Version history
Last update:
‎May 11 2022 08:20 AM
Updated by: