Graph Security API - Specific service permissions?


We have configured our application and granted "SecurityEvents.ReadAll" permissions to be able to pull alerts, and we can see alerts from Sentinel, Security Center, Microsoft 365 Alerts and so forth. From my research it seems the scopes for Graph permissions are the following. Is it possible to limit an application to pull ONLY Security Center or Sentinel alerts?

| Permission | Entity | Supported requests |
|---|---|---|
| SecurityActions.Read.All | securityActions (preview) | GET |
| SecurityActions.ReadWrite.All | securityActions (preview) | GET, POST |
| SecurityEvents.Read.All | alerts, secureScores, secureScoreControlProfiles | GET |
| SecurityEvents.ReadWrite.All | alerts, secureScores, secureScoreControlProfiles | GET, POST, PATCH |
| ThreatIndicators.ReadWrite.OwnedBy | tiIndicator (preview) | GET, POST, PATCH, DELETE |

 

PS I know you can filter them out, but I want to limit the applications from being able to pull them in the first place.
