We now have a new PowerShell module for the Microsoft Graph Security API that makes it easier for IT Pros to connect with the API from a PowerShell console. This module is available on the PowerShell gallery, thanks to a community contribution from the Microsoft Cloud Security’s Customer Experience Engineering team.
The Microsoft Graph Security API connects multiple security solutions to make it easier to correlate alerts, provides access to rich contextual information, and simplifies automation and investigation. This lets organizations quickly gain insights and take action across their security products while reducing the cost and complexity of building and maintaining multiple integrations. For further details on integrating with the Microsoft Graph Security API, learn about the API and access the schema.
Use this module to get access to security alerts and Secure Score information in your Azure Active Directory (Azure AD) tenant across different security products. Refer to the documentation for further details.
a. Select 'Add Platform' (under Platforms)
b. Select 'Native Application'
c. Keep the redirect URI as 'urn:ietf:wg:oauth:2.0:oob'; the desktop (native) application sign-in redirect depends on it.
*If this is your first time installing a module from the PowerShell Gallery, you will be prompted to install the NuGet package provider.
You need to authenticate before you can get or update data from the Microsoft Graph Security API. Authentication is triggered on the first data access and again whenever the existing authentication expires.
This covers a representative set of scenarios. Refer to the documentation for the complete list of switches supported by each command so you can tailor these to your scenario.
You can get the top alerts with Get-GraphSecurityAlert -top 1. This returns the most recent alert from each of the security products running in your Azure AD tenant that the Microsoft Graph Security API supports, which lets you correlate recent suspicious patterns raised by different products.
You can combine switches to get alerts across different security products filtered by user principal name, for example,
Get-GraphSecurityAlert -userPrincipalName <enter the value> -severity medium -Verbose | select title, status, description, assignedTo, severity, userStates
as illustrated below. This supports an initial investigation: suspicious activity for one user, as reported by different security products, can be laid side by side to decide where the next level of investigation should go.
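One way to do that side-by-side view from a console, as an added example that is not part of the original post or of the module itself: roll one user's alerts up per security product, with volume, open count, worst severity and newest hit, so you can see which product is seeing what before opening individual alerts. The live call assumes the module is installed and authenticated; the alert property names used (vendorInformation.provider, severity, status, title, createdDateTime) follow the Microsoft Graph Security alert schema, and the sample alerts at the bottom are constructed so the roll-up can be tried offline.

```powershell
# Added example (not from the original post or the module): per-product roll-up of one user's alerts.
function Get-UserAlertSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Alert,
        [int] $LookbackDays = 7
    )
    begin { $all = @() }
    process { $all += $Alert }
    end {
        $since  = (Get-Date).AddDays(-$LookbackDays)
        $recent = $all | Where-Object { [datetime]$_.createdDateTime -ge $since }
        # Severity strings from the alert schema, ranked so we can sort by "worst"
        $sevRank = @{ unknown = -1; informational = 0; low = 1; medium = 2; high = 3 }

        # One row per provider: volume, how much is still open, worst severity, newest hit
        $recent | Group-Object { $_.vendorInformation.provider } | ForEach-Object {
            $worst  = $_.Group | Sort-Object { $sevRank[$_.severity] } -Descending | Select-Object -First 1
            $newest = $_.Group | Sort-Object { [datetime]$_.createdDateTime } -Descending | Select-Object -First 1
            [pscustomobject]@{
                Provider      = $_.Name
                Alerts        = $_.Count
                Open          = @($_.Group | Where-Object { $_.status -ne 'resolved' }).Count
                WorstSeverity = $worst.severity
                Newest        = $newest.createdDateTime
                SampleTitle   = $worst.title
            }
        } | Sort-Object { $sevRank[$_.WorstSeverity] }, Alerts -Descending
    }
}

# Live use (requires the module and an authenticated session); -userPrincipalName and -top are the switches shown in the post:
# Get-GraphSecurityAlert -userPrincipalName 'alice@contoso.com' -top 100 | Get-UserAlertSummary -LookbackDays 14

# Constructed sample alerts (not real tenant data) so the roll-up can be tried offline
$now = Get-Date
$sampleAlerts = @(
    [pscustomobject]@{ title = 'Impossible travel';     severity = 'medium'; status = 'newAlert';   createdDateTime = $now.AddHours(-2).ToString('o'); vendorInformation = @{ provider = 'IPC' } }
    [pscustomobject]@{ title = 'Mass download';         severity = 'high';   status = 'inProgress'; createdDateTime = $now.AddHours(-5).ToString('o'); vendorInformation = @{ provider = 'MCAS' } }
    [pscustomobject]@{ title = 'Suspicious inbox rule'; severity = 'medium'; status = 'newAlert';   createdDateTime = $now.AddHours(-1).ToString('o'); vendorInformation = @{ provider = 'MCAS' } }
    [pscustomobject]@{ title = 'Suspicious PowerShell'; severity = 'high';   status = 'resolved';   createdDateTime = $now.AddDays(-10).ToString('o'); vendorInformation = @{ provider = 'ATP' } }
)
# The ATP alert falls outside the 7-day window, so the table lists MCAS (worst high, 2 alerts) then IPC (medium, 1 alert)
$sampleAlerts | Get-UserAlertSummary | Format-Table -AutoSize
```

The lookback window matters: Get-GraphSecurityAlert returns whatever the products still hold, and an old resolved alert from one product should not outrank a fresh open one from another, which is why resolved alerts are counted separately from the open count.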
Type Get-GraphSecurityAlert - and press Ctrl+Space to list every property you can filter on, as illustrated in the following diagram. Use the arrow keys to move through the switches and see the type each one expects; in the diagram below, for example, the -Version switch expects a string. You can combine these property values to build commands that retrieve alerts for your specific security management and investigation scenario.
You can update alerts with Set-GraphSecurityAlert -id <enter the value>. The example below sets an alert's status to resolved; you can also assign an alert to someone for investigation, or tag alerts so they can be filtered later, for better security management.
Type Set-GraphSecurityAlert - and press Ctrl+Space to list every property you can use to build your update command.
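A bulk version of the assignment scenario above, as an added example that is not part of the original post or of the module: assign every non-resolved alert in a pipeline to an analyst and move it to inProgress, with a dry-run path so the change set can be reviewed before any write goes to the API. -id and -status are the switches the post shows; -assignedTo and -comments are assumed names for the assignment and comment fields of the Graph Security alert schema, and the sample alerts are constructed so the dry run works offline.

```powershell
# Added example (not from the original post or the module): guarded bulk triage of alerts.
function Set-AlertTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Alert,
        [Parameter(Mandatory)] [string] $AssignTo,
        # Status values of the Graph Security alert schema
        [ValidateSet('newAlert', 'inProgress', 'resolved')] [string] $Status = 'inProgress',
        [string] $Comment = 'Triaged from PowerShell'
    )
    process {
        foreach ($a in $Alert) {
            # Never reopen or reassign something an analyst already closed
            if ($a.status -eq 'resolved') {
                Write-Verbose "Skipping resolved alert $($a.id)"
                continue
            }
            $target = "$($a.vendorInformation.provider) alert $($a.id) '$($a.title)'"
            # With -WhatIf ShouldProcess prints the intended change and returns $false, so no API call is made
            if ($PSCmdlet.ShouldProcess($target, "status=$Status assignedTo=$AssignTo")) {
                # -assignedTo and -comments are assumed switch names; -id and -status are shown in the post
                Set-GraphSecurityAlert -id $a.id -status $Status -assignedTo $AssignTo -comments $Comment
                # Emit a record of what was changed for the investigation log
                [pscustomobject]@{ Id = $a.id; Provider = $a.vendorInformation.provider; NewStatus = $Status; AssignedTo = $AssignTo }
            }
        }
    }
}

# Constructed sample (not real alerts): the dry run works offline because -WhatIf skips Set-GraphSecurityAlert
$sample = @(
    [pscustomobject]@{ id = 'A1'; title = 'Mass download'; status = 'newAlert'; vendorInformation = @{ provider = 'MCAS' } }
    [pscustomobject]@{ id = 'A2'; title = 'Old finding';   status = 'resolved'; vendorInformation = @{ provider = 'ATP' } }
)
# Prints "What if: Performing the operation ..." for A1 and a verbose skip message for A2
$sample | Set-AlertTriage -AssignTo 'soc@contoso.com' -WhatIf -Verbose

# Live use: preview with -WhatIf first, then run the same pipeline without it
# Get-GraphSecurityAlert -userPrincipalName 'alice@contoso.com' -severity high | Set-AlertTriage -AssignTo 'soc@contoso.com' -WhatIf
# Get-GraphSecurityAlert -userPrincipalName 'alice@contoso.com' -severity high | Set-AlertTriage -AssignTo 'soc@contoso.com'
```

Keep the Get-GraphSecurityAlert filter on the left of the pipe as narrow as the investigation, since every alert that reaches the function and is not already resolved will be rewritten; the -WhatIf pass is there to show exactly which ones those are.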
You can also get Secure Score information with Get-GraphSecuritySecureScore, as illustrated below, to see your organization's security posture and determine which remediations will improve the score over time.
Type Get-GraphSecuritySecureScore - and press Ctrl+Space to list every switch you can use to build your Secure Score command.
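To turn the raw Secure Score records into the "what to remediate next" view the paragraph above describes, here is an added example that is not part of the original post or of the module: it takes a run of Secure Score snapshots, reports the latest score as a percentage, the change since the oldest snapshot supplied, and the controls that currently earn no points. It assumes the secureScore resource shape of the Microsoft Graph Security API (createdDateTime, currentScore, maxScore, and a controlScores array with controlCategory, controlName, score and description), assumes Get-GraphSecuritySecureScore accepts -top for the live call, and uses constructed snapshots so it runs offline.

```powershell
# Added example (not from the original post or the module): Secure Score trend and zero-point controls.
function Get-SecureScoreReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Score,
        [int] $MaxZeroControls = 10
    )
    begin { $all = @() }
    process { $all += $Score }
    end {
        # Snapshots arrive newest-first from the API; order them explicitly so oldest/latest are unambiguous
        $ordered  = $all | Sort-Object { [datetime]$_.createdDateTime }
        $earliest = $ordered[0]
        $latest   = $ordered[-1]
        $percent  = { param($s) [math]::Round(100.0 * $s.currentScore / $s.maxScore, 1) }

        # Controls contributing nothing today are the natural remediation backlog
        $zero = @($latest.controlScores | Where-Object { $_.score -eq 0 })

        [pscustomobject]@{
            AsOf         = $latest.createdDateTime
            Score        = "$($latest.currentScore) / $($latest.maxScore)"
            Percent      = & $percent $latest
            Since        = $earliest.createdDateTime
            DeltaPoints  = $latest.currentScore - $earliest.currentScore
            DeltaPercent = (& $percent $latest) - (& $percent $earliest)
            ZeroControls = $zero | Select-Object -First $MaxZeroControls controlCategory, controlName, description
        }
    }
}

# Live use (requires the module and an authenticated session; -top assumed):
# $report = Get-GraphSecuritySecureScore -top 30 | Get-SecureScoreReport
# $report | Format-List; $report.ZeroControls | Format-Table -AutoSize

# Constructed sample snapshots (not real tenant data) so the report can be tried offline
$now = Get-Date
$sampleScores = @(
    [pscustomobject]@{ createdDateTime = $now.AddDays(-1).ToString('o'); currentScore = 135; maxScore = 400
        controlScores = @(
            [pscustomobject]@{ controlCategory = 'Identity'; controlName = 'MFARegistration'; score = 0;  description = 'Require MFA for all users' }
            [pscustomobject]@{ controlCategory = 'Data';     controlName = 'DLPEnabled';      score = 25; description = 'Enable DLP policies' }
        ) }
    [pscustomobject]@{ createdDateTime = $now.AddDays(-7).ToString('o'); currentScore = 120; maxScore = 400
        controlScores = @(
            [pscustomobject]@{ controlCategory = 'Identity'; controlName = 'MFARegistration'; score = 0;  description = 'Require MFA for all users' }
            [pscustomobject]@{ controlCategory = 'Data';     controlName = 'DLPEnabled';      score = 10; description = 'Enable DLP policies' }
        ) }
)
# Expected: Score 135 / 400, Percent 33.8, DeltaPoints 15, DeltaPercent 3.8, one zero-point control (MFARegistration)
$report = $sampleScores | Get-SecureScoreReport
$report | Format-List
$report.ZeroControls | Format-Table -AutoSize
```

The per-control maximum is not part of the secureScore record, so the report deliberately lists controls scoring zero rather than trying to rank "points left on the table"; for that ranking you would join against the control profile data the API exposes separately.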
Try out the new Microsoft Graph Security API PowerShell module and provide your feedback by filing a GitHub issue in the PowerShell module repo.