Using Microsoft Graph Security API for Custom Security Automations
Hi Security Experts, I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services. The idea is to build a single automation layer that can: Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection; Enrich them with context (user, device, and location data); And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow. I was able to authenticate and list alerts using the endpoint: “GET https://graph.microsoft.com/v1.0/security/alerts” However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools. Has anyone here implemented Graph Security API automations in production? I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity). Thanks in advance, Luca
Major Delay with /alerts endpoint
Hey folks, I've been seeing some significant delays with the /alerts API endpoint. Ball park range of 2-5 hours. For example, there is an alert in Azure Sentinel that fires at ~13:00 UTC (based on TimeGenerated field). Our internal process that polls for new events from /alerts every ~2-3minutes doesn't pick up this new alert until ~17:00 UTC. I know there is the /alerts_v2 endpoint, and we're working on upgrading our processes to use that - but for the time being, I'm trying to find a solution / answer to this particular endpoint. Anyone experience this or have any insights?
MS Graph Authorization issue (Status code 401) - Power Automate Flow for Copilot Studio
Hi Folks, I am trying to develop a MS Power Automate Flow that can post QMS documents information to Copilot Studio bot based on users' question. I am using 'Create text with GPT using Prompt" to extract users' intention about documents from their natural language. Then use HTTP connector to post the results to Copilot Studio bot. I have done all the steps: 1. Registered App in Azure Portal 2. Granted Sites.Selected (Read) permission to my app so that it can read the information from QMS document library in SharePoint. We only want the app permission related to subsite not the whole site. The issue I am facing is that the HTTP action is still showing unauthorized Status code 401. Could you guide me if there is something incomplete or insufficient? Many thanks. After running please see below error: Best regards, perlite77
Create alert when a login was attempted from certain IP address (or block of addresses)
I'm trying to create an alert when there is a login attempt to certain IP, using the following MG Graph PS command: $newAlert = Invoke-RestMethod -Uri $alertUrl -Method Post -Headers $authHeader -Body $alertBody The response I got is: Invoke-RestMethod: {"error":{"code":"","message":"POST is not supported".... $alertUrl = "https://graph.microsoft.com/v1.0/security/alerts" $AlertBody = { "networkConnections": [{ "destinationAddress": "30.1XX.XX.XX" }], "title": "Login Attempt from Specific IP", "category": "SuspiciousActivity", "description": "Login attempt detected from IP address: 30.1XX.XX.XX", "vendorInformation": { "subProvider": "Sub Prov EFI", "provider": "Prov EFI"}, "assignedTo": "me", "cloudAppStates": [{ "servicePlanId": "00000000-0000-0000-0000-000000000000", "appId": "00000002-0000-0ff1-ce00-000000000000"}] } Assume Headers are OK (they are, verified) Question: What caused the error?. Is that the endpoint URI is not the correct one? or is that this kind of alerts cannot be set using Graph?How can I publish any application in MS Defender portal?
I want to create an indicators in defender from my application using https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator. Just want to know if I can publish my application on defender portal, just the way we can publish a data connector and other services in sentinel portal.
Issues with timespan on log analytics query API
Hi, This appears to be the best place for this query: We've been trying to set the API timespan for log analytics queries. However, even when using the correct ISO8601 format (PT1H for example), it does not work as it should - it does not work in a comparable manner to using the time period piece in the UI. There is no difference between using the Timespan piece and not - it returns the same details either way, in the example I was testing, multiple weeks worth (no time period was set inside the query). https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP Is this a bug, or is there a different format required for this? We have also tried with 1H, 01:00:00, etc., to no avail. Many thanks, Keith
CreatetiIndicator Rate Limting HTTP 400 Status instead of 429
We're getting back HTTP 400 instead of 429 from the Security API. This is causing the Logic Apps connector to not retry as it's looking for 429. I do see the 429 code contained in the body, but this should be returned at the HTTP status code also. It wouldn't matter much, except that it seems the bulk submission only works for Azure Sentinel and not Defender. We're trying to add indicators to Defender. { "statusCode": 400, "headers": { "Transfer-Encoding": "chunked", "Vary": "Accept-Encoding", "Strict-Transport-Security": "max-age=31536000", "request-id": "XXXXXXXXXXX, "client-request-id": "XXXXXXXXXXXX", "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleUnit\":\"001\",\"RoleInstance\":\"MW2PEPF0000836D\"}}", "Timing-Allow-Origin": "*", "x-ms-apihub-cached-response": "true", "x-ms-apihub-obo": "false", "Cache-Control": "no-cache", "Date": "Thu, 17 Nov 2022 16:23:39 GMT", "Content-Type": "application/json", "Content-Length": "560" }, "body": { "error": { "code": "", "message": "Http request failed with statusCode=429 : {\"error\":{\"code\":\"TooManyRequests\",\"message\":\"API calls quota exceeded! Maximum allowed 50 per 00:01:00 for the key Destination+TenantID+AppID. You can send requests again in 14 seconds.\",\"target\":\"|XXXXXXXXXXXXXXXXXXXX\"}}; ", "innerError": { "date": "2022-11-17T16:23:40", "request-id": "XXXXXXXXXXX", "client-request-id": "XXXXXXXXX" } } } }
Creating Script to extract last Sing In signInActivity from excluded Users from Azure CA
Dear Community I try to create a Script what is fetching me out the last signInActivity and here is the place where I stuck and have no chance to coming forward (I paste just the necessary columns from the Script $CustomObject is for another Excel Sheet ) ##here I fetch the excluded Users from the Group and Store the Value into the Variable Member## $ExcludeGroupMembers = @() $ExcludeGroupMembers = foreach ($Object in ($CAPolicies.excludeGroupsId | Select-Object -Unique)) { Write-Verbose -Verbose -Message "Getting exclude group members for policy $($Policy.displayName)..." $Uri = "https://graph.microsoft.com/beta/groups/$Object" $GroupName = { (Get-MsGraph -AccessToken $AccessToken -Uri $Uri -ErrorAction Stop).displayName } $Uri = "https://graph.microsoft.com/beta/groups/$Object/members" $Members = (Get-MsGraph -AccessToken $AccessToken -Uri $Uri).userPrincipalName| Sort-Object userPrincipalName $CustomObject = New-Object -TypeName psobject $CustomObject | Add-Member -MemberType NoteProperty -Name "Group" -Value $GroupName $CustomObject | Add-Member -MemberType NoteProperty -Name "Members" -Value $Members so far so good this works User Objects are stored into the Variable my next step here is to foreach the Members but here i stuck I allways get an error : (404) Not Found. In Zeile:16 Zeichen:13 + $Response = Invoke-WebRequest -Method GET -Uri $ApiUrl -ContentType " ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand ########################################### If I try it with a single User, for example mailto:email address removed for privacy reasons https://graph.microsoft.com/beta/users?%60$select=displayName,userPrincipalName,signInActivity,userType,assignedLicenses&%60$top=999mailto:email address removed for privacy reasons?`$select=displayName,userPrincipalName,signInActivity,userType,assignedLicenses&`$top=999 it works and also when I try to select over all the User also like here: https://graph.microsoft.com/beta/users?%60$select=displayName,userPrincipalName,signInActivity,userType,assignedLicenses&%60$top=999 But if i just store the User into a Variable like $TheUser = "mailto:email address removed for privacy reasons" "https://graph.microsoft.com/beta/users/$TheUser?$select=displayName,userPrincipalName,signInActivity,userType,assignedLicenses" i get an Error and also when I wanna use the Varible $Members from above i get the error So this would be the Lines I try to run to get just the Selected Values from the Variable $Members foreach ($Member in ($Members | Select-Object -Unique)) { $ApiUrl = "https://graph.microsoft.com/beta/users/Member? $select=displayName,userPrincipalName,signInActivity,userType,assignedLicenses" $Result = @() While ($ApiUrl -ne $Null) #Perform pagination if next page link (odata.nextlink) returned. { $Response = Invoke-WebRequest -Method GET -Uri $ApiUrl -ContentType "application\json" -Headers $headers | ConvertFrom-Json } if($Response.value) { $Users = $Response.value ForEach($User in $Members) { $Result += New-Object PSObject -property $([ordered]@{ DisplayName = $User.displayName UserPrincipalName = $User.userPrincipalName LastSignInDateTime = if($User.signInActivity.lastSignInDateTime) { [DateTime]$User.signInActivity.lastSignInDateTime } Else {$null} IsLicensed = if ($User.assignedLicenses.Count -ne 0) { $true } else { $false } IsGuestUser = if ($User.userType -eq 'Guest') { $true } else { $false } }) } } $ApiUrl=$Response.'@odata.nextlink' } $Result | Export-CSV "C:\LastLoginDateReport.CSV" -NoTypeInformation -Encoding UTF8 Would be really happy for any advice here because here i stuck now for a long Time Kind Regards, Martin
