Overview
The Microsoft Graph Security plugin adds the ability to list alerts, get an alert’s details, and update an alert within a customer’s tenant across all integrated solutions.
Functionality
The Security Flow Microsoft Graph Security plugin provides the ability to
- retrieve filtered alerts periodically or when manually triggered
- retrieve all information for a specific alert
- update parameters for a specific alert
Instance Configuration Parameters
- Name for the MS Graph Security instance.
- A system-wide unique identifier for this plugin instance, used to locate the service.
- Application authorization used to access Microsoft Graph Security services. This is the credential that must carry the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permissions described under Flow Nodes; grant it only the permissions the flows actually use.
Flow Nodes
The SecurityEvents.Read.All permission is required to perform the Get Alert operation. The SecurityEvents.ReadWrite.All permission is required to perform the Update Alert operation. An instance whose flows only read alerts should not be granted SecurityEvents.ReadWrite.All.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Get Alert: Retrieves the details of an alert using the supplied Alert ID.
- Update Alert: Updates fields of the alert specified by Alert ID. Any field set to the value Do Not Update is left unchanged.
Successful results for an action are placed in msg.payload.msgraphsecurity.[uniqueId].response.
Unique identifier for the alert being retrieved or updated.
When updating an alert, the alert life cycle status (stage). Possible values are: unknown, newAlert, inProgress, or resolved.
When updating an alert, the name of the analyst the alert is assigned to for triage, investigation, or remediation.
When updating an alert, the time at which the alert was closed. Now represents the current time. If the object referenced is a JavaScript Date, it is converted to an ISO 8601 formatted string (e.g., 2014-01-01T00:00:00Z).
When updating an alert, the analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, or benignPositive.
When updating an alert, the analyst comments on the alert (for customer alert management). This action can update the comments field with the following values only: Closed in IPC or Closed in MCAS. This value will be converted to an array if it is not already an array.
When updating an alert, the user-definable labels that can be applied to an alert and can serve as filter conditions (for example, TAG1, TAG2). This value will be converted to an array if it is not already an array. For a string value, use a comma separated list of tags.
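The update rules above (Do Not Update fields omitted, Now and JavaScript Date values converted to ISO 8601, comments and tags coerced to arrays, tags split on commas, status/feedback/comments restricted to the listed values) collected into one function, as an added example that is not the plugin's own code. The field names (status, assignedTo, closedDateTime, feedback, comments, tags) are those of the Graph Security alert resource; the Graph update-alert call also expects the alert's vendorInformation to be included in the body, which this page does not mention, so the example passes it through when supplied.

```javascript
// Added example (not the plugin's own code): turn the Update Alert node's
// configuration into the JSON body of a Graph Security alert update,
// applying the conversion rules described in the documentation.
const DO_NOT_UPDATE = "Do Not Update";
const STATUSES = ["unknown", "newAlert", "inProgress", "resolved"];
const FEEDBACKS = ["unknown", "truePositive", "falsePositive", "benignPositive"];
const COMMENTS = ["Closed in IPC", "Closed in MCAS"];

// "Now" becomes the current time; a Date becomes an ISO 8601 string;
// any other value is passed through as a string.
function toIsoTime(value, now = new Date()) {
  if (value === "Now") return now.toISOString();
  if (value instanceof Date) return value.toISOString();
  return String(value);
}

// Non-array values become arrays; for tags, a string is a comma-separated list.
function toArray(value, splitOnComma = false) {
  if (Array.isArray(value)) return value;
  if (splitOnComma) return String(value).split(",").map((s) => s.trim()).filter(Boolean);
  return [String(value)];
}

// Reject values outside the documented enumeration instead of sending them.
function oneOf(field, value, allowed) {
  if (!allowed.includes(value)) {
    throw new Error(`${field}: '${value}' is not one of ${allowed.join(", ")}`);
  }
  return value;
}

function buildAlertPatch(config, now = new Date()) {
  const body = {};
  const set = (field, value, convert) => {
    if (value === undefined || value === DO_NOT_UPDATE) return; // field left unchanged
    body[field] = convert(value);
  };
  set("status", config.status, (v) => oneOf("status", v, STATUSES));
  set("assignedTo", config.assignedTo, String);
  set("closedDateTime", config.closedDateTime, (v) => toIsoTime(v, now));
  set("feedback", config.feedback, (v) => oneOf("feedback", v, FEEDBACKS));
  set("comments", config.comments, (v) => toArray(v).map((c) => oneOf("comments", c, COMMENTS)));
  set("tags", config.tags, (v) => toArray(v, true));
  // The Graph update-alert request also carries the alert's vendorInformation
  // (provider and vendor); assumed here to come from an earlier Get Alert.
  if (config.vendorInformation) body.vendorInformation = config.vendorInformation;
  return body;
}

// Usage with a fixed clock so the result is reproducible:
const example = buildAlertPatch(
  { status: "resolved", assignedTo: DO_NOT_UPDATE, closedDateTime: "Now",
    feedback: "truePositive", comments: "Closed in MCAS", tags: "TAG1, TAG2" },
  new Date("2024-01-01T00:00:00Z")
);
```

Fields the analyst left at Do Not Update never appear in the body, so the update cannot accidentally blank them; an unlisted status or feedback value fails before any request is made.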
The SecurityEvents.Read.All permission is required to access alerts.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Defines the repeat interval used to pull alerts. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.
Filters the list of alerts for the Azure AD tenant based on the Alerts Filter configuration. Clear the content of the Alerts Filter field to disable filtering. Learn more about filtering using the List Alerts page. The vendor names table in the List Alerts page lists the keywords for filtering on vendorInformation/provider. For example, to filter on Azure Active Directory Identity Protection use the following filter:
vendorInformation/provider eq 'IPC'
In addition to List Alerts filtering, the filter field supports variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, for example {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. Note that for this node the incoming message consists of only a timestamp, so there is little to substitute unless the node is triggered from another flow. Because the substituted value becomes part of an OData filter expression, a value containing a single quote would otherwise alter the filter; make sure substituted values are escaped (a single quote inside an OData string literal is written as two single quotes).
If specified, the Alert Fields is a comma separated list of fields to load. It is recommended to return the alert id to ensure downstream nodes can operate on the alert. If left blank, all alert fields are loaded by default. Any unrecognized fields are ignored. A reasonable sample Alert Fields list value might be as follows:
id, title, status, severity, vendorInformation
This field sets the maximum number of returned alerts.
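How the Alerts Filter, mustache substitution, Alert Fields and maximum count fit together into one Graph Security list request, as an added example that is not the plugin's own code. It assumes the node issues a GET against the Microsoft Graph alerts endpoint (https://graph.microsoft.com/v1.0/security/alerts) with the standard $filter, $select and $top query options; the plugin's actual request construction is not shown on this page. The example escapes substituted values for OData string literals and always requests the alert id, as the documentation recommends.

```javascript
// Added example (not the plugin's own code): assemble the List Alerts request
// from the node's configuration and the incoming message.
const GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"; // assumed endpoint

// Resolve a dotted path such as "payload.data" against the incoming message.
function lookup(msg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), msg);
}

// OData string literals are single-quoted; a quote inside a value is written
// as two quotes. Without this, a value such as O'Brien (or one chosen by an
// attacker who controls the message) would break out of the literal and
// change the meaning of the filter.
function odataQuote(value) {
  return String(value).replace(/'/g, "''");
}

// Replace every {{ variable }} with the escaped value from the message.
// A missing field is an error rather than an empty (and therefore broader) filter.
function substitute(template, msg) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const v = lookup(msg, path);
    if (v === undefined) throw new Error(`missing message field: ${path}`);
    return odataQuote(v);
  });
}

// filter: Alerts Filter text (empty disables filtering)
// fields: comma separated Alert Fields (empty loads all fields)
// top:    maximum number of returned alerts
function buildListAlertsUrl({ filter = "", fields = "", top = 50 }, msg = {}) {
  const params = [];
  if (filter.trim()) params.push("$filter=" + encodeURIComponent(substitute(filter, msg)));
  const select = fields.split(",").map((f) => f.trim()).filter(Boolean);
  if (select.length) {
    if (!select.includes("id")) select.unshift("id"); // downstream nodes need the alert id
    params.push("$select=" + select.join(","));
  }
  params.push("$top=" + Math.max(1, Number(top) | 0));
  return `${GRAPH_ALERTS}?${params.join("&")}`;
}

// Usage: provider taken from the incoming message (constructed sample message).
const url = buildListAlertsUrl(
  { filter: "vendorInformation/provider eq '{{payload.data}}'", fields: "title, severity", top: 10 },
  { payload: { data: "IPC" } }
);
```

Leaving the Alerts Filter blank disables filtering, so the same function emits only $select and $top in that case.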
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or JSONata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message, which can be inspected to assist when establishing a threshold.
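The four aggregation modes run over a few constructed alert messages, as an added example that is not the plugin's own code. The source field is given as a dotted path (the node also accepts a JSONata query, which is not reproduced here), and the fuzzy similarity measure is an assumption: token-set Jaccard similarity, since the page does not name the measure the node uses. Matched messages receive the similarity attribute described above.

```javascript
// Added example (not the plugin's own code): the None, Field, Exact, Keyword
// and Fuzzy aggregation modes applied to constructed alert messages.
function lookup(msg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), msg);
}

function tokens(text) {
  return new Set(String(text).toLowerCase().split(/\W+/).filter(Boolean));
}

// Assumed similarity measure: Jaccard index of the two fields' word sets, in [0, 1].
function similarity(a, b) {
  const ta = tokens(a), tb = tokens(b);
  let common = 0;
  for (const t of ta) if (tb.has(t)) common++;
  const union = ta.size + tb.size - common;
  return union === 0 ? 1 : common / union;
}

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Return the incident key for a message, or null when it stands alone.
// `incidents` maps key -> message that started the incident, which Fuzzy
// Match compares against.
function incidentKey(mode, msg, field, opts, incidents) {
  const value = lookup(msg, field);
  if (value === undefined) return null;
  switch (mode) {
    case "none":
      return null;
    case "field": // same field value as a previously seen message
      return `field:${value}`;
    case "exact": // one group per configured value
      return opts.values.includes(value) ? `exact:${value}` : null;
    case "keyword": { // first keyword that appears as a whole word
      const kw = opts.keywords.find((k) => new RegExp(`\\b${escapeRegExp(k)}\\b`, "i").test(String(value)));
      return kw ? `keyword:${kw}` : null;
    }
    case "fuzzy": {
      for (const [key, first] of incidents) {
        if (!key.startsWith("fuzzy:")) continue;
        const s = similarity(value, lookup(first, field));
        if (s >= opts.threshold) { msg.similarity = s; return key; }
      }
      msg.similarity = 1; // starts a new incident
      return `fuzzy:${value}`;
    }
    default:
      throw new Error(`unknown aggregation mode: ${mode}`);
  }
}

// Group messages into incidents; a message that matches nothing forms its own group.
function aggregate(messages, mode, field, opts = {}) {
  const incidents = new Map();
  const groups = new Map();
  messages.forEach((msg, i) => {
    let key = incidentKey(mode, msg, field, opts, incidents);
    if (key === null) key = `single:${i}`;
    if (!incidents.has(key)) incidents.set(key, msg);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(msg);
  });
  return [...groups.values()];
}

// Constructed sample alerts (not real tenant data).
const SAMPLE_ALERTS = () => [
  { payload: { title: "Impossible travel activity", vendorInformation: { provider: "IPC" } } },
  { payload: { title: "Impossible travel activity from infrequent country", vendorInformation: { provider: "IPC" } } },
  { payload: { title: "Mass download by a single user", vendorInformation: { provider: "MCAS" } } },
  { payload: { title: "Unfamiliar sign-in properties", vendorInformation: { provider: "IPC" } } },
];

// Usage: fuzzy grouping on the title with a 0.5 threshold.
const fuzzyGroups = aggregate(SAMPLE_ALERTS(), "fuzzy", "payload.title", { threshold: 0.5 });
```

Inspecting the similarity attribute on the grouped messages (0.5 for the second travel alert above) is the practical way to choose a threshold: run the node with a low threshold, look at the scores that were assigned, and raise the threshold until unrelated alerts stop merging.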
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.