×
Microsoft Graph Security
MS Graph Security

Overview

The Microsoft Graph Security plugin adds the ability to list alerts, get an alert’s details, and update an alert within a customer’s tenant across all integrated solutions.

Functionality

The Security Flow Microsoft Graph Security plugin provides the ability to

  • retrieve filtered alerts periodically or when manually triggered
  • retrieve all information for a specific alert
  • update parameters for a specific alert

Instance Configuration Parameters

Property
Description

Instance Name

Name for the MS Graph Security instance.


Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.


Authorization (OAuth2)

Application authorization used to access Microsoft Graph Security services.

Flow Nodes

This node provides access to security operations with the MS Graph API.

The SecurityEvents.Read.All permission is required to perform the Get Alert operation. The SecurityEvents.ReadWrite.All permission is required to perform the Update Alert operation.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Get Alert: Retrieves the details of an alert using the supplied Alert ID.
  • Update Alert: Updates fields of an alert specified by Alert ID. Any field specified with the value of Do Not Update will not be changed.

Successful results for an action are placed in msg.payload.msgraphsecurity.[uniqueId].response.


Alert ID

Unique identifier for the alert being retrieved or updated.


Status

When updating an alert, the alert life cycle status (stage). Possible values are: unknown, newAlert, inProgress, or resolved.


Assigned To

When updating an alert, the name of the analyst the alert is assigned to for triage, investigation, or remediation.


Closed At

When updating an alert, the time at which the alert was closed. Now represents the current time. If the object referenced is a JavaScript Date, it is converted to an ISO 8601 formatted string (e.g., 2014-01-01T00:00:00Z).


Feedback

When updating an alert, the analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, or benignPositive.


Comments

When updating an alert, the analyst comments on the alert (for customer alert management). This action can update the comments field with the following values only: Closed in IPC or Closed in MCAS. This value will be converted to an array if it is not already an array.


Tags

When updating an alert, the user-definable labels that can be applied to an alert and can serve as filter conditions (for example, TAG1, TAG2). This value will be converted to an array if it is not already an array. For a string value, use a comma separated list of tags.

This node provides MS Graph API capabilities for polling security alerts.

The SecurityEvents.Read.All permission is required to access alerts.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Repeat

Defines the repeat interval used to pull alerts. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.


Alerts Filter

Filters the list of alerts for the Azure AD tenant based on the Alerts Filter configuration. Clear the content of the Alerts Filter field to disable filtering. Learn more about filtering using the List Alerts page. The vendor names table in the List Alerts page lists the keywords for filtering on the vendorInformation/provider. For example, to filter on the Azure Active Directory Identity Protection use the following filter:

vendorInformation/provider eq 'IPC'

In addition to List Alerts filtering, the filter field uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. However, for this node, the incoming message consists of only a timestamp.


Alert Fields

If specified, the Alert Fields is a comma separated list of fields to load. It is recommended to return the alert id to ensure downstream nodes can operate on the alert. If left blank, all alert fields are loaded by default. Any unrecognized fields are ignored. A reasonable sample Alert Fields list value might be as follows:

id, title, status, severity, vendorInformation

Size Limit

This field sets the maximum number of returned alerts.


Aggregetion

This node supports five modes for aggregating incidents.

  • None: Never aggregate any incidents (default).
  • Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
  • Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
  • Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
  • Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.

EULA