Explore Microsoft Intelligent Security Graph
Microsoft created the Microsoft Intelligent Security Graph, or Microsoft Graph for short, to help its customers:
- Focus on breach prevention.
- Spend less on breach recovery.
The Intelligent Security Graph uses advanced analytics to link a massive amount of threat intelligence and security data from Microsoft and partners to combat cyber threats. Insights from the Intelligent Security Graph power real-time threat protection in Microsoft products and services. Every second, Microsoft adds hundreds of GB's worth of data to the Security Graph. This anonymized data comes from:
- Over a hundred Microsoft data centers across the globe.
- Threats faced by over 1 billion PCs that Windows Update updates each month.
- External data points collected through extensive research and partnership with industry and law enforcement. Microsoft’s Digital Crime Unit and Cybersecurity Defense Operations Center manages this research.
Microsoft Intelligent Security Graph powers Threat intelligence in Microsoft 365. Microsoft Intelligent Security Graph:
- Consumes 6.5 trillion signals daily across the Microsoft 365 network. A signal is a term meaning information traffic.
- Uses advanced analytics consisting of artificial intelligence and machine learning capabilities.
- Integrates this data across Microsoft's threat detection and response capabilities to address different attack scenarios.
The Intelligent Security Graph and other third-party feeds, including teams of experts hunting for malicious activities around the globe, gather these signals. Machine learning models and artificial intelligence analyze vast security signals to identify vulnerabilities and threats. The massive scope of signals enables Microsoft to understand the full context of an event to power quick threat detection and automated response.
Microsoft feeds these signals into its following platforms: Windows, Azure, and Microsoft 365. Microsoft then integrates these signals so that security services in one platform can communicate with security services in one of the other platforms.
As a result, any threat seen in Windows is automatically and quickly added to the set of threats that Microsoft 365 views. This design provides deep insight into the evolving cyber threat landscape.
Microsoft Graph security API
Microsoft Graph also supports the Microsoft Graph security API, which is part of Microsoft Graph. The Graph security API provides a unified gateway to share and act on security insights across the Microsoft platform and partner solutions. This design enables organizations to integrate their security solutions to improve security operations and efficiency. Developers can use the Security Graph to build intelligent security services that:
- Use a single API call to access or act on security insights from multiple security solutions.
- Unlock contextual data to inform investigations.
- Automate SecOps for greater efficiency.
The Microsoft Graph security API is an intermediary service (or broker) that provides a single programmatic interface to connect multiple Microsoft Graph security providers (also called security providers or providers). Requests to the Microsoft Graph security API are federated to all applicable security providers. The results are aggregated and returned to the requesting application in a common schema, as shown in the following diagram. For details, see Microsoft Graph security API data flow.
The Microsoft Graph Security API is a unified API that:
- Provides a standard interface and uniform schema.
- Integrates security alerts and threat intelligence from multiple sources.
- Enriches alerts and data with contextual information.
- Automates security operations.
Additional viewing. Take a few minutes and watch the following short video: Microsoft Graph and Security API.
Benefits of using the Microsoft Graph security API
The following table identifies some of the key benefits of using the Microsoft Graph security API.
| Benefit | Description |
|---|---|
| Submit threats and trigger whole automation flow | Submit threats across security solutions more easily with a unified security threat submission API. This benefit allows you to not only submit threats but also get threat submission results and trigger downstream alert flows. The new unified security threat submission API supports both application and delegated permissions to help you build new security solutions. |
| Unify and standardize alert tracking | Connect once to integrate alerts from any Microsoft Graph-integrated security solution and keep alert status and assignments in sync across all solutions. You can also stream alerts to security information and event management (SIEM) solutions, such as Splunk using Microsoft Graph security API connectors. For more info about solution integrations with the security API entities, see Security solution integrations using the Microsoft Graph security API. |
| Correlate security alerts to improve threat protection and response | Correlate alerts across security solutions more easily with a unified alert schema. This benefit allows you to receive actionable alert information. It also allows security analysts to pivot and enrich alerts with asset and user information. This information enables faster response to threats and asset protection. |
| Update alert tags, status, and assignments | Tag alerts with extra context or threat intelligence to inform response and remediation. The system captures comments and feedback on alerts for visibility to all workflows. Keep alert status and assignments in sync so that all integrated solutions reflect the current state. Use webhook subscriptions to get notified of changes. |
| Unlock security context to drive investigation | Dive deep into related security-relevant inventory (like users, hosts, and apps), then add organizational context from other Microsoft Graph providers (Microsoft Entra ID, Microsoft Intune, Microsoft 365) to bring business and security contexts together and improve threat response. Note: Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more. |
| Automate security workflows and reporting | Automate security management, monitoring, and investigations to improve operational efficiencies-and response times. Get deeper insights and context by integrating Microsoft Graph security into your reports and dashboards. |
| Get deep insights to train security solutions | Visualize your data across different security products running in your organization to get deeper security insights. Discover opportunities to learn from the data and train your security solutions. The schema provides multiple properties to pivot on to build rich exploratory datasets using your security data. |
| Manage your eDiscovery workflows | Organizations rely on Microsoft Purview eDiscovery capabilities to find the truth about what happened in their organization. They do so based on internal or external requirements, such as litigation, investigation, or regulatory compliance. In many organizations, eDiscovery workflows are frequent, critical, and high volume. In the cases where there are common repeated tasks or a high volume of activities, the APIs help provide a scalable way to repeat processes consistently and effectively. Many organizations handle a high volume of cases and eDiscovery requests and would prefer to automate some tasks. The Microsoft Graph APIs for Microsoft Purview eDiscovery (Premium) provide API access to most functions available within the Microsoft Purview eDiscovery (Premium) solution. Depending on their current systems and processes, organizations might have various priorities for automation and integration. For example, from upstream processes such as case creation, to downstream such as collection, review set queries, or export. Supporting workflows with APIs throughout Microsoft Purview eDiscovery (Premium) provides flexibility and options. |
Partner integration using the Microsoft Graph security API
The Microsoft Graph security API makes it easy to connect with security solutions from Microsoft and partners. It allows you to more readily realize and enrich the value of these solutions. Organizations uncover more value when they explore the other Microsoft Graph entities (Microsoft 365, Microsoft Entra ID, Intune, and more). Doing so ties business context with their security insights.
Microsoft enables technology partner integration in two key ways.
- As a consumer of information from Microsoft Graph, you can enrich your solutions with information contained in Microsoft Graph. You can also use the Microsoft Graph API to perform tasks on behalf of a customer.
- You can also contribute your alerts and actions to Microsoft Graph alongside Microsoft providers.
| How do you integrate? | Data available | Capabilities supported |
|---|---|---|
| Integrate your application with the Microsoft Graph security API. | - Alerts from Microsoft Graph Security Providers - Secure Scores from Microsoft |
- Query alerts/Secure Score - Call a Microsoft Graph Security Action - Update a Microsoft Graph Security alert - Upload Customer threat indicators to Microsoft |
| Enable others to integrate with your products through the Microsoft Graph security API. | - Alerts from your security products |
- Security Actions for your security product |
The following table lists the benefits that different security solutions can access by integrating with the Microsoft Graph security API.
| Area | Benefits |
|---|---|
| Managed Security Service Providers (MSSPs) | - Streamlined integration with security operations tools, workflows, and reporting. - Reduced deployment and maintenance time and efforts. - Automated response to alerts by taking action on threats. - Ability to deliver more value to MSSP customers. |
| SIEM and IT Risk management solutions | - Smooth integration with Microsoft security solutions and ecosystem partners. - Rich alert metadata. - Better alert correlation. |
| Applications (Threat intelligence, mobile, cloud, IOT, fraud detection, identity and access, risk and compliance, firewall, and so on) |
- Unified threat management, prevention, and risk management across various security solutions. - Alerts, actions, and customer threat intelligence exposed through Microsoft Graph. - Instant integration with Microsoft Graph-enabled solutions. - Gain deep security insights to train other security solutions. |
Additional reading. For more information, see Partnering with the Microsoft Graph Security API – technology partner opportunities.