Azure Logic Apps & Graph Security API: easy integration of all security alerts to your ticketing system

Jeroen Niesen, Wortell
Published Jan 29, 2020

If you are working in the security business, you probably know that solving alerts “in the wild” isn’t the best thing to do. You should follow a decent Incident Management process. In the more professional companies an Incident Management System is deployed that supports this process. These kinds of systems track each incident while it is being solved and make the lives of the SOC engineers easier.

Connecting all security services to an incident management system can be a tough job. Either you need a good understanding of the software development world (so you can implement the API in the programming language of your choice), or the implementation ends up as a “not so solid” alert flow that includes mailboxes, various scripts, etc. To connect applications and APIs in a decent way, without needing any software development knowledge, Microsoft has invented Logic Apps.

Logic Apps

According to Microsoft’s own documentation: “A Logic App is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.”
In short: it is the magic glue that sits between your applications, and you can build it without hiring a software developer.

Azure Logic Apps let you define a “flow.” This flow starts with a “trigger,” and various activities can follow after this trigger. Each activity lets you run logic that is provided by a connector (e.g. create a ticket in a ticketing system).

Logic Apps work with connectors. For each application/service you want to integrate, a connector needs to be available. For the most common ticketing systems, like ServiceNow or FreshDesk, a connector is available. You can find a complete list of all connectors here. Connectors provide the activities and triggers used to interact with the application/service they are built for. If you have built your own Incident Management System, you can easily integrate it by building your own custom Logic App connector.

One of the connectors you could use is the connector for the Microsoft Graph Security API. This connector lets you use activities that get data out of the Graph Security API.

Microsoft Graph Security API

According to Microsoft, the Graph Security API is: “Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface to connect multiple Microsoft Graph Security providers (also called security providers or providers).” So the Microsoft Graph Security API is a programming interface that lets you:

  • Get alerts from almost all Microsoft Security products.
  • Update alerts in most Microsoft Security products (e.g. update the status of an alert)
  • Get the secure score from multiple Microsoft security products.

At the moment of writing, the following Microsoft Security products are supported by the Graph Security API:

  • Azure Sentinel
  • Azure Security Center
  • Azure Active Directory (identity protection)
  • Microsoft Cloud App Security
  • Microsoft Defender ATP
  • Azure ATP
  • Office 365
  • Azure Information Protection

As stated earlier in this post, a Logic Apps connector is available for the Graph Security API. This means that you can integrate with the Graph Security API without having any software development/programming knowledge.

Microsoft has defined a schema that contains the alert data. This schema is the same for each alert, regardless of which product raised it. Please have a look at the Microsoft documentation for all properties that are available through the Graph Security API.

Learning and displaying what’s in the Graph API can be hard. Microsoft has built the Graph Explorer, a web application that lets you explore the Graph API and see what’s in it.

Pro Tip: You can use the Graph Explorer to explore what data of your organisation is in the Graph API. You can modify the list of “example queries” and enable the security examples. By logging in and clicking on “modify permissions” you can make sure your account has the right permissions.

Integrate with your ticketing system

You could use the following flow (logic app) to integrate with a ticketing system. In this case I used FreshDesk to integrate with the Graph Security API.

Let me explain the steps used in the above example:

Recurrence: In this step I make sure that the Logic App will run every minute. Unfortunately the Graph Security API connector does not have a trigger available. By running the Logic App on an interval we can poll the Graph Security API.

Get Alerts: In this activity (step) I collect all new alerts out of the Graph Security API. Using the filter Status eq 'newAlert' I make sure only new alerts are collected. In a later activity I update the status of each alert as it is processed.

For Each: The result of the previous activity is an array (list) of alerts. In this activity I loop through all the alerts and execute some logic on each of them.

Create Ticket: In this activity I create a ticket in the ticketing system (e.g. FreshDesk). Depending on the ticketing system of your choice, you need to replace this activity with an activity that connects to your ticketing system. In these kinds of activities you can set the description, title, severity, etc. of the ticket. In this activity you can reference the values that come from the Graph Security API.

Update Alert: This is the last activity of the Logic App. In this activity I update the status of the Graph Security API alert from newAlert to inProgress. Doing so makes sure that the next time the Logic App runs, this alert is not collected anymore.

Pro Tip: In the activity “Get Alerts” you could also apply a filter to only get alerts from a certain security product. For example, you could use the following filter, vendorInformation/provider eq 'ASC' and Status eq 'newAlert', to only get new alerts from Azure Security Center (the two clauses are combined with the OData keyword and).
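The same four steps (Get Alerts, For Each, Create Ticket, Update Alert) written out in Python, as an added example that is not part of the original post and not a Logic App. It builds the OData filter from the “Get Alerts” step and the provider pro tip, follows @odata.nextLink paging, maps the common alert schema onto a hypothetical ticket schema (the field names are assumptions, not FreshDesk’s), and PATCHes each alert to inProgress, which in the real API requires vendorInformation in the request body. The HTTP transport is injected, so the block runs offline against FakeGraph, a constructed stand-in with sample alerts; nothing here talks to a real tenant.

```python
"""Poll the Graph Security API for new alerts, ticket each one, mark it inProgress.

Added example: the transport is injected so the code runs offline against
FakeGraph below. SAMPLE_ALERTS are constructed, not real alerts.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
# Transport signature: (method, url, json_body) -> (http_status, json_response)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]
# Graph alert severities onto a hypothetical ticket priority scale (1 = lowest).
SEVERITY_TO_PRIORITY = {"informational": 1, "low": 1, "medium": 2, "high": 3}


def new_alert_filter(provider: Optional[str] = None) -> str:
    """"Get Alerts" filter: only status newAlert, optionally one provider.
    Clauses are joined with the OData keyword 'and'; '&' would end the parameter."""
    clauses = ["status eq 'newAlert'"]
    if provider:
        clauses.insert(0, f"vendorInformation/provider eq '{provider}'")
    return " and ".join(clauses)


def get_new_alerts(transport: Transport, provider: Optional[str] = None) -> List[dict]:
    """Fetch every matching alert, following @odata.nextLink until the last page."""
    url: Optional[str] = f"{ALERTS_URL}?$filter={new_alert_filter(provider)}"
    alerts: List[dict] = []
    while url:
        status, body = transport("GET", url, None)
        if status != 200:
            raise RuntimeError(f"GET {url} failed with HTTP {status}")
        alerts.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return alerts


def alert_to_ticket(alert: dict) -> dict:
    """"Create Ticket" step: common alert schema -> hypothetical ticket fields."""
    provider = alert["vendorInformation"]["provider"]
    return {"subject": f"[{provider}] {alert['title']}",
            "description": alert.get("description", ""),
            "priority": SEVERITY_TO_PRIORITY.get(alert.get("severity"), 2),
            "external_id": alert["id"]}  # trace the ticket back to the alert


def mark_in_progress(transport: Transport, alert: dict) -> None:
    """"Update Alert" step; Graph requires vendorInformation in the PATCH body."""
    body = {"status": "inProgress", "vendorInformation": alert["vendorInformation"]}
    status, _ = transport("PATCH", f"{ALERTS_URL}/{alert['id']}", body)
    if status not in (200, 204):
        raise RuntimeError(f"PATCH {alert['id']} failed with HTTP {status}")


def process_new_alerts(transport: Transport, create_ticket: Callable[[dict], Any],
                       provider: Optional[str] = None) -> List[str]:
    """One run of the flow; returns the ids of the alerts that were ticketed."""
    handled: List[str] = []
    for alert in get_new_alerts(transport, provider):
        create_ticket(alert_to_ticket(alert))
        mark_in_progress(transport, alert)  # only after the ticket exists
        handled.append(alert["id"])
    return handled


# Constructed sample data: two ASC alerts, one MCAS alert, one already in progress.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious process executed", "severity": "high",
     "status": "newAlert", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
    {"id": "a2", "title": "Impossible travel activity", "severity": "medium",
     "status": "newAlert", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
    {"id": "a3", "title": "Exposed management port", "severity": "low",
     "status": "newAlert", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
    {"id": "a4", "title": "Already being handled", "severity": "high",
     "status": "inProgress", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
]


class FakeGraph:
    """Stand-in for the alerts endpoint: applies the newAlert and provider clauses,
    pages with a $skip parameter (real Graph emits $skiptoken) and rejects a PATCH
    without vendorInformation, as the real API does."""

    def __init__(self, alerts: List[dict], page_size: int = 2) -> None:
        self.alerts: Dict[str, dict] = {a["id"]: dict(a) for a in alerts}
        self.page_size = page_size

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        if method == "GET":
            provider = None
            if "vendorInformation/provider eq '" in url:
                provider = url.split("vendorInformation/provider eq '")[1].split("'")[0]
            skip = int(url.split("$skip=")[1]) if "$skip=" in url else 0
            matching = [a for a in self.alerts.values() if a["status"] == "newAlert"
                        and (provider is None or a["vendorInformation"]["provider"] == provider)]
            page = {"value": matching[skip:skip + self.page_size]}
            if skip + self.page_size < len(matching):
                page["@odata.nextLink"] = f"{url.split('&$skip=')[0]}&$skip={skip + self.page_size}"
            return 200, page
        if method == "PATCH":
            if not body or "vendorInformation" not in body:
                return 400, {"error": "vendorInformation is required"}
            alert = self.alerts[url.rsplit("/", 1)[1]]
            alert["status"] = body["status"]
            return 200, alert
        return 405, {}


if __name__ == "__main__":
    graph, tickets = FakeGraph(SAMPLE_ALERTS), []
    print("first run ticketed:", process_new_alerts(graph, tickets.append))
    print("second run ticketed:", process_new_alerts(graph, tickets.append))
```

The order inside the loop matters: the alert is only moved to inProgress after the ticket call succeeds, so a failed ticket creation leaves the alert as newAlert and the next poll retries it rather than silently dropping it. Running the block twice against the same FakeGraph shows the second poll returning nothing, which is exactly what the “Update Alert” step buys you.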

Summary

Using the Graph Security API together with Logic Apps makes it quite easy to have all Microsoft security products integrated into your ticketing system or incident management system.

Integrating all security products at once might cause alert fatigue: you will probably receive a huge amount of alerts. This can be solved by a lot of automation or by tuning your security products. If you have not tuned your security products yet, I would rather start with that before integrating them using the Graph Security API.

Happy integrating the Microsoft security products by using Logic Apps and the Graph Security API!
— Jeroen Niesen
