In this short blog post, I want to show how you can use the Microsoft Graph Security connector to send alerts and notifications to your end-users. I also want to show you that it is super easy to set up. All you need is:
- Power Automate or Logic Apps
- Microsoft Graph Security Connector (premium)
- Microsoft Teams or Email connector to send the messages
- One of the (Microsoft) security products to work with like Cloud App Security or Identity Protection
Microsoft Graph Security
The Microsoft Graph Security connector uses the Microsoft Graph Security API. The API connects different security products and providers and puts them together in a unified schema. The schema is really easy to work with and provides a lot of information. In this example, I’ve picked 2 vendors to work with: Microsoft Cloud App Security and Azure Active Directory Identity Protection. These products will give some valuable information that is also suitable for end-users.
The connector provides two triggers to work with. This is where you can start scoping the alerts that you want to work with. You can pick all alerts or just the alerts with high severity.
To get an idea of all the alerts, you can use the Graph Explorer. Use the https://graph.microsoft.com/v1.0/security/alerts API to go through your alerts and see which ones you can act on. You can use filters to narrow down the alerts that you are interested in.
Build the flow
So, let's build the flow. Start with an empty flow and pick your trigger from the Microsoft Graph Security connector.
In this case, I start with all the alerts. I use the Control / Switch feature to filter the alerts. You can start with the vendor name, and after that, you can use another switch to filter on category.
I collected some alerts that you can use as a reference, to get started.
| Description | Title |
|---|---|
| Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs) | Anonymous IP address |
| Sign-in with properties we've not seen recently for the given user | Unfamiliar sign-in properties |
| Sign-in from an atypical location based on the user's recent sign-ins | |
| Sign-in from a malware linked IP address | Malware linked IP address |
| The anonymous proxy IP address [IP] was accessed by [User]. Or: A failed sign in was detected from an anonymous proxy. The anonymous proxy IP address [IP] was accessed by [User]. | Activity from an anonymous proxy |
| The user [User] performed an impossible travel activity. The user was active from [IP] in [Country] and [IP] in [Country] within [x] minutes. | Impossible travel activity |
| [User] performed an activity. No activity was performed in [Country] in the past [x] days. | Activity from infrequent country |
| The user [User] deleted more than [X] unique objects in a single session. | |
| A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. The user [User] created a MoveToFolder rule named [RuleName] on their own inbox, to move messages to a folder named [Foldername]. | Suspicious inbox manipulation rule |
Next, you can pick your notification of choice. You can use email, a chat message on Teams, or even a text message with the use of a third-party connector. I suggest you start small. You don't want to spam your end-users, so only send notifications that make sense. To get the email address of the user, I first use the Get User action. I use the User Principal Name from the alert as input. Here is an example of an email that you can compose to your users:
Or you can send a message using Teams.
Here’s the result.
I exported my flow, so that you can use it as a sample. You can download it from Github.
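To show the same logic outside the designer, here is an added example (my own code, not the exported flow or anything from Microsoft) that mirrors the steps above: build the `$filter` for the alerts endpoint, gate on severity, switch on provider and then on category, resolve the user by UPN the way the Get User action does, and compose the message. The alerts, the user directory, and the provider/category strings (`IPC`, `MCAS`, `AnonymousLogin`, and so on) are constructed for the demo in the shape of the Graph Security v1.0 alert schema; check the values your own tenant returns in Graph Explorer before keying a switch on them. No call to Graph is made.

```python
"""Route Microsoft Graph Security alerts to end-user notifications.

Added example mirroring the Power Automate flow: severity gate -> switch on
provider -> switch on category -> Get User by UPN -> compose the message.
Sample alerts and the user directory are constructed; nothing calls Graph.
"""
from urllib.parse import urlencode

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"

# Graph's alertSeverity is an enum, so an "at least this severity" scope
# has to list each qualifying level explicitly in the OData filter.
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}


def build_filter(min_severity="high", provider=None):
    """OData $filter for the trigger scope: severity floor plus optional provider."""
    floor = SEVERITY_RANK[min_severity]
    levels = [s for s, rank in SEVERITY_RANK.items() if rank >= floor]
    sev = " or ".join(f"severity eq '{s}'" for s in levels)
    clauses = [f"({sev})" if len(levels) > 1 else sev]
    if provider:
        clauses.append(f"vendorInformation/provider eq '{provider}'")
    return " and ".join(clauses)


def build_alerts_url(min_severity="high", provider=None, top=50):
    """The URL you would paste into Graph Explorer or hand to an HTTP action."""
    query = urlencode({"$filter": build_filter(min_severity, provider), "$top": top})
    return f"{GRAPH_ALERTS}?{query}"


# The category switch: message per (provider, category). These keys are
# constructed for the sample alerts below, not verified Graph values.
TEMPLATES = {
    ("IPC", "AnonymousLogin"): (
        "Sign-in from an anonymous IP address",
        "We saw a sign-in to your account from an anonymous IP address, such as a Tor "
        "browser or anonymizing VPN. If this was not you, change your password now.",
    ),
    ("MCAS", "ImpossibleTravel"): (
        "Sign-ins from two distant locations",
        "Your account was used from two locations too far apart to travel between in "
        "the time observed. If you do not recognise both, change your password now.",
    ),
    ("MCAS", "SuspiciousInboxManipulationRule"): (
        "A new rule was added to your mailbox",
        "An inbox rule that moves messages was created on your mailbox. If you did not "
        "create it, remove the rule and contact the service desk.",
    ),
}


def route_alert(alert, directory, min_severity="medium"):
    """One pass of the flow for one alert; returns the notifications to send.

    Empty list when the alert is below the severity floor, lands in the
    switch's default branch, or names no user we can resolve.
    """
    if SEVERITY_RANK.get(alert.get("severity", "unknown"), 0) < SEVERITY_RANK[min_severity]:
        return []
    provider = alert.get("vendorInformation", {}).get("provider")
    template = TEMPLATES.get((provider, alert.get("category")))
    if template is None:
        return []
    subject, body = template
    notifications = []
    for state in alert.get("userStates", []):
        user = directory.get(state.get("userPrincipalName"))  # stands in for Get User
        if user is None:
            continue
        notifications.append({
            "to": user["mail"],
            "subject": subject,
            "body": f"Hi {user['displayName']},\n\n{body}\n\n"
                    f"Alert: {alert.get('title', '')} ({alert.get('id', '')})",
        })
    return notifications


# Constructed directory standing in for the Get User action.
DIRECTORY = {
    "alice@contoso.example": {"displayName": "Alice", "mail": "alice@contoso.example"},
}

# Constructed alerts in the shape of the Graph Security alert resource.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Anonymous IP address", "severity": "high", "category": "AnonymousLogin",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
    {"id": "a2", "title": "Activity from infrequent country", "severity": "low",
     "category": "InfrequentCountry", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
    {"id": "a3", "title": "Mass delete", "severity": "high", "category": "MassDelete",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "bob@contoso.example"}]},
]


def run(alerts=SAMPLE_ALERTS, directory=DIRECTORY):
    """Notifications produced for a batch of alerts."""
    out = []
    for alert in alerts:
        out.extend(route_alert(alert, directory))
    return out


if __name__ == "__main__":
    print(build_alerts_url("high", "MCAS"))
    for n in run():
        print(n["to"], "|", n["subject"])
```

Two things carry over to the real flow: the default branch of the switch sends nothing, which is what keeps the noise down, and the severity floor lives in one place so you can start at `high` and widen it later, as the post suggests.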
Let’s wrap up
It's so cool to integrate Microsoft products and make the most out of them. I made this blog post to give you some ideas of what you can do. You can go nuts here! But, as I said before, you might want to take it slow on the number of messages you send to your end-users. You could also start with high severity alerts only.
Here’s some documentation to get you started: