Use Microsoft Graph Security for end-user notifications

In this short blog post, I want to show how you can use Microsoft Graph Security to send alerts and notifications to your end-users. I also want to show you that it is super easy to set up. All you need is:

  • Power Automate or Logic Apps
  • Microsoft Graph Security Connector (premium)
  • Microsoft Teams or Email connector to send the messages
  • One of the (Microsoft) security products to work with like Cloud App Security or Identity Protection

Microsoft Graph Security

The Microsoft Graph Security connector uses the Microsoft Graph Security API. The API connects different security products and providers and puts them together in a unified schema. The schema is really easy to work with and provides a lot of information. In this example, I’ve picked 2 vendors to work with: Microsoft Cloud App Security and Azure Active Directory Identity Protection. These products will give some valuable information that is also suitable for end-users.

The connector provides two triggers to work with. This is where you can start scoping the alerts that you want to work with. You can pick all alerts or just the alerts with high severity.

To get an idea of all the alerts, you can use the Graph Explorer. Use the https://graph.microsoft.com/v1.0/security/alerts API to go through your alerts and see which ones you can act on. You can use filters to narrow down the alerts that you are interested in.

Build the flow

So, let's build the flow. Start with an empty flow and pick your trigger from the Microsoft Graph Security connector.

In this case, I start with all the alerts. I use the Control / Switch feature to filter the alerts. You can start with the vendor name, and after that, you can use another switch to filter on category.

I collected some alerts that you can use as a reference, to get started.

| Provider | Category | Description | Title |
|---|---|---|---|
| IPC | AnonymousLogin | Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs) | Anonymous IP address |
| IPC | UnfamiliarLocation | Sign-in with properties we've not seen recently for the given user | Unfamiliar sign-in properties |
| IPC | ImpossibleTravel | Sign-in from an atypical location based on the user's recent sign-ins | Atypical travel |
| IPC | InfectedDeviceLogin | Sign-in from a malware linked IP address | Malware linked IP address |
| MCAS | MCAS_ALERT_ANUBIS_DETECTION_RISKY_IP_ANONYMOUS | The anonymous proxy IP address [IP] was accessed by [User]. Or: A failed sign in was detected from an anonymous proxy. | Activity from an anonymous proxy |
| MCAS | MCAS_ALERT_ANUBIS_DETECTION_VELOCITY | The user [User] performed an impossible travel activity. The user was active from [IP] in [Country] and [IP] in [Country] within [x] minutes. | Impossible travel activity |
| MCAS | MCAS_ALERT_ANUBIS_DETECTION_NEW_COUNTRY | [User] performed an activity. No activity was performed in [Country] in the past [x] days. | Activity from infrequent country |
| MCAS | MCAS_ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_DELETE | The user [User] deleted more than [X] unique objects in a single session. | Mass delete |
| MCAS | MCAS_ALERT_ANUBIS_DETECTION_INBOX_HIDING | A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. The user [User] created a MoveToFolder rule named [RuleName] on their own inbox, to move messages to a folder named [Foldername]. | Suspicious inbox manipulation rule |

Notifications

Next, you can pick your notification of choice. You can use email, a chat message in Teams, or even a text message with the use of a 3rd party connector. I suggest you start small. You don't want to spam your end-users, so only send notifications that make sense. To get the email address of the user, I first use the Get User action, with the User Principal Name from the alert as input. Here is an example of an email that you can compose to your users:

Or you can send a message using Teams.

Here’s the result.
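The same flow written out in plain Python, as an added example that is not code from the original post or from Microsoft: it builds the Graph Explorer query with an OData $filter (the scoping step above), applies the provider/category switch using the table above, takes the User Principal Name from the alert's userStates, resolves it through a constructed directory that stands in for the Get User action, and composes the message. It also adds the caveat the post hints at: a user is messaged at most once per alert type inside a suppression window, so a repeated alert does not turn into spam. The sample alerts, the directory, the 24-hour window and the message wording are all assumptions made for this example.

```python
"""Added example (not from the original post or Microsoft): the flow in plain
Python. Query, switch on provider/category, resolve the user (stand-in for
Get User), compose, and suppress repeats. Sample data is constructed."""
from datetime import datetime, timedelta

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"

# Templates keyed by (vendorInformation.provider, category) from the table
# above; kept small on purpose, alerts not listed are not forwarded.
TEMPLATES = {
    ("IPC", "AnonymousLogin"): "a sign-in from an anonymous IP address (e.g. Tor or an anonymizer VPN)",
    ("IPC", "UnfamiliarLocation"): "a sign-in with properties we have not seen for you recently",
    ("IPC", "ImpossibleTravel"): "a sign-in from a location that does not fit your recent sign-ins",
    ("MCAS", "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY"): "activity from two distant locations within a short time",
}

# Stand-in for the flow's Get User action (constructed, not a Graph call).
DIRECTORY = {
    "alice@contoso.example": {"displayName": "Alice", "mail": "alice@contoso.example"},
    "bob@contoso.example": {"displayName": "Bob", "mail": "bob@contoso.example"},
}


def alerts_query(severity=None, providers=()):
    """URL for Graph Explorer with an OData $filter on severity and provider."""
    clauses = []
    if severity:
        clauses.append(f"severity eq '{severity}'")
    if providers:
        clauses.append("(" + " or ".join(
            f"vendorInformation/provider eq '{p}'" for p in providers) + ")")
    return GRAPH_ALERTS + ("?$filter=" + " and ".join(clauses) if clauses else "")


def alert_upn(alert):
    """User principal name from userStates, which the post feeds to Get User."""
    for state in alert.get("userStates") or []:
        if state.get("userPrincipalName"):
            return state["userPrincipalName"].lower()
    return None


def route(alert):
    """The flow's Control / Switch: on provider first, then on category."""
    provider = (alert.get("vendorInformation") or {}).get("provider")
    return TEMPLATES.get((provider, alert.get("category")))


class Notifier:
    """Compose messages; at most one per user and alert type per window."""

    def __init__(self, window=timedelta(hours=24)):
        self.window, self.last_sent, self.sent = window, {}, []

    def notify(self, alert):
        """Return the message for this alert, or None when nothing is sent."""
        template, upn = route(alert), alert_upn(alert)
        user = DIRECTORY.get(upn) if template and upn else None
        if user is None:
            return None
        when = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
        key = (upn, alert["vendorInformation"]["provider"], alert["category"])
        last = self.last_sent.get(key)
        if last is not None and when - last < self.window:
            return None  # same user and alert type again too soon: stay quiet
        self.last_sent[key] = when
        message = {
            "to": user["mail"],
            "subject": f"Security notice: {alert['title']}",
            "body": (f"Hi {user['displayName']}, we noticed {template} on {when:%Y-%m-%d %H:%M} UTC. "
                     "If this was not you, please contact the service desk."),
            "alertId": alert["id"],
        }
        self.sent.append(message)
        return message


# Constructed alerts in the unified alert schema, trimmed to the fields used.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Anonymous IP address", "category": "AnonymousLogin",
     "severity": "high", "createdDateTime": "2021-03-01T08:00:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "Alice@contoso.example"}]},
    {"id": "a2", "title": "Impossible travel activity", "severity": "medium",
     "category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
     "createdDateTime": "2021-03-01T08:05:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "bob@contoso.example"}]},
    {"id": "a3", "title": "Anonymous IP address", "category": "AnonymousLogin",
     "severity": "high", "createdDateTime": "2021-03-01T08:10:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
]


def run(alerts=SAMPLE_ALERTS):
    """Feed alerts through the notifier in order; return the messages to send."""
    notifier = Notifier()
    for alert in alerts:
        notifier.notify(alert)
    return notifier.sent
```

Running `run()` on the sample alerts yields two messages: one to Alice for the first anonymous-IP sign-in and one to Bob for the impossible travel alert; the second anonymous-IP alert for Alice ten minutes later is swallowed by the suppression window. In Power Automate the same suppression needs some state (a SharePoint list or a Dataverse table keyed the same way), which is the main thing the built-in Switch does not give you.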

Example flow

I exported my flow, so that you can use it as a sample. You can download it from GitHub.

Let’s wrap up

It's so cool to integrate Microsoft products and make the most of them. I made this blog post to give you some ideas of what you can do. You can go nuts here! But, as I said before, you might want to take it slow on the number of messages you send to your end-users. You could also start with high severity alerts only.

Here’s some documentation to get you started:

https://docs.microsoft.com/en-us/graph/api/alert-list?view=graph-rest-1.0&tabs=http
https://docs.microsoft.com/en-us/graph/security-concept-overview
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk

Stay safe!
