
In this Microsoft Defender XDR article, we will show how to use the Microsoft Graph Security API from a REST API client to retrieve XDR alerts.

Microsoft Defender XDR (extended detection and response) is an enterprise-wide security solution that detects, prevents, investigates and responds to security threats across endpoints, users, email and applications.

XDR is also integrated with the Microsoft Defender and Azure security product lines, which include

  • Defender for Endpoint
  • Defender for Office 365
  • Defender for Identity
  • Defender for Cloud Apps
  • Defender Vulnerability Management
  • Defender for Cloud
  • Entra ID and DLP

Graph Security API

Using the Graph Security API, we can connect to Defender XDR programmatically to list and update alerts, run attack simulations, close incidents, create and manage custom detection rules, and much more.

The API lets organisations build custom applications that handle security incidents, or integrate XDR with other business systems such as ERP platforms.

Connect to the Security API

Connecting to the Security API works the same way as connecting to any other part of Microsoft Graph:

  • Create an App Registration in Entra ID
  • Copy the App Registration details (tenant ID, client ID and a client secret or certificate; treat the secret like a password and keep it out of source control)
  • Request an access token from Entra ID (for a daemon-style client this is the OAuth 2.0 client credentials flow against https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token with the scope https://graph.microsoft.com/.default)
  • Run API calls with the token in the Authorization: Bearer header

To create an App Registration that connects to the Security API, please visit the following detailed blog post we published recently: Create an App Registration for Microsoft Intune Graph API

Permissions

Once the App Registration exists, grant it the SecurityAlert.Read.All application permission and have an administrator grant admin consent for it. Without consent the token does not carry the permission and Graph rejects the call.

This permission only allows reading alerts. Updating alerts (for example changing their status or assignment) needs SecurityAlert.ReadWrite.All instead.

List Alerts

To list the alerts, I will use the following REST API request from the client: GET https://graph.microsoft.com/v1.0/security/alerts_v2. Before sending it, request a token and add it under the request's Auth tab as a Bearer Token, so the client sends it in the Authorization header.

If the App Registration and the API client are configured correctly, the results panel shows the alerts as a JSON array under value. A busy tenant returns them in pages: when the response contains an @odata.nextLink, request that URL to get the next page. A 403 response usually means the permission was not granted or admin consent is missing.
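The same two steps (token request, then the alerts call), as an added example in Python that is not part of the original article. It uses only the standard library, assumes placeholder values for the tenant ID, client ID and client secret, and goes beyond the single Postman request above by following @odata.nextLink so that every page of alerts is collected and then summarised per severity and per Defender product. The token and alert responses at the bottom are constructed so the flow can be exercised offline; with real credentials, call get_token and list_alerts with their default HTTP transports.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
ALERTS_URL = f"{GRAPH_BASE}/security/alerts_v2"
SCOPE = "https://graph.microsoft.com/.default"   # every admin-consented app permission


def _http_post_form(url, form_fields):
    """POST a form body (the shape the token endpoint expects) and parse the JSON reply."""
    data = urllib.parse.urlencode(form_fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _http_get_json(url, headers):
    """GET with headers; surface a Graph error reply (for example 403 when
    SecurityAlert.Read.All was not granted or consented) as an exception."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"Graph returned {e.code}: {e.read().decode(errors='replace')}") from None


def get_token(tenant_id, client_id, client_secret, post=_http_post_form):
    """OAuth 2.0 client credentials flow: the App Registration's own identity, no user."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = post(url, {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    })
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body.get('error_description', body)}")
    return body["access_token"]


def list_alerts(token, severity=None, top=100, get=_http_get_json):
    """Return every alert, following @odata.nextLink until Graph stops paging."""
    params = {"$top": str(top)}
    if severity:                                   # optional server-side filter
        params["$filter"] = f"severity eq '{severity}'"
    url = f"{ALERTS_URL}?{urllib.parse.urlencode(params)}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    alerts = []
    while url:
        page = get(url, headers)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")          # absent on the last page
    return alerts


def summarize(alerts):
    """Count alerts per severity and per Defender product (serviceSource)."""
    summary = {"total": len(alerts), "by_severity": {}, "by_source": {}}
    for a in alerts:
        sev, src = a.get("severity"), a.get("serviceSource")
        summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1
        summary["by_source"][src] = summary["by_source"].get(src, 0) + 1
    return summary


# --- Constructed responses (not real tenant data) so the flow runs offline ---
FAKE_TOKEN = "constructed.access.token"
_PAGE2_URL = f"{ALERTS_URL}?$top=2&$skiptoken=constructed"
FAKE_PAGES = {
    f"{ALERTS_URL}?%24top=2": {                    # urlencode() escapes '$' as %24
        "value": [
            {"id": "constructed-alert-1", "severity": "high",
             "serviceSource": "microsoftDefenderForEndpoint"},
            {"id": "constructed-alert-2", "severity": "medium",
             "serviceSource": "microsoftDefenderForOffice365"},
        ],
        "@odata.nextLink": _PAGE2_URL,
    },
    _PAGE2_URL: {
        "value": [
            {"id": "constructed-alert-3", "severity": "high",
             "serviceSource": "microsoftDefenderForEndpoint"},
        ],
    },
}


def fake_post(url, fields):
    """Stands in for the Entra ID token endpoint."""
    if fields["grant_type"] != "client_credentials" or fields["scope"] != SCOPE:
        raise RuntimeError("unexpected token request")
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": FAKE_TOKEN}


def fake_get(url, headers):
    """Stands in for Graph: rejects a wrong bearer token, otherwise serves the pages."""
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        raise RuntimeError("Graph returned 401: InvalidAuthenticationToken")
    return FAKE_PAGES[url]


def demo(post=fake_post, get=fake_get):
    """Whole flow against the constructed responses; placeholders replace real IDs."""
    token = get_token("<tenant-id>", "<client-id>", "<client-secret>", post=post)
    return summarize(list_alerts(token, top=2, get=get))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The injectable post and get parameters are what make the flow testable without a tenant; dropping them calls Entra ID and Graph for real. Keep the client secret in an environment variable or a vault rather than in the script.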

Summary

In this article, we showed how to connect to the Microsoft Graph Security API using a REST API client. We used Postman, but any REST client will do.

If your organisation needs help developing security solutions using Microsoft Graph Security API, use the contact form below to contact us.