Correlate security alerts - Microsoft Graph

"The security API not only allows us to receive actionable alert information but also allows our security analysts to pivot and enrich alerts with asset and user information."

Anomali.com

Image showing security alerts API aggregating alerts from multiple sources for an application

Use one API to access security alerts from Microsoft and partners

Calls to the Security API are federated to all supported Microsoft security products, services, and partners. The results are aggregated in a common schema, making it easier to correlate alerts from multiple sources. By connecting and enriching alerts, you can more easily understand the scope and impact of an attack. Query for all alerts pertaining to specific users, devices, files, or even command lines when investigating a specific threat or use webhook subscriptions to get notified when any new alert matching your search criteria is created or updated.

Image showing an alert update with status, assignment, feedback, and tags.

Update alert tags, status, and assignments

Tag alerts with additional context or threat intelligence to inform response and remediation. Ensure that comments and feedback on alerts are captured for visibility to all workflows. Keep alert status and assignments in sync so that all integrated solutions reflect the current state. Use webhook subscriptions to get notified of changes.

Use Microsoft Graph to correlate multiple security alerts in order to improve threat protection and response

"The security API not only allows us to receive actionable alert information but also allows our security analysts to pivot and enrich alerts with asset and user information."

Use one API to access security alerts from Microsoft and partners

Update alert tags, status, and assignments

Learn more about correlating security alerts

Security API overview

Get started with the security API

Security API whitepaper