How to Collect Microsoft Defender Security Alerts | Graph API Guide
Overview
Microsoft Graph Security API provides access to security alerts from Microsoft Defender products including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. Use this guide to ingest security alerts for SIEM integration, threat monitoring, and incident response.
Common Use Cases:
- Centralize security alerts from all Microsoft Defender products
- Integrate with SIEM for unified threat monitoring
- Automate incident response workflows
- Track malware detections and suspicious activities
- Monitor security alert trends and patterns
Prerequisites
Before configuring Edge Delta, complete the Azure AD application setup:
- Register an Azure AD application with Application permissions (not Delegated)
- Grant the SecurityEvents.Read.All permission and obtain admin consent
- Create a client secret and note your Tenant ID, Client ID, and Client Secret
For detailed setup instructions, see Microsoft Graph API Integration.
Configuration
Basic Security Alert Collection
```yaml
nodes:
  - name: microsoft_security_alerts
    type: http_pull_input
    endpoint: https://graph.microsoft.com/v1.0/security/alerts
    method: GET
    pull_interval: 5m
    authorization:
      strategy: oauth_client_credentials
      client_credentials:
        token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        scopes:
          - https://graph.microsoft.com/.default
    header_templates:
      - header: Authorization
        value: Bearer $ACCESS_TOKEN
    parameters:
      - name: "$orderby"
        value: "createdDateTime asc"
      - name: "$top"
        value: "50"
    parameter_expressions:
      - name: "$filter"
        value_expression: Concat(["createdDateTime ge ", FormatTime(Now() - Duration("5m10s"), "%Y-%m-%dT%H:%M:%SZ")], "")
```
Monitor High-Severity Alerts Only
Focus on critical and high-severity security events:
```yaml
nodes:
  - name: high_severity_alerts
    type: http_pull_input
    endpoint: https://graph.microsoft.com/v1.0/security/alerts
    method: GET
    pull_interval: 2m
    authorization:
      strategy: oauth_client_credentials
      client_credentials:
        token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        scopes:
          - https://graph.microsoft.com/.default
    header_templates:
      - header: Authorization
        value: Bearer $ACCESS_TOKEN
    parameters:
      - name: "$orderby"
        value: "createdDateTime asc"
      - name: "$top"
        value: "100"
      - name: "$filter"
        value: "severity eq 'high' or severity eq 'critical'"
```
Monitor Active Alerts
Track alerts that require attention (not resolved):
```yaml
nodes:
  - name: active_security_alerts
    type: http_pull_input
    endpoint: https://graph.microsoft.com/v1.0/security/alerts
    method: GET
    pull_interval: 5m
    authorization:
      strategy: oauth_client_credentials
      client_credentials:
        token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        scopes:
          - https://graph.microsoft.com/.default
    header_templates:
      - header: Authorization
        value: Bearer $ACCESS_TOKEN
    parameters:
      - name: "$orderby"
        value: "createdDateTime asc"
      - name: "$top"
        value: "50"
      - name: "$filter"
        value: "status eq 'newAlert' or status eq 'inProgress'"
```
Alert Severity Levels
| Severity | Description | Recommended Pull Interval |
|---|---|---|
| critical | Immediate threat, active attack | 1-2 minutes |
| high | High-impact threat, quick action needed | 2-5 minutes |
| medium | Moderate risk, investigation needed | 5 minutes |
| low | Minor issues, routine review | 5-10 minutes |
| informational | FYI, no action required | 10-15 minutes |
OData Filter Examples
| Filter | Description |
|---|---|
| severity eq 'high' | High-severity alerts only |
| status eq 'newAlert' | Unreviewed alerts |
| vendorInformation/provider eq 'Microsoft Defender ATP' | Specific Defender product |
| category eq 'Malware' | Malware-related alerts |
| assignedTo eq 'security-team@company.com' | Assigned to specific team |
Combine multiple conditions:
```
$filter: "severity eq 'high' and status ne 'resolved' and createdDateTime ge 2024-01-01T00:00:00Z"
```
Alert Categories
| Category | Description | Source Products |
|---|---|---|
| Malware | Malicious software detected | Defender for Endpoint |
| SuspiciousActivity | Anomalous behavior patterns | All Defender products |
| UnwantedSoftware | Potentially unwanted programs | Defender for Endpoint |
| Phishing | Phishing attempts | Defender for Office 365 |
| CompromisedCredentials | Leaked or stolen credentials | Defender for Identity |
| Ransomware | Ransomware activity | Defender for Endpoint |
Sample Security Alert
```json
{
  "id": "alert-guid-here",
  "azureTenantId": "tenant-guid",
  "createdDateTime": "2024-01-01T10:00:00Z",
  "title": "Suspicious PowerShell command detected",
  "description": "A potentially malicious PowerShell command was executed on device WORKSTATION-001",
  "severity": "high",
  "status": "newAlert",
  "category": "SuspiciousActivity",
  "vendorInformation": {
    "provider": "Microsoft Defender ATP",
    "vendor": "Microsoft",
    "subProvider": "MicrosoftDefenderATP"
  },
  "userStates": [
    {
      "userPrincipalName": "user@company.com",
      "accountName": "user",
      "domainName": "COMPANY"
    }
  ],
  "hostStates": [
    {
      "netBiosName": "WORKSTATION-001",
      "fqdn": "workstation-001.company.com",
      "os": "Windows 10"
    }
  ],
  "fileStates": [
    {
      "name": "powershell.exe",
      "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    }
  ],
  "recommendedActions": [
    "Isolate the affected device",
    "Review user activity logs",
    "Scan for additional threats"
  ]
}
```
Key Fields for Analysis
| Field | Description | Use Case |
|---|---|---|
| severity | Alert priority level | Triage and routing |
| status | newAlert, inProgress, resolved | Track investigation state |
| category | Type of threat | Classify incidents |
| vendorInformation.provider | Source Defender product | Identify detection source |
| userStates | Affected users | Impact assessment |
| hostStates | Affected devices | Containment decisions |
| recommendedActions | Suggested remediation | Response guidance |
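To show how the key fields above are actually used downstream, here is an added example (not Edge Delta's or Microsoft's code) that flattens a Graph alert into a SIEM-friendly record and assigns it a triage queue from `severity` and `status`. The queue names and the routing thresholds are an assumed policy that follows the severity table on this page; `SAMPLE_ALERT` is the sample alert shown above, embedded so the script runs offline.

```python
"""Normalize a Graph Security alert and route it by severity/status.

Added example (not Edge Delta's or Microsoft's code). Queue names and thresholds
are an assumed policy; the missing-field defaults are defensive choices, not
documented Graph behaviour.
"""

# Ranking follows the page's Alert Severity Levels table (highest first).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}
# Statuses the page's "Monitor Active Alerts" config treats as needing attention.
ACTIVE_STATUSES = {"newAlert", "inProgress"}

# The page's sample alert, embedded so this runs offline (values are placeholders).
SAMPLE_ALERT = {
    "id": "alert-guid-here",
    "azureTenantId": "tenant-guid",
    "createdDateTime": "2024-01-01T10:00:00Z",
    "title": "Suspicious PowerShell command detected",
    "severity": "high",
    "status": "newAlert",
    "category": "SuspiciousActivity",
    "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft",
                          "subProvider": "MicrosoftDefenderATP"},
    "userStates": [{"userPrincipalName": "user@company.com", "accountName": "user",
                    "domainName": "COMPANY"}],
    "hostStates": [{"netBiosName": "WORKSTATION-001",
                    "fqdn": "workstation-001.company.com", "os": "Windows 10"}],
    "fileStates": [{"name": "powershell.exe",
                    "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}],
    "recommendedActions": ["Isolate the affected device", "Review user activity logs",
                           "Scan for additional threats"],
}


def normalize_alert(alert: dict) -> dict:
    """Flatten the nested Graph alert into the key fields a SIEM rule can index.

    Unknown or missing severity is ranked as informational (rank 0) so it is never
    silently dropped; hosts fall back to netBiosName when fqdn is absent.
    """
    severity = alert.get("severity", "informational")
    vendor = alert.get("vendorInformation") or {}
    return {
        "alert_id": alert.get("id"),
        "tenant_id": alert.get("azureTenantId"),
        "created": alert.get("createdDateTime"),
        "title": alert.get("title"),
        "severity": severity,
        "severity_rank": SEVERITY_RANK.get(severity, 0),
        "status": alert.get("status"),
        "is_active": alert.get("status") in ACTIVE_STATUSES,
        "category": alert.get("category"),
        "provider": vendor.get("provider"),
        "users": [u["userPrincipalName"] for u in alert.get("userStates", [])
                  if u.get("userPrincipalName")],
        "hosts": [h.get("fqdn") or h.get("netBiosName") for h in alert.get("hostStates", [])],
        "files": [f.get("path") or f.get("name") for f in alert.get("fileStates", [])],
        "recommended_actions": list(alert.get("recommendedActions", [])),
    }


def route(record: dict) -> str:
    """Assumed queue policy: closed alerts are archived, critical/high page the SOC,
    medium goes to investigation, low/informational to routine review."""
    if not record["is_active"]:
        return "closed"
    if record["severity_rank"] >= SEVERITY_RANK["high"]:
        return "soc-urgent"
    if record["severity_rank"] == SEVERITY_RANK["medium"]:
        return "soc-investigate"
    return "review"


def triage(alerts: list) -> dict:
    """Group normalized alerts by queue, highest severity first within each queue."""
    queues: dict = {}
    for rec in (normalize_alert(a) for a in alerts):
        queues.setdefault(route(rec), []).append(rec)
    for recs in queues.values():
        recs.sort(key=lambda r: r["severity_rank"], reverse=True)
    return queues


if __name__ == "__main__":
    for queue, recs in triage([SAMPLE_ALERT]).items():
        for r in recs:
            print(queue, r["severity"], r["status"], r["hosts"], r["users"])
```

Routing on `status` as well as `severity` matters because Graph returns resolved alerts in the same feed; without the `is_active` check a re-pulled high-severity alert that has already been closed would page the on-call again.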
Troubleshooting
| Issue | Solution |
|---|---|
| 401 Unauthorized | Verify tenant ID, client ID, and secret are correct |
| 403 Forbidden | Ensure SecurityEvents.Read.All permission has admin consent |
| Empty results | Verify Microsoft Defender licenses are active |
| Missing alerts | Check alert age; very old alerts may be archived |
Related Pages
- Microsoft Graph API Overview - Complete API reference
- Azure AD Sign-In Logs - Authentication monitoring
- Azure AD Directory Audit Logs - Admin action tracking