Microsoft Graph API

Security analysts use the Microsoft Graph security API to investigate cyber alerts by consolidating and correlating security alerts from multiple sources, enriching security alerts with additional context, and automating security investigations.

Salem offers configurable integrations with a customer's Microsoft Graph API to automate the process of building context around alerts. Users can create webhook ActionConfs that accept query instructions from users and apply the information in the response to alert data to identify endpoints, system activity, or other context-building information.

Description: In the default case, Salem retrieves data from a Microsoft Graph API resource by authenticating using a secret stored in a digital key vault and returning data based on a user-defined query. The user can then process the output using an eval string to build Salem ActionConfs.

Request Workflow:

  1. The user defines the Microsoft Graph API endpoint to query in the api_path input field.

  2. The user refines the results of the query by including optional query parameters in the select, search, and filter input fields.

  3. Salem retrieves a bearer token using the secret value and uses this token to authenticate against the defined endpoint. An HTTP GET request is then sent to that endpoint.

  4. The filters defined in step 2 are passed with the request to narrow the response data.

By default, the Microsoft Graph API ActionDefinition expects a key vault resource that contains a client secret. This secret is passed as part of the bearer token request. To match this configuration, create a secret value in a key vault resource Salem can access.

The default Microsoft Graph API ActionDefinition includes 4 fields for the user to define as part of the request generation:

  • api_path - The Microsoft Graph API endpoint that the user wants to query

  • select - Optional parameter to select which fields to return from the API. Not all fields are returned by default, so leaving this field blank can omit fields you need

  • search - Optional parameter to search for specific results from the API query

  • filter - Optional parameter to filter for specific results from the API query

The format/structure of requests made by Salem to the target resources (defined in other parameters) is defined in this object.

In the default case, Salem uses OAuth2 to authenticate using a key vault secret and then includes the resulting bearer token as part of the query to Microsoft Graph API. The user input, as described in the preceding section, is also passed as part of the request to Microsoft Graph API.
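As an added example (not Salem's own code), the request flow described above in plain Python: the key-vault secret is exchanged for a bearer token with the OAuth2 client-credentials grant, and the four ActionDefinition fields are turned into a Graph GET. The page names no concrete endpoint, so `security/alerts_v2` in the test is illustrative, and the `http` parameter is an assumption that lets the exchange be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def _http_json(url, data=None, headers=None):
    """Real transport: POST when a body is given, otherwise GET; parse JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def build_graph_request(api_path, select="", search="", filter_=""):
    """Return (url, headers) built from the four ActionDefinition fields;
    blank optional fields are left out of the query string."""
    params = {}
    if select:
        params["$select"] = select
    if search:
        params["$search"] = f'"{search}"'  # Graph wants the term double-quoted
    if filter_:
        params["$filter"] = filter_
    url = f"{GRAPH_BASE}/{api_path.strip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    headers = {"Accept": "application/json"}
    if search:
        # Required for $search on directory resources such as users and groups.
        headers["ConsistencyLevel"] = "eventual"
    return url, headers

def get_token(tenant_id, client_id, client_secret, http=_http_json):
    """OAuth2 client-credentials grant. client_secret is the value read from
    the key vault; it is sent only here, never in the Graph query itself."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return http(TOKEN_URL.format(tenant=tenant_id), data=body)["access_token"]

def graph_get(token, api_path, select="", search="", filter_="", http=_http_json):
    """Authenticated GET: bearer token in the header, user fields in the query."""
    url, headers = build_graph_request(api_path, select, search, filter_)
    headers["Authorization"] = f"Bearer {token}"
    return http(url, headers=headers)
```

The output dictionary is what an eval string would then process; note that the secret never leaves the token exchange, so it cannot leak through the Graph URL or request logs.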
