Flow and the Microsoft Secure Graph


During a cloud event at Motion10 my respected colleague Ralph Blokpoel demonstrated how you could use LogicApps to connect to the Microsoft Secure Graph. This connector is now in preview.

Ralph’s demonstration triggered (no pun intended) me. What if I could create a Flow to connect to the secure graph and to Microsoft Teams as well? Well, this works 🙂

Flow info

Hold on, what about those dashboards and alerts?

Why use these connectors and Flow to send out all those notifications? Most platforms (the Office 365 audit log, Cloud App Security, Log Analytics, to name a few) already have their own notification functions.

But let's remember that Flow is not just a notification engine (duh...). With Flow you can take the details of an alert, set conditions and add your own actions. So you can really create cool workflows, combined with the other Office 365 (and Azure) functions. So let's take a look.

Creating the flow

My basic flow is very easy. It is based on a recurrence and runs every 15 minutes. During the run it connects to the Microsoft Secure Graph and checks for alerts with severity “High”. It returns the top five alerts.

Based on these alerts, I receive an e-mail. Also, the details are added to a specific channel in Microsoft Teams. Easy isn’t it?
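The same query the flow above issues (severity filter, top five alerts) written out against the Graph Security API, as an added example that is not part of the original post. It assumes an access token with the SecurityEvents.Read.All permission, uses a constructed sample response instead of a live tenant, and adds the one thing a 15-minute recurrence needs that the flow does not show: remembering which alert ids were already sent, so the same top five are not re-posted every run.

```python
"""Query Graph Security alerts like the Flow does, then de-duplicate across runs."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"


def build_alerts_url(severity="high", top=5):
    """Same request the Flow issues: severity filter, newest first, top N.
    Severity values in the API are lowercase ('high') even though the
    Flow designer shows 'High'."""
    params = {"$filter": f"severity eq '{severity}'",
              "$orderby": "createdDateTime desc", "$top": top}
    return f"{GRAPH_ALERTS}?{urlencode(params)}"


def fetch_alerts(token, severity="high", top=5):
    """Live call (not exercised offline); token needs SecurityEvents.Read.All."""
    req = Request(build_alerts_url(severity, top),
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)


def new_alerts(payload, seen_ids):
    """Keep only alerts not notified on an earlier run and record their ids.
    Without this a recurrence trigger re-sends the same top-5 every 15 minutes."""
    fresh = [a for a in payload.get("value", []) if a["id"] not in seen_ids]
    seen_ids.update(a["id"] for a in fresh)
    return fresh


def teams_message(alerts):
    """chatMessage body for a Teams channel post, one line per alert,
    carrying the same fields the e-mail action in the post uses."""
    lines = [f"<b>{a['title']}</b> [{a['severity']}] from "
             f"{a['vendorInformation']['provider']} at {a['createdDateTime']} "
             f"(status: {a['status']})" for a in alerts]
    return {"body": {"contentType": "html", "content": "<br>".join(lines)}}


# Constructed sample in the shape Graph returns; these are not real alerts.
SAMPLE = {"value": [
    {"id": "alert-001", "title": "Suspicious OAuth app consent", "severity": "high",
     "status": "newAlert", "createdDateTime": "2019-03-01T10:00:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
    {"id": "alert-002", "title": "Impossible travel activity", "severity": "high",
     "status": "inProgress", "createdDateTime": "2019-03-01T09:30:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
]}

if __name__ == "__main__":
    seen = {"alert-002"}  # pretend the second alert was already sent last run
    print(json.dumps(teams_message(new_alerts(SAMPLE, seen)), indent=2))
```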

(Image: The flow in all its glory)

Secure Graph options

When using the Secure Graph connector (hint: look for Microsoft Graph when adding this one), you get access to a lot of alert information.

(Image: Actions related to the connector)

In my flow I use some of these dynamic fields: some in the e-mail action, others in the Teams action.

(Image: Send an email action)

The Microsoft Teams action is really nice. As this platform is used more and more, I like that you can now use Flow to post messages as well. Another example would be to post a message to a channel when a file is added to a document library. Great stuff.

(Image: Microsoft Teams action)

Results!

Now that the Flow is done, let’s test it out. I do know that I have some high severity alerts in my tenant. I created these when testing the OAuth policy in Cloud App Security. So the Flow should give me some results.

(Image: Alert in e-mail)

And yes, the alerts are also posted to Teams. Although it took some time, as Teams suffered from an outage when I tested this Flow 😦

(Image: Alert posted to Teams channel)

This is a great new function for Flow, in my opinion. One fun fact: if you want to use the new connector with LogicApps, you cannot do so in the Azure Government and Azure China regions.

If you want to know more about this connector, read the documentation here: https://docs.microsoft.com/en-us/connectors/microsoftgraphsecurity/
