Microsoft Graph Security API v1 Integration Guide
This API has been deprecated by Microsoft
Microsoft has discontinued the Graph Security API v1 endpoint, and XDR has stopped ingesting alerts from it. New v1 integrations can no longer be configured.
Use the Microsoft Graph Security API Alerts v2 integration instead. The v2 integration is the supported path forward and covers Microsoft's currently maintained security products.
Existing Graph Security API v1 integrations have been left in place so configurations are preserved, but they will report as unhealthy until they are deleted. To remove a v1 integration, go to Integrations > Cloud APIs in XDR and delete the integration.
Searching Historical v1 Detections
While v1 ingestion has stopped, detections collected before the API was discontinued may still be searchable in XDR. Use the references below when reviewing historical v1 data.
To return all Graph Security v1 events:

```
where ingest.product.name = 'GRAPH_ALERTS' and ingest.product.version = 'Legacy'
```
To filter historical v1 detections by a specific Microsoft provider, use the detector_name values listed in the table below. For example, to search for Microsoft 365 Defender detections:

```
FROM detection WHERE sensor_types = 'MICROSOFT_GRAPH_ALERTS' AND detector_name = 'Microsoft 365 Defender'
```
Microsoft Provider to XDR Detector Name Mapping
| Microsoft Provider | XDR Detector Name |
|---|---|
| ASC | Azure Security Center |
| MCAS | Microsoft Cloud App Security |
| IPC | Azure Active Directory Identity Protection |
| Microsoft Sentinel | Microsoft Sentinel |
| Microsoft Defender ATP | Microsoft Defender ATP |
| Azure Advanced Threat Protection | Azure Advanced Threat Protection |
| Microsoft 365 Defender | Microsoft 365 Defender |
| Office 365 Security and Compliance | Microsoft Office 365 Security and Compliance |
Note
Some Microsoft provider names listed above have since been rebranded; for example, ASC is now Microsoft Defender for Cloud and MCAS is now Microsoft Defender for Cloud Apps. The values shown reflect the original Graph Security v1 provider strings as they were stored on detections at ingest time, and are what you should use when searching historical data.