# Microsoft Graph Security: Alert Ingestion Guide

This guide covers two approaches for ingesting Microsoft security alerts into Swimlane Turbine via the Microsoft Graph Security API, normalized to TEDS format:

- **Connector**: use the Microsoft Graph API connector actions directly in a playbook for full control over your workflow.
- **Component**: use the Microsoft Graph Alert Ingestion component for a turnkey pipeline that retrieves alerts, extracts IOCs, and ingests enriched alerts via webhook.

Both approaches support the same authentication methods (OAuth 2.0 client credentials or delegated flow). The component adds automated IOC extraction and webhook-based ingestion on top of the connector's alert retrieval capabilities.

## Key capabilities

- **Automatic IOC extraction**: indicators of compromise (domains, IPs, emails, URLs, file hashes) are automatically parsed from alert descriptions and evidence using the Swimlane Utilities IOC parser.
- **Unified TEDS format**: every Microsoft security alert is normalized to TEDS, enabling cross-vendor playbooks and dashboards alongside CrowdStrike, SentinelOne, and other sources.
- **Configurable ingestion window**: control exactly how far back to pull alerts using a timestamp input. Run continuously on a schedule, backfill historical alerts on demand, or use manual triggers for testing.
- **Dual authentication support**: works with both OAuth 2.0 client credentials (service accounts) and delegated flow (user-based authentication), fitting any Azure AD deployment model.
- **Multi-provider coverage**: ingests alerts from any Microsoft security product surfaced through the Graph Security API, including Microsoft Defender for Endpoint, Azure AD Identity Protection, Microsoft Defender for Cloud, and others.

## Using the connector

The Microsoft Graph API Security connector provides dedicated alert ingestion actions: List Alerts, Get Alert, and Update Alert. Use this approach when you want full control over your playbook logic and custom processing.

### How it works

1. **List alerts**: use the List Alerts action to retrieve security alerts from the Microsoft Graph Security API, filtered by time range, severity, or status using OData filters.
2. **Get alert details**: use the Get Alert action to fetch detailed information for specific alerts by alert ID.
3. **Normalize**: use playbook logic or transform blocks to map alert fields to TEDS or your desired record format.
4. **Create records**: build CIM records, TI records, or custom record types based on your application's data model.

### Connector setup

**Prerequisites**

- Azure AD application registration with Microsoft Graph Security API permissions
- The Microsoft Graph API Security connector installed from the Turbine marketplace

**Steps**

1. **Create an asset**: in Turbine, create a new Microsoft Graph API Security asset with your OAuth 2.0 credentials.
2. **Create a playbook**: create a new playbook with a scheduled trigger (e.g., every 5 minutes).
3. **Add the List Alerts action**: add the Microsoft Graph API Security connector's List Alerts action to retrieve alerts.
4. **Configure the time window**: add a transform block to calculate the ingestion window (e.g., current time minus 10 minutes) and pass it as an OData filter to the alert query.
5. **Build processing logic**: add playbook steps to extract observables, create records, and handle any custom normalization.

### Authentication

The connector supports two authentication methods.

**OAuth 2.0 client credentials (service to service)**

| Field | Required | Description |
|---|---|---|
| URL | Yes | Base URL of the Microsoft Graph API (default `https://graph.microsoft.com`) |
| Client ID | Yes | OAuth 2.0 client ID registered in Azure AD |
| Client Secret | Yes | OAuth 2.0 client secret |
| Token URL | Yes | Token endpoint: `https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token` |
| Scope | Yes | Permission scopes for the action |

**Delegated flow (user based)**

| Field | Required | Description |
|---|---|---|
| URL | Yes | Base URL of the Microsoft Graph API (default `https://graph.microsoft.com`) |
| Login URL | Yes | Login URL (default `https://login.microsoftonline.com`) |
| Tenant ID | Yes | Microsoft tenant ID |
| `oauth_un` | Yes | Microsoft Graph username |
| `oauth_pwd` | Yes | Microsoft Graph password |
| `oauth_cl_id` | Yes | Microsoft Graph client ID |
| `oauth_cl_secret` | Yes | Microsoft Graph client secret |
| Scope | Yes | Permission scopes for the action |

**Required API permissions**

- `SecurityEvents.Read.All`: read all security alerts
- `SecurityEvents.ReadWrite.All`: read and write security events (if alert management is needed)

## Using the component

The Microsoft Graph Alert Ingestion component retrieves security alerts from the Microsoft Graph Security API, extracts IOCs from each alert using the Swimlane Utilities IOC parser, enriches alerts with the extracted observables, and ingests them into Swimlane via webhook. Use this approach when you want automated alert ingestion with built-in IOC extraction.

### What the component adds

- **Automatic IOC extraction**: uses the Swimlane Utilities IOC parser to identify domains, IP addresses, email addresses, URLs, and file hashes (MD5, SHA1, SHA256) from alert text and evidence.
- **Alert enrichment**: appends extracted observables to each alert before ingestion, so downstream playbooks have IOCs ready for correlation and response.
- **Webhook-based ingestion**: sends each enriched alert to a configured Swimlane webhook endpoint for flexible downstream processing.

### How it works

1. **Query alerts**: calls the Microsoft Graph Security API to retrieve alerts created or updated since the configured start time.
2. **Loop through alerts**: for each alert:
   - **Extract IOCs**: parses the alert description, title, and evidence text through the IOC parser to identify observables (domains, IPs, emails, URLs, hashes).
   - **Enrich alert**: appends the extracted observables array to the alert object.
   - **Post to webhook**: sends the enriched alert to the configured Swimlane webhook endpoint.
3. **Compile results**: aggregates all processed alerts with their observables into the output `alerts` array.

### Component setup

**Prerequisites**

- Azure AD application registration with Microsoft Graph Security API permissions (`SecurityEvents.Read.All`)
- The Microsoft Graph API connector installed from the Turbine marketplace
- The Microsoft Graph Alert Ingestion component imported from the marketplace
- A Swimlane webhook endpoint configured to receive alert payloads

**Steps**

1. **Create an asset**: in Turbine, create a new Microsoft Graph API asset with your OAuth 2.0 credentials (client credentials or delegated flow).
2. **Install the component**: import the Microsoft Graph Alert Ingestion component from the marketplace.
3. **Configure the component**: add the component to your playbook and assign the Microsoft Graph API asset.
4. **Set inputs**: provide the `start_time` (ISO 8601 timestamp for the ingestion window) and `organisation` (organization identifier).
5. **Configure the webhook**: ensure the webhook endpoint is configured to receive and process enriched alerts.
6. **Schedule the playbook**: set up a scheduled trigger (e.g., every 5 minutes) for continuous ingestion.

### Component inputs

| Parameter | Required | Description |
|---|---|---|
| `start_time` | Yes | ISO 8601 timestamp to retrieve alerts from (e.g., `2025-09-15T00:00:00Z`). Use a transform block to calculate it dynamically. |
| `organisation` | Yes | Organization identifier or name for scoping alert retrieval |

### Component outputs

| Field | Type | Description |
|---|---|---|
| `alerts` | array | Array of enriched alert objects, each containing TEDS-normalized alert data with extracted observables |

### Error handling

| Scenario | Behavior |
|---|---|
| Alert retrieval fails | Error logged, processing stops |
| IOC extraction fails for an alert | Alert continues processing without observables |
| Webhook POST fails | Error logged, processing continues with the next alert |
| Partial success | Returns successfully processed alerts even if some fail |

### Recommended configuration

| Scenario | Polling interval | Start time (lookback) |
|---|---|---|
| Standard deployment | Every 5 minutes | 10 minutes ago |
| High-volume environments | Every 2 minutes | 5 minutes ago |
| Initial backfill | One-time run | 24 hours ago |
| Testing | Manual trigger | 1 hour ago |

## TEDS output schema

Both the connector and the component produce alerts in this standardized format.

| TEDS field | Type | Description |
|---|---|---|
| `alert_uid` | string | Unique alert identifier from Microsoft Graph |
| `alert_title` | string | Alert display name |
| `alert_description` | string | Description of what was detected |
| `alert_severity` | string | `low`, `medium`, `high`, `critical` |
| `alert_provider` | string | Source product (e.g., `"AAD Identity Protection"`, `"Microsoft Defender for Endpoint"`) |
| `alert_organization` | string | Organization identifier |
| `alert_categories` | array | Alert category classifications (e.g., `["InitialAccess"]`) |
| `alert_created_timestamp` | string | ISO 8601 creation time |
| `alert_start_timestamp` | string | When the activity was first observed |
| `alert_end_timestamp` | string | When the activity was last observed |
| `alert_ingested_timestamp` | string | When the alert was ingested by Turbine |
| `alert_impacted_hostnames` | array | Affected endpoint hostnames |
| `alert_impacted_ip_addresses` | array | Affected endpoint IPs |
| `alert_impacted_usernames` | array | Affected user accounts |
| `alert_risk_score` | number | Risk score (if available) |
| `alert_permalink` | string | Direct link to the alert in the Microsoft security portal |
| `alert_rules` | array | Detection rules with `rule_id`, `rule_name`, `rule_description`, `rule_type` |
| `alert_mitre_attack_tactic_technique` | array | MITRE ATT&CK tactics and techniques |
| `observables` | array | Extracted IOCs: objects with `observable_type` and `observable_value` |
| `alert_originating_files` | array | File objects with name, hashes, and MIME type |
| `raw_alert` | object | Complete original alert from the Microsoft Graph API |

### Observable types

The IOC parser extracts the following observable types from alert content.

| Type | Example |
|---|---|
| `domain` | `malicious-site.com` |
| `ipv4_public` | `35.169.90.250` |
| `ipv6` | `2001:db8::1` |
| `email` | `user@contoso.com` |
| `url` | `https://phishing-site.com/login` |
| `md5` | `d41d8cd98f00b204e9800998ecf8427e` |
| `sha1` | `da39a3ee5e6b4b0d3255bfef95601890afd80709` |
| `sha256` | `e3b0c44298fc1c149afbf4c8996fb924` |

### Sample output

```json
{
  "alert_uid": "adba921ff0463beedb23c12bebb82225d013ca982c",
  "alert_title": "Unfamiliar sign-in properties",
  "alert_description": "The following properties of this sign-in are unfamiliar for the given user: ASN, browser, device, IP",
  "alert_severity": "low",
  "alert_provider": "AAD Identity Protection",
  "alert_categories": ["InitialAccess"],
  "alert_created_timestamp": "2025-09-15T15:30:17.213Z",
  "alert_start_timestamp": "2025-09-15T15:26:41.123Z",
  "alert_end_timestamp": "2025-09-15T15:26:41.123Z",
  "alert_ingested_timestamp": "2026-03-10T13:22:00.332Z",
  "alert_impacted_usernames": ["pov"],
  "alert_permalink": "https://security.microsoft.com/alerts/",
  "alert_rules": [
    {
      "rule_id": "unfamiliarLocation",
      "rule_name": "Unfamiliar sign-in properties",
      "rule_description": "InitialAccess / AzureADIdentityProtection",
      "rule_type": "AzureADIdentityProtection"
    }
  ],
  "alert_mitre_attack_tactic_technique": [
    { "tactics": [], "technique": {"uid": "T1078", "name": "unknown"} }
  ],
  "observables": [
    {"observable_type": "domain", "observable_value": "microsoft.graph.security"},
    {"observable_type": "ipv4_public", "observable_value": "35.169.90.250"},
    {"observable_type": "email", "observable_value": "pov@swimlaneintegrations.onmicrosoft.com"}
  ],
  "alert_originating_files": [],
  "raw_alert": {}
}
```

## Connector reference

For the full list of actions, input/output schemas, and authentication setup, see https://docs.swimlane.com/connectors/microsoft-graph-api-security.
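The connector workflow from "Using the connector" (ingestion window, OData filter, List Alerts query, client credentials token) written out in Python, as an added example that is not the connector's own implementation. It assumes the Graph v1.0 `/security/alerts` endpoint, `createdDateTime` as the filter field, and a `fetch_page` callable that the reader replaces with an authenticated HTTP GET; the sample pages are constructed so the paging loop runs offline.

```python
# Added example, not the Swimlane connector's own code: builds the ingestion window and
# OData filter for the List Alerts step, the paged alert query, and the client-credentials
# token request. Endpoint paths are the Graph v1.0 ones; the constructed pages below stand
# in for live responses so the paging loop can run offline.
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import quote, urlencode

GRAPH_BASE = "https://graph.microsoft.com"         # connector default URL
LOGIN_BASE = "https://login.microsoftonline.com"   # connector default login URL
ALERTS_PATH = "/v1.0/security/alerts"


def ingestion_window_start(lookback_minutes: int, now: Optional[datetime] = None) -> str:
    """ISO 8601 start of the window, i.e. 'current time minus N minutes'."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(minutes=lookback_minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_odata_filter(start_time: str, severities=None, status=None) -> str:
    """Compose $filter from the time window plus an optional severity set and status."""
    clauses = [f"createdDateTime ge {start_time}"]
    if severities:
        clauses.append("(" + " or ".join(f"severity eq '{s}'" for s in severities) + ")")
    if status:
        clauses.append(f"status eq '{status}'")
    return " and ".join(clauses)


def alerts_url(odata_filter: str, page_size: int = 100) -> str:
    """Full List Alerts URL; $-prefixed OData keys stay literal, spaces become %20."""
    params = {"$filter": odata_filter, "$top": page_size, "$orderby": "createdDateTime asc"}
    return f"{GRAPH_BASE}{ALERTS_PATH}?" + urlencode(params, safe="$", quote_via=quote)


def client_credentials_token_request(tenant_id: str, client_id: str, client_secret: str):
    """(token URL, form body) for the OAuth 2.0 client credentials grant. The v2.0 endpoint
    takes the .default scope here; SecurityEvents.Read.All is granted on the app registration."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{GRAPH_BASE}/.default"}
    return url, form


def collect_alerts(fetch_page, first_url: str, max_pages: int = 50) -> list:
    """Follow @odata.nextLink until the result set is exhausted. fetch_page(url) -> dict."""
    alerts, url, pages = [], first_url, 0
    while url and pages < max_pages:       # max_pages bounds a runaway backfill
        page = fetch_page(url)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return alerts


def next_window_start(alerts: list, fallback: str) -> str:
    """High-water mark for the next scheduled run: newest createdDateTime seen, else the
    previous start. Keep a small overlap anyway, since alerts are updated after creation."""
    stamps = [a["createdDateTime"] for a in alerts if a.get("createdDateTime")]
    return max(stamps) if stamps else fallback


# Constructed sample pages standing in for Graph responses (not real alert data).
_SAMPLE_PAGES = {
    "page1": {"value": [{"id": "a1", "createdDateTime": "2025-09-15T15:31:00Z", "severity": "high"},
                        {"id": "a2", "createdDateTime": "2025-09-15T15:35:00Z", "severity": "critical"}],
              "@odata.nextLink": "page2"},
    "page2": {"value": [{"id": "a3", "createdDateTime": "2025-09-15T15:38:00Z", "severity": "high"}]},
}
FIXED_NOW = datetime(2025, 9, 15, 15, 40, 17, tzinfo=timezone.utc)   # fixed clock for the demo


def demo() -> dict:
    start = ingestion_window_start(10, FIXED_NOW)
    odata = build_odata_filter(start, severities=["high", "critical"])
    # Live use: fetch_page = lambda u: requests.get(u, headers={"Authorization": f"Bearer {token}"}).json()
    alerts = collect_alerts(lambda u: _SAMPLE_PAGES[u], "page1")
    return {"start": start, "filter": odata, "url": alerts_url(odata),
            "alerts": alerts, "next_start": next_window_start(alerts, start)}


if __name__ == "__main__":
    print(demo())
```

The 10-minute lookback with a 5-minute schedule (the "standard deployment" row above) means consecutive runs overlap, so de-duplicate on `alert_uid` when creating records; `next_window_start` only narrows that overlap, it does not remove the need for it.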
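The component's per-alert loop from "Using the component" (extract IOCs, enrich, post to webhook) together with the behaviour in the error-handling table, as an added example. The IOC parser here is a small regex-based stand-in written for this guide, not the Swimlane Utilities IOC parser; the Graph field names (`hostStates`, `userStates`, `fileStates`, `vendorInformation`) are those of the v1.0 alert resource, while which TEDS field each maps to is this example's illustrative choice and not necessarily the component's. `ipv4_private` is an added type that the observable table above does not list, and the sample alerts and the webhook stub are constructed.

```python
# Added example (not the Swimlane component's or Swimlane Utilities' code): a small IOC
# parser, an illustrative Graph alert -> TEDS mapping, and the per-alert loop with the
# error-handling behaviour this guide describes. The field mapping is an assumption.
import ipaddress
import re
from typing import Callable

_URL = re.compile(r"\bhttps?://[^\s<>\"']+")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV6_CAND = re.compile(r"(?<![\w:])[0-9A-Fa-f:]{3,39}(?![\w:])")   # validated with ipaddress
_HASHES = [(k, re.compile(rf"\b[0-9a-fA-F]{{{n}}}\b")) for k, n in (("md5", 32), ("sha1", 40), ("sha256", 64))]


def extract_observables(text: str) -> list:
    """De-duplicated {observable_type, observable_value} objects in the guide's type order."""
    urls = [u.rstrip(".,;:)") for u in _URL.findall(text)]
    text = _URL.sub(" ", text)          # mask URLs so their host is not re-reported as a domain
    emails = [e.lower() for e in _EMAIL.findall(text)]
    text = _EMAIL.sub(" ", text)        # same for e-mail addresses
    found = [("domain", d.lower()) for d in _DOMAIN.findall(text)]
    for ip in _IPV4.findall(text):
        try:                            # ipv4_private is this example's addition to the guide's list
            found.append(("ipv4_public" if ipaddress.ip_address(ip).is_global else "ipv4_private", ip))
        except ValueError:              # 999.1.1.1 and similar
            pass
    for cand in _IPV6_CAND.findall(text):
        try:                            # clock times such as 15:30:17 raise ValueError here
            if cand.count(":") >= 2 and ipaddress.ip_address(cand).version == 6:
                found.append(("ipv6", cand.lower()))
        except ValueError:
            pass
    found += [("email", e) for e in emails] + [("url", u) for u in urls]
    found += [(kind, h.lower()) for kind, rx in _HASHES for h in rx.findall(text)]
    seen, out = set(), []
    for kind, value in found:
        if (kind, value) not in seen:
            seen.add((kind, value))
            out.append({"observable_type": kind, "observable_value": value})
    return out


def evidence_text(raw: dict) -> str:
    """Flatten structured evidence (hosts, users, file hashes) so the parser sees it too."""
    parts = [v for h in raw.get("hostStates") or []
             for v in (h.get("fqdn"), h.get("publicIpAddress"), h.get("privateIpAddress"))]
    parts += [u.get("userPrincipalName") for u in raw.get("userStates") or []]
    parts += [(f.get("fileHash") or {}).get("hashValue") for f in raw.get("fileStates") or []]
    return " ".join(p for p in parts if p)


def to_teds(raw: dict) -> dict:
    """Illustrative Graph v1.0 alert -> TEDS mapping (a subset of the schema above)."""
    hosts, users = raw.get("hostStates") or [], raw.get("userStates") or []
    return {"alert_uid": raw.get("id"), "alert_title": raw.get("title"),
            "alert_description": raw.get("description"), "alert_severity": raw.get("severity"),
            "alert_provider": (raw.get("vendorInformation") or {}).get("provider"),
            "alert_categories": [raw["category"]] if raw.get("category") else [],
            "alert_created_timestamp": raw.get("createdDateTime"),
            "alert_start_timestamp": raw.get("eventDateTime"),
            "alert_impacted_hostnames": [h["fqdn"] for h in hosts if h.get("fqdn")],
            "alert_impacted_usernames": [u["userPrincipalName"] for u in users if u.get("userPrincipalName")],
            "observables": [], "raw_alert": raw}


def process_alerts(raw_alerts: list, post_webhook: Callable[[dict], None], log=print) -> list:
    """Component loop: extract IOCs, enrich, POST; failures follow the error-handling table."""
    processed = []
    for raw in raw_alerts:
        alert = to_teds(raw)
        text = " ".join(filter(None, [raw.get("title"), raw.get("description"), evidence_text(raw)]))
        try:
            alert["observables"] = extract_observables(text)
        except Exception as exc:        # IOC extraction failed: alert continues without observables
            log(f"ioc extraction failed for {alert['alert_uid']}: {exc}")
        try:
            post_webhook(alert)
            processed.append(alert)     # partial success: only delivered alerts are returned
        except Exception as exc:        # webhook failed: log and continue with the next alert
            log(f"webhook post failed for {alert['alert_uid']}: {exc}")
    return processed


# Constructed sample alerts (not real Graph data); the webhook stub in demo() fails for "a3".
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Unfamiliar sign-in properties", "severity": "low", "category": "InitialAccess",
     "createdDateTime": "2025-09-15T15:30:17.213Z", "vendorInformation": {"provider": "AAD Identity Protection"},
     "description": "The following properties of this sign-in are unfamiliar for the given user: ASN, browser, device, IP 35.169.90.250.",
     "userStates": [{"userPrincipalName": "pov@swimlaneintegrations.onmicrosoft.com"}]},
    {"id": "a2", "title": "Suspicious file downloaded", "severity": "high",
     "description": "Payload fetched from https://phishing-site.com/login; C2 at malicious-site.com and 2001:db8::1",
     "hostStates": [{"fqdn": "ws01.contoso.local", "privateIpAddress": "10.1.2.3"}],
     "fileStates": [{"name": "payload.exe", "fileHash": {"hashType": "sha256",
                    "hashValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}]},
    {"id": "a3", "title": "Probe", "description": "no indicators here"},
]


def demo():
    delivered, log = [], []

    def webhook(alert):                 # stand-in for the HTTP POST to the Swimlane webhook
        if alert["alert_uid"] == "a3":
            raise RuntimeError("HTTP 503 (simulated)")
        delivered.append(alert)
    return process_alerts(SAMPLE_ALERTS, webhook, log=log.append), delivered, log
```

Two points worth noticing when you replace the stand-in parser with the real one: masking URLs and e-mail addresses before the domain pass is what keeps `phishing-site.com` from appearing twice (once as `url`, once as `domain`), and validating IPv6 candidates with `ipaddress` is what stops clock times in alert text from being reported as addresses.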