azure-sentinel azure-security azure-alerts azure-information-protection

How to retrieve information on users and applications vulnerable to risk with API?


We are currently integrating Microsoft Security Insights into our application to strengthen security monitoring capabilities. For the alerts list report, we found this API: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2024-03-01&tabs=HTTP

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts?api-version=2024-03-01

Our focus is to expand this functionality to include detailed reports on users and applications vulnerable to security risks. Could someone help us with any available APIs or methods within Microsoft Security Insights or any other that can generate such reports?

PFB:

[image: GUI_with_info]


Solution

  • You can make use of the Microsoft Graph beta API to retrieve information on users and applications vulnerable to risk. Note that you need to have a "Microsoft Entra ID P2" license to use the riskyUsers API.

    I have the below list of users vulnerable to risk in my Microsoft Entra ID tenant:

    [image]

    To get this risky users information, I ran the below API request in Graph Explorer, signing in as a user with the "Global Reader" role:

    GET https://graph.microsoft.com/beta/identityProtection/riskyUsers?$filter=riskLevel eq microsoft.graph.riskLevel'medium'
    

    Response:

    [image]

    Similarly, I have the below application vulnerable to risk, which can be found in the "Risky workload identities" tab:

    [image]

    To get information regarding risky applications, make use of the below API call:

    GET https://graph.microsoft.com/beta/identityProtection/riskyServicePrincipals
    

    Response:

    [image]

    References:

    List riskyUsers - Microsoft Graph beta

    List riskyServicePrincipals - Microsoft Graph beta
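
The two Graph calls from the answer above, scripted with paging so that a report covers every record rather than only the first page. This is an added example, not part of the original answer. It assumes an access token has already been obtained and is supplied through a `GRAPH_TOKEN` environment variable (a name chosen here); the helper names are also this example's own.

```python
import json, os
import urllib.parse, urllib.request

# Endpoints from the answer above; national clouds use a different Graph host.
GRAPH = "https://graph.microsoft.com/beta/identityProtection"
LEVELS = {"low", "medium", "high", "hidden", "none"}  # riskLevel values usable in $filter

def http_get(url, token):
    """One authenticated GET; returns the decoded JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_all(url, token, get=http_get):
    """Yield every item of a Graph collection, following @odata.nextLink paging."""
    while url:
        # Never forward the bearer token to a host other than Graph.
        if not url.startswith("https://graph.microsoft.com/"):
            raise ValueError(f"unexpected paging URL: {url}")
        page = get(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def risky_users(token, level="medium", get=http_get):
    if level not in LEVELS:  # keeps caller input out of the OData filter
        raise ValueError(f"invalid risk level: {level!r}")
    flt = urllib.parse.quote(f"riskLevel eq microsoft.graph.riskLevel'{level}'")
    return list(list_all(f"{GRAPH}/riskyUsers?$filter={flt}", token, get))

def risky_service_principals(token, get=http_get):
    return list(list_all(f"{GRAPH}/riskyServicePrincipals", token, get))

def summarize(items, name_key):
    """Reduce each record to (name, riskLevel, riskState) for a report row."""
    return [(i.get(name_key), i.get("riskLevel"), i.get("riskState")) for i in items]

if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]  # assumed env var holding a Graph access token
    for row in summarize(risky_users(token), "userPrincipalName"):
        print("user", *row)
    for row in summarize(risky_service_principals(token), "displayName"):
        print("app ", *row)
```

For app-only access, the token needs the `IdentityRiskyUser.Read.All` and `IdentityRiskyServicePrincipal.Read.All` Microsoft Graph permissions.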