Details
Content
Dependencies
Version History

Unified gateway to security insights - all from a unified Microsoft Graph Security API.

Microsoft Graph Security

This pack includes XSIAM content.

Use the Microsoft Graph integration to fetch and manage alerts from various Microsoft security sources, such as:

Azure ATP
Azure Security Center
Microsoft CAS
Azure Active Directory Identity Protection
Azure Sentinel
Microsoft Defender for Endpoint (ATP)

What does this pack do?

Unify and standardize alert tracking
Correlate security alerts to improve threat protection and response
Update alert tags, status, and assignments
Unlock security context to drive investigation
Automate security workflows and reporting
Get deep insights to train security solutions

Microsoft Graph Security

This pack includes XSIAM content.

Pay attention: Timestamp parsing is available for UTC timezone, using the yyyy-mm-ssTHH:MM:SS.3msZ format.

Use the Microsoft Graph integration to fetch and manage alerts from various Microsoft security sources, such as:

Microsoft 365 Defender unified alerts API
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Purview Data Loss Prevention (including any future new signals integrated into M365D).

What does this pack do?

This content XDM mappings are based on the Office 365 integration, in the Graph API section enable alertv2 Doc.
Unify and standardize alert tracking
Correlate security alerts to improve threat protection and response
Update alert tags, status, and assignments
Unlock security context to drive investigation
Automate security workflows and reporting
Get deep insights to train security solutions

Classifiers

Name	Description
Graph Security Alert

Incident Fields

Name	Description
Microsoft Graph Security Service Source
Microsoft Graph Security Alert Evidence
Microsoft Graph Security Recommended Action
Microsoft Graph Security Alert Determination
Microsoft Graph Security Id
Microsoft Graph Security Comment
Microsoft Graph Security Detector Id

Incident Types

Name	Description
Graph Security Alert

Integrations

Name	Description
Microsoft Graph Security	Unified gateway to security insights - all from a unified Microsoft Graph Security API.

Playbooks

Name	Description
Search And Delete Emails - Microsoft Graph Security	This playbook performs the following steps: Checks that the Microsoft Graph integration is available and active. Lists existing eDiscovery cases and finds the specified case, or creates it if missing. Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other). Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input. Runs an estimate statistics operation to count emails matching the query. Waits for the estimate operation to complete and checks whether any emails were found. Optionally previews the results (statistics summary or full export), based on the preview input. Purges the matching emails (Hard delete / Soft delete / manual analyst approval). Cleans up the eDiscovery search based on the cleanup input.

Name

Description

Search And Delete Emails - Microsoft Graph Security

This playbook performs the following steps:

Checks that the Microsoft Graph integration is available and active.
Lists existing eDiscovery cases and finds the specified case, or creates it if missing.
Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other).
Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input.
Runs an estimate statistics operation to count emails matching the query.
Waits for the estimate operation to complete and checks whether any emails were found.
Optionally previews the results (statistics summary or full export), based on the preview input.
Purges the matching emails (Hard delete / Soft delete / manual analyst approval).
Cleans up the eDiscovery search based on the cleanup input.

Classifiers

Name	Description
Graph Security Alert

Incident Fields

Name	Description
Microsoft Graph Security Service Source
Microsoft Graph Security Recommended Action
Microsoft Graph Security Id
Microsoft Graph Security Alert Determination
Microsoft Graph Security Detector Id
Microsoft Graph Security Alert Evidence
Microsoft Graph Security Comment

Incident Types

Name	Description
Graph Security Alert

Integrations

Name	Description
Microsoft Graph Security	Unified gateway to security insights - all from a unified Microsoft Graph Security API.

Modeling Rules

Name	Description
Microsoft Graph Security Modeling Rules

Parsing Rules

Name	Description
Microsoft Graph Security Parsing Rules

Playbooks

Name	Description
Search And Delete Emails - Microsoft Graph Security	This playbook performs the following steps: Checks that the Microsoft Graph integration is available and active. Lists existing eDiscovery cases and finds the specified case, or creates it if missing. Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other). Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input. Runs an estimate statistics operation to count emails matching the query. Waits for the estimate operation to complete and checks whether any emails were found. Optionally previews the results (statistics summary or full export), based on the preview input. Purges the matching emails (Hard delete / Soft delete / manual analyst approval). Cleans up the eDiscovery search based on the cleanup input.

Name

Description

Search And Delete Emails - Microsoft Graph Security

This playbook performs the following steps:

Checks that the Microsoft Graph integration is available and active.
Lists existing eDiscovery cases and finds the specified case, or creates it if missing.
Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other).
Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input.
Runs an estimate statistics operation to count emails matching the query.
Waits for the estimate operation to complete and checks whether any emails were found.
Optionally previews the results (statistics summary or full export), based on the preview input.
Purges the matching emails (Hard delete / Soft delete / manual analyst approval).
Cleans up the eDiscovery search based on the cleanup input.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (5)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

2.5.1 - 10004541 (June 9, 2026)

Integrations

Microsoft Graph Security

Updated the error message displayed when an invalid or malformed authorization code is provided during Authorization Code flow configuration.

Related pull requests:
- 44467

Download

2.5.0 - 9705440 (June 1, 2026)

Playbooks

New: Search And Delete Emails - Microsoft Graph Security

This playbook performs the following steps:

Checks that the Microsoft Graph integration is available and active.
Lists existing eDiscovery cases and finds the specified case, or creates it if missing.
Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other).
Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input.
Runs an estimate statistics operation to count emails matching the query.
Waits for the estimate operation to complete and checks whether any emails were found.
Optionally previews the results (statistics summary or full export), based on the preview input.
Purges the matching emails (Hard delete / Soft delete / manual analyst approval).
Cleans up the eDiscovery search based on the cleanup input.

Related pull requests:
- 44461

Download

2.4.1 - 9460622 (May 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 44412

Download

2.4.0 - 8937460 (May 12, 2026)

Integrations

Microsoft Graph Security

Removed support for the deprecated Legacy Alerts API. The Legacy Alerts API stopped returning data on April 10, 2026. The integration now exclusively uses the Alerts v2 API.
Removed the MS graph security alert API Version configuration parameter.
Removed the Fetch incidents of the given providers only configuration parameter (use Fetch incidents of the given service sources only instead).
Removed the Legacy Alerts-only command arguments from msg-update-alert: closed_date_time, comments, feedback, tags, vendor_information, provider_information.
Removed the fields_to_include argument from msg-get-alert-details.

Related pull requests:
- 44030

Download

2.3.6 - 8769861 (May 5, 2026)

Integrations

Microsoft Graph Security

Updated the Docker image to: demisto/crypto:1.0.0.8187750.

Related pull requests:
- 44123

Download

2.3.5 - 8515806 (April 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43940

Download

2.3.4 - 8479105 (April 26, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43941

Download

2.3.3 - 7827247 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43566

Download

2.3.2 - 7422049 (March 3, 2026)

Integrations

Microsoft Graph Security

Added support for severity and resolving_comment arguments in the msg-update-security-incident command.

Related pull requests:
- 43312
- 43329

Download

2.3.1 - 7364401 (February 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43309

Download

2.3.0 - 6936977 (January 29, 2026)

Integrations

Microsoft Graph Security

Added support for the msg-list-ediscovery-case-hold-policy command that gets a list of the ediscovery hold policy objects and their properties.
Added support for the msg-export-result-ediscovery-data command that exports results from an estimated ediscovery search.
Added support for the msg-create-ediscovery-case-hold-policy command that creates a new ediscovery hold policy object.
Added support for the msg-delete-ediscovery-case-hold-policy command that deletes an ediscovery hold policy object.
Added support for the msg-update-ediscovery-case-hold-policy command that updates the properties of an ediscovery hold policy object.
Added support for the msg-list-case-operation command that gets a list of the case operation objects and their properties.

Related pull requests:
- 42603

Download

2.2.43 - 6476854 (December 29, 2025)

Integrations

Microsoft Graph Security

⚠️ Important: Microsoft Graph Security Legacy Alerts Deprecation According to Microsoft documentation, the Legacy Alerts option will be fully deprecated on April 10, 2026.
- Impact: After this date, configuring this integration to use the "Legacy Alerts" option will stop returning data.
- Action Required: Users currently utilizing Legacy Alerts must migrate to the new Alerts v2 API option to ensure continued data ingestion.
Updated the Docker image to: demisto/crypto:1.0.0.6308375.

Related pull requests:
- 42424

Download

2.2.42 - 5923996 (November 19, 2025)

Integrations

Microsoft Graph Security

Added support for the following commands:
- msg-run-estimate-statistics
- msg-get-last-estimate-statistics-operation
Updated documentation for the msg-purge-ediscovery-data command.
Fixed an issue where the following commands failed with an exception::
- msg-auth-test
- msg-list-threat-assessment-requests

Related pull requests:
- 41798

Download

2.2.41 - 5902470 (November 17, 2025)

Integrations

Microsoft Graph Security

Added a new parameter Azure Cloud to support all of the following environments: Public, GCC, GCC-High, DoD, Germany, and China.

Related pull requests:
- 41656

Download

2.2.40 - 5698874 (November 2, 2025)

Integrations

Microsoft Graph Security

Documentation and metadata improvements.

Related pull requests:
- 41740

Download

2.2.39 - 5689147 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41690

Download

2.2.38 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.2.37 - 5538136 (October 23, 2025)

Integrations

Microsoft Graph Security

Fixed an issue where the msg-create-ediscovery-search command did not support the content_query argument.

Related pull requests:
- 41637

Download

2.2.36 - R5469292 (October 20, 2025)

Integrations

Microsoft Graph Security

Updated the Microsoft Graph integration to include the include-unknown-enum-members header when fetching incidents, ensuring that unknown enum values are correctly mapped to their respective service resources. The unknown enums can be mapped to the next service resources: microsoftDefenderForCloud, microsoftSentinel, and microsoftThreatIntelligence.

Related pull requests:
- 41527

Download

2.2.35 - R5326509 (October 9, 2025)

Integrations

Microsoft Graph Security

Fixed an issue where supplying multiple serviceSource values caused the query filter to break. The fix now uses the $in operator instead of combining $eq with AND.
Updated the Docker image to: demisto/crypto:1.0.0.4834757.

Related pull requests:
- 41257

Download

2.2.34 - 4512458 (August 13, 2025)

Integrations

Microsoft Graph Security

Added automatic retry mechanism for HTTP 503 (Service Unavailable) errors to enhance reliability when Microsoft Graph services are temporarily unavailable.

Related pull requests:
- 40846

Download

2.2.33 - 4431069 (August 5, 2025)

Integrations

Microsoft Graph Security

Fixed a bug in the request retry logic that caused all requests to fail with a type error.

Related pull requests:
- 40838

Download

2.2.32 - 4419577 (August 4, 2025)

Integrations

Microsoft Graph Security

Added automatic retry mechanism for HTTP 503 (Service Unavailable) errors to enhance reliability when Microsoft Graph services are temporarily unavailable.
Improved error messages to include specific Microsoft error codes when available, providing better visibility into the root cause of failures.

Related pull requests:
- 40769

Download

2.2.31 - 4121830 (July 10, 2025)

Incident Fields

Microsoft Graph Security Alert Determination
Documentation and metadata improvements.
Microsoft Graph Security Service Source
Documentation and metadata improvements.
Microsoft Graph Security Id
Documentation and metadata improvements.
Microsoft Graph Security Recommended Action
Documentation and metadata improvements.
Microsoft Graph Security Alert Evidence
Documentation and metadata improvements.
Microsoft Graph Security Detector Id
Documentation and metadata improvements.
Microsoft Graph Security Comment
Documentation and metadata improvements.

Incident Types

Graph Security Alert
Documentation and metadata improvements.

Mappers

Graph Security Alert

Documentation and metadata improvements.

Related pull requests:
- 40523

Download

2.2.30 - R4077103 (July 6, 2025)

Integrations

Microsoft Graph Security

Updated the Docker image to: demisto/crypto:1.0.0.3539024.

Related pull requests:
- 40309

Download

2.5.1 - 10004541 (June 9, 2026)

Integrations

Microsoft Graph Security

Updated the error message displayed when an invalid or malformed authorization code is provided during Authorization Code flow configuration.

Related pull requests:
- 44467

Download

2.5.0 - 9705440 (June 1, 2026)

Playbooks

New: Search And Delete Emails - Microsoft Graph Security

This playbook performs the following steps:

Checks that the Microsoft Graph integration is available and active.
Lists existing eDiscovery cases and finds the specified case, or creates it if missing.
Composes the KQL content query based on the mailbox scope (recipientsOnly, allTenantMailboxes, or other).
Creates a new eDiscovery search with the composed query, or reuses an existing search based on the force input.
Runs an estimate statistics operation to count emails matching the query.
Waits for the estimate operation to complete and checks whether any emails were found.
Optionally previews the results (statistics summary or full export), based on the preview input.
Purges the matching emails (Hard delete / Soft delete / manual analyst approval).
Cleans up the eDiscovery search based on the cleanup input.

Related pull requests:
- 44461

Download

2.4.1 - 9460622 (May 27, 2026)

Modeling Rules

Microsoft Graph Security Modeling Rules

Updated the Microsoft Graph Security Modeling Rules logic, added explicit extractions for the @odata.type object from the evidence field.

Related pull requests:
- 44412

Download

2.4.0 - 8937460 (May 12, 2026)

Integrations

Microsoft Graph Security

Removed support for the deprecated Legacy Alerts API. The Legacy Alerts API stopped returning data on April 10, 2026. The integration now exclusively uses the Alerts v2 API.
Removed the MS graph security alert API Version configuration parameter.
Removed the Fetch incidents of the given providers only configuration parameter (use Fetch incidents of the given service sources only instead).
Removed the Legacy Alerts-only command arguments from msg-update-alert: closed_date_time, comments, feedback, tags, vendor_information, provider_information.
Removed the fields_to_include argument from msg-get-alert-details.

Related pull requests:
- 44030

Download

2.3.6 - 8769861 (May 5, 2026)

Integrations

Microsoft Graph Security

Updated the Docker image to: demisto/crypto:1.0.0.8187750.

Related pull requests:
- 44123

Download

2.3.5 - 8542515 (April 28, 2026)

Modeling Rules

Microsoft Graph Security Modeling Rules

Documentation and metadata improvements.

Related pull requests:
- 43940

Download

2.3.4 - 8479105 (April 26, 2026)

Parsing Rules

Microsoft Graph Security Parsing Rules

Documentation and metadata improvements.

Related pull requests:
- 43941

Download

2.3.3 - 7827247 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43566

Download

2.3.2 - 7422049 (March 3, 2026)

Integrations

Microsoft Graph Security

Added support for severity and resolving_comment arguments in the msg-update-security-incident command.

Related pull requests:
- 43312
- 43329

Download

2.3.1 - 7364401 (February 27, 2026)

Modeling Rules

Microsoft Graph Security Modeling Rules

Updated the Microsoft Graph Security Modeling Rules logic, updating the filter to support the product API changes.

Related pull requests:
- 43309

Download

2.3.0 - 6936977 (January 29, 2026)

Integrations

Microsoft Graph Security

Added support for the msg-list-ediscovery-case-hold-policy command that gets a list of the ediscovery hold policy objects and their properties.
Added support for the msg-export-result-ediscovery-data command that exports results from an estimated ediscovery search.
Added support for the msg-create-ediscovery-case-hold-policy command that creates a new ediscovery hold policy object.
Added support for the msg-delete-ediscovery-case-hold-policy command that deletes an ediscovery hold policy object.
Added support for the msg-update-ediscovery-case-hold-policy command that updates the properties of an ediscovery hold policy object.
Added support for the msg-list-case-operation command that gets a list of the case operation objects and their properties.

Related pull requests:
- 42603

Download

2.2.43 - 6476854 (December 29, 2025)

Integrations

Microsoft Graph Security

⚠️ Important: Microsoft Graph Security Legacy Alerts Deprecation According to Microsoft documentation, the Legacy Alerts option will be fully deprecated on April 10, 2026.
- Impact: After this date, configuring this integration to use the "Legacy Alerts" option will stop returning data.
- Action Required: Users currently utilizing Legacy Alerts must migrate to the new Alerts v2 API option to ensure continued data ingestion.
Updated the Docker image to: demisto/crypto:1.0.0.6308375.

Related pull requests:
- 42424

Download

2.2.42 - 5923996 (November 19, 2025)

Integrations

Microsoft Graph Security

Added support for the following commands:
- msg-run-estimate-statistics
- msg-get-last-estimate-statistics-operation
Updated documentation for the msg-purge-ediscovery-data command.
Fixed an issue where the following commands failed with an exception::
- msg-auth-test
- msg-list-threat-assessment-requests

Related pull requests:
- 41798

Download

2.2.41 - 5902470 (November 17, 2025)

Integrations

Microsoft Graph Security

Added a new parameter Azure Cloud to support all of the following environments: Public, GCC, GCC-High, DoD, Germany, and China.

Related pull requests:
- 41656

Download

2.2.40 - 5698874 (November 2, 2025)

Integrations

Microsoft Graph Security

Documentation and metadata improvements.

Related pull requests:
- 41740

Download

2.2.39 - 5689147 (November 2, 2025)

Modeling Rules

Microsoft Graph Security Modeling Rules

Implemented structure changes for backend compatibility.

Related pull requests:
- 41690

Download

2.2.38 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.2.37 - 5538136 (October 23, 2025)

Integrations

Microsoft Graph Security

Fixed an issue where the msg-create-ediscovery-search command did not support the content_query argument.

Related pull requests:
- 41637

Download

2.2.36 - R5469292 (October 20, 2025)

Integrations

Microsoft Graph Security

Updated the Microsoft Graph integration to include the include-unknown-enum-members header when fetching incidents, ensuring that unknown enum values are correctly mapped to their respective service resources. The unknown enums can be mapped to the next service resources: microsoftDefenderForCloud, microsoftSentinel, and microsoftThreatIntelligence.

Related pull requests:
- 41527

Download

2.2.35 - R5326509 (October 9, 2025)

Integrations

Microsoft Graph Security

Fixed an issue where supplying multiple serviceSource values caused the query filter to break. The fix now uses the $in operator instead of combining $eq with AND.
Updated the Docker image to: demisto/crypto:1.0.0.4834757.

Related pull requests:
- 41257

Download

2.2.34 - 4524270 (August 14, 2025)

Integrations

Microsoft Graph Security

Added automatic retry mechanism for HTTP 503 (Service Unavailable) errors to enhance reliability when Microsoft Graph services are temporarily unavailable.

Related pull requests:
- 40846

Download

2.2.33 - 4431069 (August 5, 2025)

Integrations

Microsoft Graph Security

Fixed a bug in the request retry logic that caused all requests to fail with a type error.

Related pull requests:
- 40838

Download

2.2.32 - 4419577 (August 4, 2025)

Integrations

Microsoft Graph Security

Added automatic retry mechanism for HTTP 503 (Service Unavailable) errors to enhance reliability when Microsoft Graph services are temporarily unavailable.
Improved error messages to include specific Microsoft error codes when available, providing better visibility into the root cause of failures.

Related pull requests:
- 40769

Download

2.2.31 - 4118212 (July 9, 2025)

Incident Fields

Microsoft Graph Security Alert Determination
Documentation and metadata improvements.
Microsoft Graph Security Service Source
Documentation and metadata improvements.
Microsoft Graph Security Id
Documentation and metadata improvements.
Microsoft Graph Security Recommended Action
Documentation and metadata improvements.
Microsoft Graph Security Alert Evidence
Documentation and metadata improvements.
Microsoft Graph Security Detector Id
Documentation and metadata improvements.
Microsoft Graph Security Comment
Documentation and metadata improvements.

Incident Types

Graph Security Alert
Documentation and metadata improvements.

Mappers

Graph Security Alert

Documentation and metadata improvements.

Modeling Rules

Microsoft Graph Security Modeling Rules

Documentation and metadata improvements.

Parsing Rules

Microsoft Graph Security Parsing Rules

Documentation and metadata improvements.

Related pull requests:
- 40523

Download

2.2.30 - R4077103 (July 6, 2025)

Integrations

Microsoft Graph Security

Updated the Docker image to: demisto/crypto:1.0.0.3539024.

Related pull requests:
- 40309

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	August 25, 2020
Last Release	June 9, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.