Merge pull request #4295 from batamig/graph-api

MDA Graph API

Author: v-dirichards

CloudAppSecurityDocs/discovered-apps-api-graph.md

@@ -0,0 +1,91 @@
+---
+title: Work with discovered apps via Graph API | Microsoft Defender for Cloud Apps
+description: Learn how to work with apps discovered by Microsoft Defender for Cloud Apps via Graph API.
+ms.topic: how-to #Don't change
+ms.date: 06/24/2024
+
+#customer intent: As a security engineer, I want to work with discovered apps via API so that I can customize and automate the Microsoft Defender for Cloud Apps **Discovered apps** page functionality.
+
+---
+
+# Work with discovered apps via Graph API (Preview)
+
+Microsoft Defender for Cloud Apps supports a Microsoft Graph API that you can use to work with discovered cloud apps, to customize and automate the **Discovered apps** page functionality in the Microsoft Defender portal.
+
+This article provides sample procedures for using the [uploadedStreams API](/graph/api/security-datadiscoveryreport-list-uploadedstreams?view=graph-rest-beta) for common purposes.
+
+## Prerequisites
+
+Before you start using the Graph API, make sure to create an app and get an access token to use the application. Then, use the token to access the Defender for Cloud Apps API.
+
+- Make sure to give the app permissions to access Defender for Cloud Apps, by granting it with `CloudApp-Discovery.Read.All` permissions and admin consent.
+
+- Take note of your app secret and copy its value to use later on in your scripts.
+
+You'll also need cloud app data streaming into Microsoft Defender for Cloud Apps.
+
+For more information, see:
+
+- [Manage admin access](manage-admins.md)
+- [Graph API authentication and authorization basics](/graph/auth/auth-concepts)
+- [Use the Microsoft Graph API](/graph/use-the-api)
+- [Set up Cloud Discovery](set-up-cloud-discovery.md)
+
+## Get data about discovered apps
+
+To get a high level summary of all the data available on your **Discovered apps** page, run the following GET command:
+
+```http
+GET https://graph.microsoft.com/beta/dataDiscovery/cloudAppDiscovery/uploadedStreams
+```
+
+To drill down to data for a specific stream:
+
+1. Copy the relevant `<streamID>` value from the previous command's output.
+1. Run the following GET command using the `<streamID>` value:
+
+    ```http
+    GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P90D')
+    ```
+
+## Filter for a specific time period and risk score
+
+Filter your API commands using `$select` and `$filter` to get data for a specific time period and risk score. For example, to view the names of all apps discovered in the last 30 days with a risk score lower or equal to 4, run:
+
+```http
+GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails (period=duration'P30D')?$filter=riskRating  le 4 &$select=displayName
+```
+
+## Get the userIdentifier of all users, devices, or IP addresses using a specific app
+
+Identify the users, devices, or IP addresses that are currently using a specific app, run one of the following commands:
+
+- **To return users**:
+
+    ```http
+    GET  https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails (period=duration'P30D')/ <id>/users  
+    ```
+
+- **To return IP addresses**:
+
+    ```http
+    GET  https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails (period=duration'P30D')/ <id>/ipAddress  
+    ```
+
+- **To return devices**:
+
+    ```http
+    GET  https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails (period=duration'P30D')/ <id>/name  
+    ```
+
+## Use filters to see apps by category
+
+Use filters to see apps of a specific category, such as apps that are categorized as *Marketing*, and are also not HIPPA compliant. For example, run:
+
+```http
+GET  https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<MDEstreamId>/aggregatedAppsDetails (period=duration 'P30D')?$filter= (appInfo/Hippa eq 'false') and category eq 'Marketing'  
+```
+
+## Related content
+
+For more information, see [Working with discovered apps](discovered-apps.md) and the [Microsoft Graph API reference](/graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta).

CloudAppSecurityDocs/release-notes.md

@@ -1,7 +1,7 @@
 ---
 title: What's new | Microsoft Defender for Cloud Apps
 description: This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Cloud Apps.
-ms.date: 06/16/2024
+ms.date: 11/19/2024
 ms.topic: overview
 ---
 
@@ -21,11 +21,21 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## November 2024
 
-### SaaS Security initative in Exposure Management
-[Microsoft Security Exposure Management](https://learn.microsoft.com/security-exposure-management/) offers a focused, metric-driven way of tracking exposure in specific security areas using security [initiatives](https://learn.microsoft.com/security-exposure-management/initiatives). The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations.
+### Defender for Cloud Apps support for Graph API (preview)
+
+Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on the **Discovered apps** page, such as applying filters to view specific data. The API supports [GET](/graph/use-the-api) capabilities only.
+
+For more information, see:
+
+- [Work with discovered apps via Graph API](discovered-apps-api-graph.md)
+- [Microsoft Graph API reference for Microsoft Defender for Cloud Apps](/graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta)
+
+### SaaS Security initiative in Exposure Management
+
+[Microsoft Security Exposure Management](/security-exposure-management/) offers a focused, metric-driven way of tracking exposure in specific security areas using security [initiatives](/security-exposure-management/initiatives). The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations.
 This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD
 
-For more information, see [SaaS security initiative](https://learn.microsoft.com/defender-cloud-apps/saas-security-initiative)![image](https://github.com/user-attachments/assets/356178e5-7b93-40e7-8210-e6d2e84d33b7)
+For more information, see [SaaS security initiative](saas-security-initiative.md).
 
 ### Visibility into app origin (Preview)
 
@@ -52,12 +62,13 @@ Defender for Cloud Apps users who use app governance can now get granular insigh
 For more information, see [OAuth app data usage insights on app governance](/defender-cloud-apps/app-governance-visibility-insights-view-apps#getting-detailed-information-on-an-app).
 
 ## October 2024
+
 ### Internal Session Controls application notice
  The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service.  
 Please ensure there is no CA policy restricting access to this application. 
 For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate.  
 
-For more information, see [Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps](https://learn.microsoft.com/defender-cloud-apps/session-policy-aad#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps).
+For more information, see [Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps](session-policy-aad.md#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps).
 
 ### New anomaly data in advanced hunting CloudAppEvents table
 
@@ -81,9 +92,8 @@ Using _OAuthAppId_ allows the queries that consider specific OAuth applications,
 
 For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
 
-## September 2024
-
 ### Enforce Edge in-browser when accessing business apps
+
 Administrators who understand the power of Edge in-browser protection, can now require their users to use Edge when accessing corporate resources. 
 
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
@@ -101,6 +111,7 @@ For more information, see:
 - [Connect apps to get visibility and control with Microsoft Defender for Cloud Apps](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md)
 - [Mural Help Center](https://support.mural.co/s/)
 
+
 ### Removing the ability to email end users about blocked actions
 
 Effective October 1st, 2024, we will discontinue the feature that notifies end users via email when their action is blocked by session policies.
@@ -113,7 +124,7 @@ Existing session policies with this setting will not trigger email notifications
 
 End users will continue to receive the block message directly through the browser and will stop receiving block notification via email.
 
-Screenshot of the notify end user by email option:
+For example:
 
 ![Screenshot of how to block notifying end user by email.](media/release-notes/notify-end-user-by-email.png)
 
@@ -146,9 +157,11 @@ For more information, see  [Configure custom URL for MDA block pages](mde-govern
 
 
 ### In-browser protection for macOS users and newly supported policies (Preview)
-Edge browser users from macOS, scoped to session policies, are now protected with in-browser protection.
+
+Edge browser users from macOS who are scoped to session policies are now protected with in-browser protection.
 
 The following session policies are now supported:
+
 - Block and Monitor upload of sensitive files
 - Block and Monitor paste
 - Block and Monitor of malware upload

CloudAppSecurityDocs/toc.yml

@@ -194,6 +194,8 @@ items:
       href: discovered-app-queries.md
     - name: Discover and manage shadow IT
       href: tutorial-shadow-it.md
+    - name: Work with discovered apps via API
+      href: discovered-apps-api-graph.md
 - name: Posture management (SSPM)
   items:
     - name: Overview
@@ -434,98 +436,102 @@ items:
     href: ops-guide/ops-guide-monthly.md
   - name: Ad-hoc activities
     href: ops-guide/ops-guide-ad-hoc.md
-- name: REST API
+- name: Reference
   items:
-  - name: Introduction
-    href: api-introduction.md
-  - name: Authentication
+  - name: Microsoft Graph API reference
+    href: /graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta
+  - name: REST API reference
     items:
-    - name: Managing API tokens
-      href: api-authentication.md
-    - name: Application context
-      href: api-authentication-application.md
-    - name: User context
-      href: api-authentication-user.md
-    - name: Legacy method
-      href: api-tokens-legacy.md
-  - name: Activities
-    items:
-    - name: Overview
-      href: api-activities.md
-    - name: Investigate activities with APIs
-      href: api-activities-investigate-script.md
-    - name: List activities
-      href: api-activities-list.md
-    - name: Fetch activity
-      href: api-activities-fetch.md
-    - name: Feedback on activity
-      href: api-activities-feedback.md
-    - name: Alerts
-      items:
-      - name: Overview
-        href: api-alerts.md
-      - name: List alerts
-        href: api-alerts-list.md
-      - name: Close benign
-        href: api-alerts-close-benign.md
-      - name: Close false positive
-        href: api-alerts-close-false-positive.md
-      - name: Close true positive
-        href: api-alerts-close-true-positive.md
-      - name: Fetch alert
-        href: api-alerts-fetch.md
-      - name: Mark alert as read
-        href: api-alerts-mark-read.md
-      - name: Mark alert as unread
-        href: api-alerts-mark-unread.md
-    - name: Cloud Discovery
-      items:
-      - name: Overview
-        href: api-discovery.md
-      - name: Initiate file upload
-        href: api-discovery-initiate.md
-      - name: Perform file upload
-        href: api-discovery-perform.md
-      - name: Finalize file upload
-        href: api-discovery-finalize.md
-      - name: List continuous reports
-        href: api-discovery-list-streams.md
-      - name: List continuous report categories
-        href: api-discovery-list-categories.md
-      - name: Generate block script
-        href: api-discovery-script.md
-    - name: Data Enrichment
-      items:
-      - name: Overview
-        href: api-data-enrichment.md
-      - name: Manage IP address ranges using the API
-        href: api-data-enrichment-manage-script.md
-      - name: List IP ranges
-        href: api-data-enrichment-list.md
-      - name: Create IP address range
-        href: api-data-enrichment-create.md
-      - name: Update IP address range
-        href: api-data-enrichment-update.md
-      - name: Delete IP address range
-        href: api-data-enrichment-delete.md
-    - name: Entities
+    - name: Introduction
+      href: api-introduction.md
+    - name: Authentication
       items:
-      - name: Overview
-        href: api-entities.md
-      - name: List entities
-        href: api-entities-list.md
-      - name: Fetch entity
-        href: api-entities-fetch.md
-      - name: Fetch entity tree
-        href: api-entities-fetch-tree.md
-    - name: Files
+      - name: Managing API tokens
+        href: api-authentication.md
+      - name: Application context
+        href: api-authentication-application.md
+      - name: User context
+        href: api-authentication-user.md
+      - name: Legacy method
+        href: api-tokens-legacy.md
+    - name: Activities
       items:
       - name: Overview
-        href: api-files.md
-      - name: List Files
-        href: api-files-list.md
-      - name: Fetch File
-        href: api-files-fetch.md
+        href: api-activities.md
+      - name: Investigate activities with APIs
+        href: api-activities-investigate-script.md
+      - name: List activities
+        href: api-activities-list.md
+      - name: Fetch activity
+        href: api-activities-fetch.md
+      - name: Feedback on activity
+        href: api-activities-feedback.md
+      - name: Alerts
+        items:
+        - name: Overview
+          href: api-alerts.md
+        - name: List alerts
+          href: api-alerts-list.md
+        - name: Close benign
+          href: api-alerts-close-benign.md
+        - name: Close false positive
+          href: api-alerts-close-false-positive.md
+        - name: Close true positive
+          href: api-alerts-close-true-positive.md
+        - name: Fetch alert
+          href: api-alerts-fetch.md
+        - name: Mark alert as read
+          href: api-alerts-mark-read.md
+        - name: Mark alert as unread
+          href: api-alerts-mark-unread.md
+      - name: Cloud Discovery
+        items:
+        - name: Overview
+          href: api-discovery.md
+        - name: Initiate file upload
+          href: api-discovery-initiate.md
+        - name: Perform file upload
+          href: api-discovery-perform.md
+        - name: Finalize file upload
+          href: api-discovery-finalize.md
+        - name: List continuous reports
+          href: api-discovery-list-streams.md
+        - name: List continuous report categories
+          href: api-discovery-list-categories.md
+        - name: Generate block script
+          href: api-discovery-script.md
+      - name: Data Enrichment
+        items:
+        - name: Overview
+          href: api-data-enrichment.md
+        - name: Manage IP address ranges using the API
+          href: api-data-enrichment-manage-script.md
+        - name: List IP ranges
+          href: api-data-enrichment-list.md
+        - name: Create IP address range
+          href: api-data-enrichment-create.md
+        - name: Update IP address range
+          href: api-data-enrichment-update.md
+        - name: Delete IP address range
+          href: api-data-enrichment-delete.md
+      - name: Entities
+        items:
+        - name: Overview
+          href: api-entities.md
+        - name: List entities
+          href: api-entities-list.md
+        - name: Fetch entity
+          href: api-entities-fetch.md
+        - name: Fetch entity tree
+          href: api-entities-fetch-tree.md
+      - name: Files
+        items:
+        - name: Overview
+          href: api-files.md
+        - name: List Files
+          href: api-files-list.md
+        - name: Fetch File
+          href: api-files-fetch.md
 - name: Resources
   items:
   - name: Licensing datasheet