Microsoft Graph Security

#312 most-used

Unified security intelligence across every Microsoft product


Microsoft Graph Security is the single API surface that connects alerts, incidents, threat intelligence, and Secure Score data from Microsoft Defender, Sentinel, Entra, Purview, and Intune into one coherent picture. Once connected, your agent monitors your tenant's security posture in real time — triaging alerts, updating incident records, running Advanced Hunting queries, and tracking Secure Score control progress without a human touching the portal. Every security event becomes an automated workflow trigger instead of a manual queue.

Average time saved
11 hours
per person · per month
≈ 1 workday back

Eliminates manual work: the cycle of logging into the Defender and Sentinel portals, cross-referencing alerts, updating incident records, and assembling posture reports — tasks that consume security team hours every week.

Schedule

What your Microsoft Graph Security agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs · 7 agents at work · 24/7 always on
Multi-app workflows

Microsoft Graph Security × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows · 9 apps spanned · ~32 hrs saved / week · 6 personas served
For customer success
Featured · 4 apps

Alert to resolution in under 60 seconds

When a customer security report arrives by email, your agent reads the alert details from Microsoft Graph Security, immediately updates the alert status and assigns it to the right analyst — then posts a structured incident thread in Slack and books the response call on Google Calendar. The entire triage chain that used to take a CSM 45 minutes of portal-hopping is done before the customer finishes their coffee.

~9 hrs

Time saved for your team — every week, on autopilot

The flow
Trigger: When a customer emails a suspected security breach or phishing report
Result:
  • Update security alert — assign analyst and set status to InProgress
  • Post structured incident thread with alert detail and analyst assignment
  • Book response call between analyst and customer contact
The win
Saved per run
45 min
Runs / week
~12×
Customer sees action in under a minute
Driven by: Customer Support Agent
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    19 min / week
    Manual posture PDF prep

    AE pulls Secure Score screenshots and drafts a security summary PDF before every enterprise security review call.

    Sales Agent
    0 min
    Auto-generate posture brief

    Agent fetches live Secure Score and open alerts, then generates a structured trust brief posted to Slack before the call.

  • Marketing
    14 min / week
    Manual trust centre update

    Marketing manager manually updates the public trust centre page with the latest Secure Score after each quarterly review.

    Marketing Agent
    0 min
    Auto-refresh trust badge

    Agent reads live Secure Score and updates the trust centre page automatically whenever the score changes by more than 3 points.

  • Customer Support
    19 min / week
    Portal alert triage

    CSM checks the Defender portal after every security-related customer email to find and read the relevant alert.

    Customer Support Agent
    0 min
    Instant alert briefing on email

    Agent detects the customer email, fetches the matching alert, and posts a structured triage card in Slack before the CSM has finished reading the email.

  • Human Resources
    8 min / week
    Manual access review log

    HR analyst manually logs which employee accounts had security alerts in the past 30 days for quarterly access reviews.

    Human Resources Agent
    0 min
    Auto-compile access alert log

    Agent runs an Advanced Hunting query for employee accounts with recent alerts and writes the results to the access review spreadsheet automatically.

  • Finance
    14 min / week
    Quarterly posture export

    Finance analyst logs into the Defender portal and exports Secure Score history manually before every compliance report.

    Finance Agent
    0 min
    Auto-generate compliance export

    Agent pulls the full 90-day Secure Score series and exports a formatted compliance table to the board report document automatically.

  • Operations
    30 min / week
    Manual incident status sync

    Ops engineer manually reads open incidents in Defender and copies status updates into the operations tracking sheet each morning.

    Operations Agent
    0 min
    Auto-sync incident status

    Agent lists all active incidents each morning, updates their status in the ops sheet, and highlights any SLA breaches in the daily standup post.

  • Legal
    6 min / week
    Breach notification timeline

    Legal counsel manually checks incident creation timestamps and calculates regulatory notification deadlines for each new incident.

    Legal Agent
    0 min
    Auto-calculate breach deadlines

    Agent reads new incident creation time, calculates the regulatory notification deadline, and adds a calendar reminder for legal counsel automatically.

+ 100s of other Microsoft Graph Security automations
Average monthly
11 hrs / person / month
Calculator

Calculate what your team saves

Team size: 10 people
Hourly rate: $20 / hr
Hours saved / week: 28
Hours saved / year: 1,400
Annual ROI: $28,000

Based on Microsoft Graph Security's typical team usage — the visible tasks plus a few other automations the agent runs: ~2.8 hrs / person / week of admin work automated.

Connect

How to plug Microsoft Graph Security into Actionist

Pick the connection method that suits your environment.

The Microsoft Graph Security MCP server gives your agent direct access to alerts, incidents, Secure Score, and Advanced Hunting through a single authorised connection — no API plumbing needed on your side.

1
Open the Apps tab

Find Microsoft Graph Security in the Apps library and click Connect. MCP is selected by default.

2
Authorise in Microsoft Graph Security

Sign in with your Microsoft 365 organisational account. Actionist requests the minimum required Graph Security API permissions (SecurityAlert.Read.All, SecurityIncident.ReadWrite.All, SecureScore.Read.All) — you'll see the exact scopes listed before you approve.

3
Test the connection

Actionist runs a read-only call to verify the handshake. You're ready.

Actions

15 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

7 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

Skills

Skills that pair with Microsoft Graph Security

Reusable agent skills that work well alongside this app.

LinkedIn

LinkedIn API integration with managed OAuth. Share posts, manage profile, run ads, and access LinkedIn features. Use this skill when users want to share cont...

Microsoft Excel

Microsoft Excel API integration with managed OAuth. Read and write Excel workbooks, worksheets, ranges, tables, and charts stored in OneDrive. Use this skill when users want to read or modify Excel spreadsheets, manage worksheet data, work with tables, or access cell values. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

Microsoft To Do

Microsoft To Do API integration with managed OAuth. Manage task lists, tasks, checklist items, and linked resources. Use this skill when users want to create, read, update, or delete tasks and task lists in Microsoft To Do. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway). Requires network access and valid Maton API key.

MCP servers

MCP servers that work with Microsoft Graph Security

Connect Actionist to MCP servers built for or around this app.

Microsoft Learn MCP
Official

Official Microsoft Learn MCP Server – real-time, trusted docs & code samples for AI and LLMs.

FAQs

Questions about Microsoft Graph Security + Actionist

How do I connect Microsoft Graph Security to Actionist?
Open the Apps tab, find Microsoft Graph Security, and click Connect. Select MCP (recommended) to authenticate with your Microsoft 365 organisational account. Actionist requests exactly the Graph Security API permissions it needs — SecurityAlert.Read.All, SecurityIncident.ReadWrite.All, SecureScore.Read.All — and you approve the scopes in the Microsoft consent screen. The connection is live in under two minutes.
What Microsoft 365 permissions does Actionist need?
For read-only security monitoring your agent needs SecurityAlert.Read.All, SecurityIncident.Read.All, and SecureScore.Read.All. Add SecurityAlert.ReadWrite.All and SecurityIncident.ReadWrite.All to let the agent update alert status, assign analysts, and close incidents. Advanced Hunting requires ThreatHunting.Read.All. Actionist requests only the scopes you approve — you can grant read-only first and expand later.
Which Microsoft security products does this connection cover?
Microsoft Graph Security is a unified API layer, so your agent gains visibility across Microsoft Defender for Endpoint, Defender for Office 365, Microsoft Sentinel, Microsoft Entra (Azure AD) Identity Protection, Microsoft Purview, and Microsoft Intune — all through the same connection. You don't need separate credentials for each product; the Graph Security API aggregates alerts and incidents from every connected Microsoft security service in your tenant.
Can my agent update alert and incident records, or only read them?
Yes — with write permissions granted, your agent can update alert status (Active, InProgress, Resolved), assign alerts and incidents to specific analysts, set classification and determination (TruePositive, FalsePositive, BenignPositive), add custom tags, and modify incident severity. Update permissions are separate from read permissions, so you can start read-only and add write access when you're ready to automate response actions.
How does Advanced Hunting work with my agent?
Your agent can execute KQL queries against Microsoft Defender's Advanced Hunting dataset, which covers up to 30 days of raw telemetry including device events, network connections, file activity, and sign-in records. Write the KQL in your workflow, pass it to the Run advanced hunting query action, and the agent returns matching rows as structured JSON your workflow can act on — for example, creating incidents for every hit or posting results to Slack.
How often can my agent poll for new alerts or incidents?
Microsoft Graph Security API rate limits are generous for automation use cases — up to 150 requests per minute per app. For near-real-time monitoring, your agent can poll for new alerts every minute without hitting limits. For Advanced Hunting queries, which are more resource-intensive, Microsoft recommends no more than 10 concurrent queries per tenant. Actionist manages retries with exponential backoff automatically if a transient rate limit is hit.
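The two answers above describe the client discipline an agent needs when it polls Graph Security and runs hunting queries: bounded request attempts, exponential backoff, and honouring the throttling response rather than hammering the tenant. The following is an added example written for this page, not Actionist's code or a Microsoft SDK. It assumes an injected transport function (so it runs offline against canned responses), a placeholder bearer token, and the documented Graph v1.0 `POST /security/runHuntingQuery` request body (`{"Query": ...}`) and response shape (`schema` plus `results`). The sample hunting rows and the throttled responses are constructed for the demo.

```python
"""Added example: retry-with-backoff wrapper for Microsoft Graph Security calls,
plus a parser for runHuntingQuery results. Not the product's own code."""
import json
import random
import time
from dataclasses import dataclass
from typing import Callable, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Transport signature: (method, url, headers, body) -> Response. Injected so the
# example runs without network; a real caller would wrap requests/httpx here.
Transport = Callable[[str, str, dict, Optional[str]], Response]


class RateLimited(Exception):
    """Raised when the request budget is exhausted on throttling responses."""


def graph_request(transport: Transport, method: str, path: str, token: str,
                  body=None, max_attempts: int = 5,
                  sleep=time.sleep, rng=random.random) -> Response:
    """Issue one Graph call, retrying only on 429/503. If Graph sends Retry-After
    (seconds) we wait exactly that long; otherwise exponential backoff with jitter,
    capped at 60 s. Any other status is returned to the caller to decide on."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    payload = None
    if body is not None:
        payload = json.dumps(body)
        headers["Content-Type"] = "application/json"
    for attempt in range(max_attempts):
        resp = transport(method, GRAPH_BASE + path, headers, payload)
        if resp.status not in (429, 503):
            return resp
        retry_after = resp.headers.get("Retry-After")
        delay = float(retry_after) if retry_after is not None \
            else min(60.0, (2 ** attempt) + rng())  # 1-2 s, 2-3 s, 4-5 s, ...
        sleep(delay)
    raise RateLimited(f"gave up after {max_attempts} attempts on {method} {path}")


def parse_hunting_response(body: str) -> list:
    """runHuntingQuery returns {"schema": [{"name", "type"}, ...], "results": [...]}.
    Key each row by the schema's column names so callers never depend on order."""
    data = json.loads(body)
    columns = [c["name"] for c in data.get("schema", [])]
    return [{c: row.get(c) for c in columns} for row in data.get("results", [])]


def run_hunting_query(transport: Transport, token: str, kql: str, **kw) -> list:
    resp = graph_request(transport, "POST", "/security/runHuntingQuery", token,
                         {"Query": kql}, **kw)
    if resp.status != 200:
        raise RuntimeError(f"hunting query failed with HTTP {resp.status}")
    return parse_hunting_response(resp.body)


# ---- constructed offline fixtures ------------------------------------------
SAMPLE_HUNTING_BODY = json.dumps({
    "schema": [{"name": "Timestamp", "type": "DateTime"},
               {"name": "DeviceName", "type": "String"},
               {"name": "AccountName", "type": "String"}],
    "results": [  # constructed sample rows, not real telemetry
        {"Timestamp": "2024-01-01T08:00:00Z", "DeviceName": "ws-01.example.test", "AccountName": "alice"},
        {"Timestamp": "2024-01-01T08:05:00Z", "DeviceName": "ws-02.example.test", "AccountName": "bob"},
    ],
})


def fake_transport(responses: list):
    """Constructed transport: returns canned responses in order, records calls."""
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url, body))
        return responses.pop(0)
    return transport, calls


def demo():
    """Two throttles (one with Retry-After, one without) followed by a 200."""
    transport, calls = fake_transport([
        Response(429, {"Retry-After": "2"}, ""),
        Response(429, {}, ""),
        Response(200, {"Content-Type": "application/json"}, SAMPLE_HUNTING_BODY),
    ])
    sleeps = []
    rows = run_hunting_query(transport, "PLACEHOLDER_TOKEN",  # placeholder, not a real token
                             "DeviceLogonEvents | take 2",
                             sleep=sleeps.append, rng=lambda: 0.0)
    return rows, sleeps, calls


def demo_exhausted() -> bool:
    """Sustained throttling must surface as an error, not an infinite loop."""
    transport, _ = fake_transport([Response(429, {}, "")] * 5)
    try:
        graph_request(transport, "GET", "/security/alerts_v2", "PLACEHOLDER_TOKEN",
                      sleep=lambda s: None, rng=lambda: 0.0)
    except RateLimited:
        return True
    return False


if __name__ == "__main__":
    rows, sleeps, _ = demo()
    print(rows, sleeps, demo_exhausted())
```

Keying rows by the schema names matters because a KQL `project` change reorders columns silently; the retry loop keeps a hard attempt ceiling so a throttled tenant produces an alert in the agent's own logs rather than an ever-growing queue of retries.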
Does this work with both Microsoft 365 E5 and lower-tier licences?
Core alert and incident APIs are available with Microsoft 365 E3 or Microsoft Defender Plan 1 licensing. Secure Score and Secure Score control profiles require Microsoft 365 E3 or higher. Advanced Hunting (KQL queries) requires Microsoft Defender for Endpoint Plan 2 or Microsoft 365 E5. Your agent will surface only the data your tenant licence grants access to — any out-of-scope calls return a permission error rather than silently failing.
Can I disconnect or revoke Actionist's access to Microsoft Graph Security?
Yes. Open the Apps tab, find Microsoft Graph Security, and click Disconnect. Your agent immediately loses API access. You can also revoke consent directly in the Microsoft Entra admin centre under Enterprise Applications — find the Actionist app registration and delete the granted permissions. Either method fully revokes access; no data is retained by Actionist after disconnection.