FlowRunner
Pricing
Theme

Microsoft Graph Security

Identity & Security

Connect AI agents to the Microsoft Graph Security API across Microsoft Defender and Sentinel. Agents triage alerts and incidents, track Microsoft Secure Score posture, and manage threat intelligence indicators.

14 actions available
A scheduled poll runs List Incidents for high-severity active incidents
Agent reads the incident's grouped alerts and evidence
Agent correlates the alerts and gathers context from related systems
Update Alert to set status and assign an owner for each grouped alert
Agent confirms the incident state reflects the triage
The security operations channel receives the incident summary
Analyst records the classification and determination that closes or escalates it

What This Integration Enables

Agents triage security alerts and incidents automatically by setting status, assigning an owner, and recording classification and determination, correlate and resolve incidents that group related alerts into a single case, track the tenant's Microsoft Secure Score over time and manage the review state of individual controls, and push threat intelligence indicators (URLs, domains, IPs, file hashes) into Microsoft security products for allow, block, or alert actions. Alerts use the alerts_v2 collection with a legacy alerts collection available separately; incidents can expand their related alerts inline; and Secure Score exposes daily posture snapshots plus the per-control definitions whose review state can be updated. The connector covers the alert, incident, Secure Score, and threat-intelligence surface; the surrounding flow decides which triage steps run automatically and where an analyst records the determination that carries consequence.

Without FlowRunner

Alert noise Alerts pile up across Defender and Sentinel with no consistent first-pass triage
Manual assignment Setting status and assigning an owner is done one alert at a time in the portal
Posture blind spots Secure Score is checked occasionally, so posture regressions go unnoticed

With FlowRunner

Pre-triaged alerts Update Alert sets status, owner, classification, and determination as a flow step
Incident correlation Incidents that group related alerts are read and updated as a single case
Tracked posture List Secure Scores records the current and maximum score on a routine to show the trend

Use Case Scenarios

Incident triage and alerting

On a schedule, the agent calls List Incidents to find high-severity active incidents, reads the grouped alerts, and updates each alert's status and owner. It posts the incident summary to the security operations channel with [Slack](/integrations/slack) so the on-call analyst sees a correlated case instead of a stream of individual alerts. The determination that resolves the incident stays with the analyst.

Owner notification after triage

After the agent triages an alert with Update Alert, it notifies the assigned owner with the alert details through [Outlook](/integrations/outlook). The owner gets the context they need to act without digging through the portal, and the handoff is recorded as a flow step.

Secure Score posture tracking

On a routine, the agent calls List Secure Scores to read the current and maximum score, then records the numbers to a tracking destination so the team can watch the posture trend over time. A regression, like a control that slipped after a configuration change, surfaces as a movement in the trend rather than a surprise at the next assessment.

Human-in-Loop Highlight

Recording an alert's classification and determination, and pushing a block indicator, are the decisions that carry weight and belong to an analyst. The agent does the first pass on its own: it correlates the incident's alerts, sets provisional status, and assigns an owner. Before it records a final determination or creates a blocking threat-intelligence indicator, it pauses and asks the analyst through Slack: "Incident [id] groups [count] alerts, severity [level]. Proposed determination [value]. Confirm the classification and determination, or reassign for deeper review?" The analyst decides. The agent handles the correlation and assignment; the person owns the determination that closes the case or blocks the indicator.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via Slack
Human decides
Agent resumes with decision

Agent Capabilities

14 actions

Alerts

4
  • List Alerts Lists security alerts (alerts_v2) detected across Microsoft Defender and Sentinel.
  • Get Alert Reads a single alert with its evidence collection.
  • Update Alert Triages an alert by setting status, assigning an owner, and recording classification and determination.
  • List Legacy Alerts Lists alerts from the legacy alerts collection for older integrations.

Incidents

3
  • List Incidents Lists incidents that group related alerts into a single case.
  • Get Incident Reads an incident, optionally expanding its related alerts inline.
  • Update Incident Updates an incident's status, assignment, classification, determination, or tags.

Secure Score

4
  • List Secure Scores Lists daily snapshots of the tenant's Microsoft Secure Score posture.
  • Get Secure Score Reads a single Secure Score snapshot.
  • List Secure Score Control Profiles Lists the per-control definitions behind the Secure Score.
  • Update Secure Score Control Profile Updates the review state of a Secure Score control.

Threat Intelligence

3
  • List Threat Intelligence Indicators Lists threat intelligence indicators submitted to Microsoft security products.
  • Create Threat Intelligence Indicator Submits an observable (URL, domain, IP, or file hash) to drive allow, block, or alert actions. Blocking indicators are typically human-gated.
  • Delete Threat Intelligence Indicator Removes a threat intelligence indicator.

Start building with Microsoft Graph Security

$100 in credits. No card required. Connect in minutes.