Securing Modern Networks Through a Single Pane of Glass with DFLabs and Microsoft Security Graph


Securing Modern Networks with DFLabs and Microsoft Security Graph

Security Operations Centers (SOCs) are facing an uphill battle when trying to protect their organizations and their assets. Infrastructures are evolving into hybrid environments which require different tools and policies to keep them running efficiently and securely. Unfortunately, this only adds to the complexity of the security program needed to protect them.

The Problem

Today’s networked environments are more complex than ever before. With the addition of mobile devices and cloud computing technologies, environments now stretch far beyond the traditional bounds of a company’s on-premises presence. The complexity of these environments has dictated the need for greater security controls, which are handled by an even greater number of network and security products.

The increase in the tools and products needed to secure today’s environments has unfortunately begun to hinder the ability of security teams to carry out their job duties efficiently and effectively. Security Operations Centers are inundated with security alerts, and security professionals are experiencing burnout at alarming rates.

With an increasing number of cyberattacks and alerts impacting SOCs on a daily basis, managers are trying more than ever before to overcome these common challenges:

  • How can our organization ensure it is closely monitoring all areas of our networks?

  • How can we effectively utilize our network and security tools to keep our assets protected?

  • How can we overcome alert fatigue and protect our security teams from becoming burnt out?

The DFLabs and Microsoft Security Graph Solution

The DFLabs and Microsoft Graph Security solution provides organizations with a streamlined response to securing today’s most complex environments. Microsoft Graph Security provides organizations with a single tool to monitor the numerous services and areas which make up a modern network. These services and areas can sometimes go unchecked, giving an attacker the perfect foothold into an organization’s environment.

By combining Microsoft Graph Security with DFLabs’ IncMan SOAR platform, organizations can take their security one step further by automating response activities through utilization of their entire security and network stack. This provides security teams with the ability to have boots on the ground immediately following a potential incident, and removes the chance an adversary has to remain persistent within a network.

About Microsoft Security Graph

Microsoft Graph Security is an API used to connect Microsoft security products, services, and partners to streamline security operations and improve threat protection, detection, and response capabilities. The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface to connect multiple Microsoft Graph Security providers (also called security providers or providers). Requests to the Microsoft Graph Security API are federated to all applicable security providers.

Use Case

Now let’s look at a simple use case in action.

An alert is received from Microsoft Defender Advanced Threat Protection (ATP) indicating that a suspicious file has been downloaded to a machine in the marketing department. IncMan SOAR receives the alert and automatically executes its R3 Rapid Response Runbook for suspicious file downloads from Microsoft Graph Security.

Alert information such as source, destination, and file hash is gathered from Graph Security. The file hash is checked against a reputation service to determine whether the file is malicious. If the first service finds it to be benign, it is checked again against another service for verification. If both services find it to be benign, the R3 Rapid Response Runbook will update the alert in Graph Security to indicate that it was a false positive and exit without notifying the security team.

However, if either reputation service finds that the file is malicious in nature, IncMan will issue a query to Microsoft Graph Security to gather any additional hosts which may have interacted with the suspicious file in the last 30 days. If additional hosts were observed, the R3 Rapid Response Runbook will parse out these additional hosts, add them to the incident as artifacts, and upgrade the priority to high. Once the incident is updated, a new ticket will be opened for the security team in the organization’s ticketing system and the alert will be updated in Graph Security indicating that the incident was on target.

If no additional hosts are found to have interacted with the suspicious file, the affected host information will be pulled from the Graph Security alert and passed to the organization’s Endpoint Detection system to quarantine the host. Once the host is quarantined, a new ticket will be created in the organization’s ticketing system for the security team and the alert is updated in Graph Security before the runbook exits.
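The decision flow of the use case above, written out as an added example (it is not DFLabs or Microsoft code). The function names, the action labels, the alert fields and the two callables standing in for the reputation and host-lookup integrations are all hypothetical; treating a failed or inconclusive reputation lookup the same as a malicious verdict is an assumption the article does not state.

```python
from dataclasses import dataclass, field


@dataclass
class Outcome:
    priority: str = "unchanged"
    artifacts: list = field(default_factory=list)   # additional hosts
    actions: list = field(default_factory=list)     # ordered response steps


def _verdict(service, file_hash):
    """Ask one reputation service; a failed lookup counts as 'unknown'."""
    try:
        return service(file_hash)
    except Exception:
        return "unknown"


def run_runbook(alert, reputation_services, hosts_seen_with_file, lookback_days=30):
    """Walk the suspicious-file-download flow for one alert.

    reputation_services: callables, hash -> "benign" | "malicious" | other
    hosts_seen_with_file: callable, (hash, days) -> iterable of host names
    Both are hypothetical stand-ins for the real integrations.
    """
    out = Outcome()
    file_hash = alert["file_hash"]

    # all() short-circuits, so the second service is only consulted when the
    # first says benign. Assumption: anything other than "benign" (including
    # a lookup failure) escalates, so an outage cannot close an alert.
    if all(_verdict(svc, file_hash) == "benign" for svc in reputation_services):
        out.actions.append("update_alert:false_positive")
        return out  # exits without notifying the security team

    seen = set(hosts_seen_with_file(file_hash, lookback_days))
    others = sorted(seen - {alert["host"]})  # hosts besides the original one
    if others:
        out.artifacts = others
        out.priority = "high"
        out.actions += ["add_artifacts", "open_ticket", "update_alert:on_target"]
    else:
        out.actions += [f"quarantine:{alert['host']}", "open_ticket", "update_alert"]
    return out


# Constructed sample alert; the hash is a placeholder, not a real indicator.
SAMPLE_ALERT = {"host": "mkt-ws-07", "file_hash": "0" * 64}
```

Recording the steps as an ordered list rather than executing them makes each branch testable before the flow is wired to live containment actions such as quarantine.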


The integration between DFLabs and Microsoft Graph Security works to ease the complexity by streamlining security operations to improve threat protection, detection, and response capabilities. Through combining Microsoft’s security products, services, and partners with IncMan SOAR’s pure automation and orchestration power, organizations have a single pane of glass to monitor and manage their entire infrastructure. This can alleviate some of the most pressing matters facing today’s security teams and provides a single solution to allow organizations to readily realize and enrich the value of their deployed solutions.
