Work with discovered apps via Graph API (Preview)

Microsoft Defender for Cloud Apps supports a Microsoft Graph API that you can use to work with discovered cloud apps, to customize and automate the Discovered apps page functionality in the Microsoft Defender portal.

This article provides sample procedures for using the uploadedStreams API for common purposes.

Prerequisites

Before you start using the Graph API, make sure to create an app and get an access token to use the application. Then, use the token to access the Defender for Cloud Apps API.

  • Give the app permission to access Defender for Cloud Apps by granting it the CloudApp-Discovery.Read.All permission with admin consent.

  • Take note of your app secret and copy its value to use later on in your scripts.

You'll also need cloud app data streaming into Microsoft Defender for Cloud Apps.

For more information, see:

Get data about discovered apps

To get a high-level summary of all the data available on your Discovered apps page, run the following GET command:

GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams

To drill down to data for a specific stream:

  1. Copy the relevant <streamId> value from the previous command's output.

  2. Run the following GET command using the <streamId> value:

    GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P90D')
    

Filter for a specific time period and risk score

Filter your API commands using $select and $filter to get data for a specific time period and risk score. For example, to view the names of all apps discovered in the last 30 days with a risk score lower than or equal to 4, run:

GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')?$filter=riskRating le 4&$select=displayName
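The list, drill-down, and filter calls above combined into one Python script, as an added example that is not part of the original article. It percent-encodes the $filter query, follows @odata.nextLink paging, and refuses to send the bearer token to any host other than graph.microsoft.com. The MDA_* environment variable names and the "id" field used as the stream ID are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

BASE = "https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams"

def get_token(tenant, client_id, secret):
    """Client-credentials token for an app granted CloudApp-Discovery.Read.All."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": secret, "scope": "https://graph.microsoft.com/.default"})
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(url, data=form.encode()) as resp:
        return json.load(resp)["access_token"]

def apps_url(stream_id, days, odata_filter=None, select=None):
    """Build the aggregatedAppsDetails URL with $filter/$select percent-encoded."""
    sid = urllib.parse.quote(stream_id, safe="")
    url = f"{BASE}/{sid}/aggregatedAppsDetails(period=duration'P{int(days)}D')"
    params = {k: v for k, v in (("$filter", odata_filter), ("$select", select)) if v}
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="$'()/,", quote_via=urllib.parse.quote)
    return url

def http_get(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def get_all(url, token, fetch=http_get):
    """Collect every page of results; the token only ever goes to graph.microsoft.com."""
    items = []
    while url:
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "https" or parts.hostname != "graph.microsoft.com":
            raise ValueError(f"refusing to send token to {url!r}")
        page = fetch(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

if __name__ == "__main__":
    # Assumed: MDA_* variable names, and that each stream exposes its <streamId> as "id".
    token = get_token(os.environ["MDA_TENANT_ID"], os.environ["MDA_CLIENT_ID"],
                      os.environ["MDA_CLIENT_SECRET"])
    for stream in get_all(BASE, token):
        for app in get_all(apps_url(stream["id"], 30, "riskRating le 4", "displayName"), token):
            print(stream["id"], app.get("displayName"))
```

Reading the app secret from the environment keeps it out of the script and out of source control.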

Get the userIdentifier of all users, devices, or IP addresses using a specific app

To identify the users, devices, or IP addresses that are currently using a specific app, run one of the following commands:

  • To return users:

    GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/users
    
  • To return IP addresses:

    GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/ipAddress
    
  • To return devices:

    GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/name
    

Use filters to see apps by category

Use filters to see apps of a specific category, such as apps that are categorized as Marketing and are also not HIPAA compliant. For example, run:

GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<MDEstreamId>/aggregatedAppsDetails(period=duration'P30D')?$filter=(appInfo/Hippa eq 'false') and category eq 'Marketing'

For more information, see Working with discovered apps and the Microsoft Graph API reference.