Work with discovered apps via Graph API (Preview)
Microsoft Defender for Cloud Apps exposes a Microsoft Graph API for working with discovered cloud apps, so you can customize and automate the functionality of the Discovered apps page in the Microsoft Defender portal from your own scripts.
This article provides sample procedures for using the uploadedStreams API for common purposes.
Prerequisites
Before you start using the Graph API, register an app and get an access token for it. Then use that token to call the Defender for Cloud Apps API.
Give the app permission to access Defender for Cloud Apps by granting it the CloudApp-Discovery.Read.All permission and providing admin consent. That read-only permission is all the procedures in this article need, so don't grant broader Defender or Graph permissions alongside it.
Take note of your app secret and copy its value to use later on in your scripts. Keep the secret out of the script itself: read it from an environment variable or a secret store at run time.
You'll also need cloud app data streaming into Microsoft Defender for Cloud Apps.
For more information, see:
- Manage admin access
- Graph API authentication and authorization basics
- Use the Microsoft Graph API
- Set up Cloud Discovery
Get data about discovered apps
To get a high-level summary of all the data available on your Discovered apps page, send the following GET request:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams
To drill down to data for a specific stream:
1. Copy the relevant <streamId> value from the previous request's output.
2. Send the following GET request using that <streamId> value:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P90D')
The period parameter is an ISO 8601 duration literal; P90D returns app details aggregated over the last 90 days.
Filter for a specific time period and risk score
Use the $select and $filter query parameters to get data for a specific time period and risk score. For example, to view the names of all apps discovered in the last 30 days with a risk score of 4 or lower, run:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')?$filter=riskRating le 4&$select=displayName
When you send the request from a script rather than typing it into Graph Explorer, percent-encode the spaces and quotes in the $filter value (for example, riskRating%20le%204); they aren't valid characters in a URL.
Get the users, devices, or IP addresses using a specific app
To identify the users, devices, or IP addresses that are currently using a specific app, run one of the following requests, where <id> is the app's id value from the aggregatedAppsDetails output:
To return users:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/users
To return IP addresses:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/ipAddress
To return devices:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')/<id>/name
Use filters to see apps by category
Use filters to see apps of a specific category, such as apps that are categorized as Marketing and are also not HIPAA compliant. For example, run:
GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'P30D')?$filter=(appInfo/Hippa eq 'false') and category eq 'Marketing'
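The following script is an added example, not code from this article or from the Defender for Cloud Apps product. It strings the procedures above together: it obtains an app-only token with the client-credentials flow, lists the uploaded streams, runs the 30-day risk-score query with a correctly encoded $filter, and follows @odata.nextLink so that large result sets aren't truncated at the first page. The endpoint paths, the CloudApp-Discovery.Read.All permission and the v2.0 token endpoint are real; the function names, the injectable transport, and the constructed SAMPLE_PAGES responses that let it run offline are this example's own assumptions, as is the id property it reads from each stream.

```python
"""Added example, not code from the Microsoft article: a dependency-free client for
the Cloud Discovery endpoints above. The paths, permission and token endpoint are
real; function names, the injectable transport and SAMPLE_PAGES are assumptions."""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def http(method, url, headers=None, body=None):
    """Default transport: send the request with urllib and return the JSON body."""
    data = urllib.parse.urlencode(body).encode() if body else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id, client_id, client_secret, transport=http):
    """Client-credentials flow. Scope '.default' requests exactly the permissions an
    admin consented to for this app (CloudApp-Discovery.Read.All) and nothing more."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return transport("POST", TOKEN_URL.format(tenant=tenant_id), body=body)["access_token"]


def apps_url(stream_id, period="P30D", filter_=None, select=None):
    """Build .../uploadedStreams/<streamId>/aggregatedAppsDetails(period=duration'PnD')
    and percent-encode $filter/$select: spaces and quotes are not valid in a URL."""
    url = f"{GRAPH}/uploadedStreams/{stream_id}/aggregatedAppsDetails(period=duration'{period}')"
    query = {}
    if filter_:
        query["$filter"] = filter_
    if select:
        query["$select"] = ",".join(select)
    if query:
        url += "?" + "&".join(f"{k}={urllib.parse.quote(v)}" for k, v in query.items())
    return url


def iter_pages(token, url, transport=http):
    """Yield every item of a Graph collection, following @odata.nextLink across pages."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    while url:
        page = transport("GET", url, headers=headers)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def list_streams(token, transport=http):
    return list(iter_pages(token, f"{GRAPH}/uploadedStreams", transport))


def low_risk_app_names(token, stream_id, max_risk=4, transport=http):
    """displayName of apps seen in the last 30 days with riskRating <= max_risk
    (the article's $filter example, sent with proper encoding)."""
    url = apps_url(stream_id, "P30D", f"riskRating le {max_risk}", ["displayName"])
    return [app["displayName"] for app in iter_pages(token, url, transport)]


def app_entities(token, stream_id, app_id, segment="users", transport=http):
    # segment is one of the trailing segments listed above: users, ipAddress or name
    return list(iter_pages(token, f"{apps_url(stream_id)}/{app_id}/{segment}", transport))


# Constructed sample responses (not real tenant data) so the example runs offline.
SAMPLE_STREAM = "00000000-0000-0000-0000-000000000001"
SAMPLE_PAGES = {
    f"{GRAPH}/uploadedStreams": {"value": [{"id": SAMPLE_STREAM}]},
    apps_url(SAMPLE_STREAM, "P30D", "riskRating le 4", ["displayName"]): {
        "value": [{"displayName": "PasteSite"}],
        "@odata.nextLink": f"{GRAPH}/uploadedStreams/{SAMPLE_STREAM}/page2",
    },
    f"{GRAPH}/uploadedStreams/{SAMPLE_STREAM}/page2": {"value": [{"displayName": "FileDrop"}]},
}


def offline_transport(method, url, headers=None, body=None):
    """Stand-in for http(): issues a fake token and serves SAMPLE_PAGES."""
    if method == "POST":
        return {"access_token": "constructed-token"}
    if (headers or {}).get("Authorization") != "Bearer constructed-token":
        raise PermissionError("401: missing or wrong bearer token")
    return SAMPLE_PAGES[url]


def demo(transport=offline_transport):
    token = get_token("tenant", "client", "secret", transport)
    return {s["id"]: low_risk_app_names(token, s["id"], 4, transport)
            for s in list_streams(token, transport)}


if __name__ == "__main__":
    env = os.environ  # never hardcode the secret; read it from the environment or a vault
    tok = get_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    for stream in list_streams(tok):
        print(stream["id"], low_risk_app_names(tok, stream["id"]))
```

Run it with TENANT_ID, CLIENT_ID and CLIENT_SECRET set to use the real transport; demo() exercises the same code path against the constructed pages. Because the transport is injected, the same functions can be pointed at a recorded response file when you want to test a filter expression without spending API calls.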
Related content
For more information, see Working with discovered apps and the Microsoft Graph API reference.