Microsoft Security

What is a security graph?

Learn how security graphs map environments and relationships to provide advanced security insights.
A security graph is a connected map that shows how users, devices, and activities interact. It provides AI-driven insights and visualizations that help security teams investigate threats and assess potential attack paths. Real-world examples include incident graphs, threat hunting graphs, and data risk graphs.
  • Security graphs map connections between users, devices, applications, and assets, providing AI-driven insights that enhance threat detection, investigation, and response.
  • They drive critical security workflows such as incident blast radius analysis, threat hunting, and data risk assessment by visualizing how entities interact and highlighting potential attack paths.
  • Security graphs offer enriched visualizations and scalable mapping of your environment, helping security teams assess risks and respond to threats efficiently.
  • Each component of the security graph—nodes representing users, devices, applications, and assets—contains detailed properties, offering a deeper understanding of your environment’s vulnerabilities and sensitive data.

Components of a security graph

A security graph is a connected map of your environment that promotes advanced threat detection, investigation, and response. It’s composed of three foundational elements:

Nodes
Nodes represent the entities within your environment, which include:

  • Users—individual accounts, identities, or roles.
  • Devices—endpoints such as laptops, servers, or mobile devices.
  • Applications—cloud services, internal apps, or third-party tools.
  • Documents and assets—files, folders, and sensitive data objects.
Each node contains properties that describe its attributes, such as user roles, device types, or document sensitivity levels.

Edges
Edges define how nodes are connected and interact. They represent:

  • Relationships—for example, “user is-member-of group” or “device belongs-to user.”
  • Access paths—who accessed what, when, and how.
  • Activity flows—sequences of actions, such as login events, file sharing, or email exchanges.
These connections let security teams trace attacker movement through the environment (including the slow, staged movement typical of advanced persistent threats, or APTs), assess blast radius, and visualize potential attack paths.

Data sources
Cybersecurity graphs are built from rich, diverse data sources, including:

  • Unified audit logs—activity across Microsoft 365 services.
  • Microsoft Entra ID logs—sign-in events, risky user detections.
  • Microsoft Defender product data—alerts and telemetry from Defender for Endpoint, Identity, and Cloud.
  • Third-party connectors—integrated data from external security tools, such as security information and event management (SIEM).
  • Threat intelligence feeds—indicators of compromise and attacker tactics.
These sources feed into the graph engine, which automatically builds and updates the graph every four hours in supported scenarios in Microsoft Defender and Microsoft Purview.

Using graphs for security

Traditional cybersecurity tools rely heavily on tabular data—lists of users, logs, alerts, and events. While useful for storing facts, these tools struggle to reveal how those facts connect. This limitation makes it difficult to trace attacker movement, correlate incidents, or anticipate the impact of a breach.

Security graphs overcome these challenges by mapping relationships between entities like users, devices, documents, and activities. This connected view provides:

  • Contextual awareness—the graph shows not just what happened, but how it fits into the broader environment: who was involved, what assets were touched, and what paths were taken.
  • Correlation across data sources—by linking disparate data points, graphs help analysts connect the dots between seemingly unrelated events.
  • Detection of hidden connections—graphs reveal privileged access paths, lateral movement, and blast radius scenarios that are very hard to uncover with tabular tools alone.
This shift from static data to dynamic relationships changes how security practices such as development, security, and operations (DevSecOps), alert handling, and proactive threat discovery are carried out.

Enhanced threat detection

Security graphs transform threat detection and response (TDR) by revealing the hidden relationships and attack paths that traditional tools often miss. By visualizing how entities interact across your environment, graphs offer faster, deeper, and more proactive security insights.

Attack path analysis
Security graphs support blast radius analysis, allowing defenders to evaluate the vulnerable paths an attacker could take from a compromised entity. This helps security teams anticipate next steps and prioritize containment actions to reduce business impact.

Lateral movement detection
With graph-powered hunting, analysts can visually explore the complex web of relationships between users, devices, and other entities. This reveals privileged access paths and lateral movement tactics that attackers use to escalate their reach within the environment.

Anomaly spotting
Threat graphs unify data from audit logs, identity and access management (IAM) tools, and threat intelligence to surface unusual patterns—such as unexpected file access or risky user behavior. These insights help security teams detect anomalies early and respond before threats escalate.

Improved incident response

Security graphs empower incident response teams with deeper visibility, faster triage, and more precise remediation. Mapping relationships and activities allows defenders to move from reactive alert handling to proactive investigation and containment.

Alert correlation
Instead of manually correlating logs or running complex queries, the incident graph in Microsoft Defender automatically links related alerts and entities. This helps security operations center (SOC) teams understand the full scope of an incident and prioritize which systems to contain and remediate first—reducing response time and limiting business impact.

Root cause tracing
Security graphs help analysts trace an incident back to its origin: starting from a compromised credential or asset, they can walk the graph backward to the activity that preceded it and forward to its blast radius. This helps teams find the initial point of compromise and anticipate the attacker's next move, giving more effective root cause analysis.

Graph visualization
Interactive graph views in Defender and Microsoft Purview provide a unified, real-time picture of users, assets, and activities. These visualizations help investigators see not just what happened, but how it unfolded—revealing access paths, data movement, and risky behavior in a single pane of glass.

Using a graph database

Graph databases are purpose-built to store and query relationships, making them ideal for modern security operations. Unlike traditional databases that struggle with complex joins and relational mapping, graph databases offer a more intuitive and scalable way to model interconnected entities and behaviors.

Relationship-first storage
Graph databases prioritize relationships as first-class citizens. This allows security teams to:

  • Store entities such as users, devices, and documents as nodes.
  • Represent interactions and access paths as edges.
  • Enrich both nodes and edges with properties for deeper context.
This structure mirrors real-world environments, providing more accurate modeling of attack paths, user behavior, and data flows.

Native query languages
Graph databases support specialized query languages designed for relationship traversal:

  • Cypher (used in Neo4j)—offers pattern matching across nodes and edges.
  • Gremlin (used in Apache TinkerPop)—supports graph traversal and filtering.
These languages allow analysts and AI agents to ask complex questions, such as:

  • “Which compromised users accessed Server A and emailed file X?”
  • “What is the blast radius of a leaked document?”

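
As an added, self-contained example (not code from this page or from any Microsoft product), the following Python builds the node-and-edge model described under Components of a security graph from a handful of constructed audit-style events, then answers the two questions above by traversal: the first as an explicit pattern match (the equivalent Cypher pattern is given in a comment), the second as a hop-limited breadth-first search. Event fields, entity names, labels and relation names are invented for illustration; a risky sign-in is treated as marking the identity as compromised.

```python
from collections import defaultdict, deque

# Constructed sample events standing in for unified-audit-log and sign-in
# records. Field names are illustrative, not any product's schema.
EVENTS = [
    {"type": "SignIn", "user": "alice", "device": "LAPTOP-01", "risk": "high"},
    {"type": "SignIn", "user": "bob", "device": "LAPTOP-02", "risk": "high"},
    {"type": "SignIn", "user": "carol", "device": "LAPTOP-03", "risk": "low"},
    {"type": "Access", "user": "alice", "target": "Server A"},
    {"type": "Access", "user": "bob", "target": "Server A"},
    {"type": "Access", "user": "carol", "target": "Server B"},
    {"type": "Email", "user": "alice", "file": "file X", "to": "dave"},
    {"type": "Email", "user": "bob", "file": "file Y", "to": "dave"},
    {"type": "Share", "user": "dave", "file": "file X", "to": "erin"},
    {"type": "MemberOf", "user": "alice", "group": "Finance-Admins"},
    {"type": "Access", "user": "erin", "target": "Server C"},
]


class SecurityGraph:
    """Minimal property graph: every node and edge carries a dict of properties."""

    def __init__(self):
        self.nodes = {}                 # node id -> {"label": ..., other props}
        self.out = defaultdict(list)    # src -> [(relation, dst, props)]
        self.inc = defaultdict(list)    # dst -> [(relation, src, props)]

    def add_node(self, nid, label, **props):
        self.nodes.setdefault(nid, {"label": label}).update(props)

    def add_edge(self, src, rel, dst, **props):
        self.out[src].append((rel, dst, props))
        self.inc[dst].append((rel, src, props))

    def neighbors(self, nid):
        """Adjacent nodes in either direction (blast radius ignores edge direction)."""
        for rel, dst, _ in self.out[nid]:
            yield rel, dst
        for rel, src, _ in self.inc[nid]:
            yield rel, src


def build_graph(events):
    """Turn flat events into nodes (User, Device, Server, File, Group) and typed edges."""
    g = SecurityGraph()
    file_rel = {"Email": "EMAILED", "Share": "SHARED"}
    for e in events:
        g.add_node(e["user"], "User")
        if e["type"] == "SignIn":
            g.add_node(e["device"], "Device")
            g.add_edge(e["user"], "SIGNED_IN_FROM", e["device"], risk=e["risk"])
            if e["risk"] == "high":   # assumption: a risky sign-in flags the identity
                g.add_node(e["user"], "User", compromised=True)
        elif e["type"] == "Access":
            g.add_node(e["target"], "Server")
            g.add_edge(e["user"], "ACCESSED", e["target"])
        elif e["type"] in file_rel:
            g.add_node(e["file"], "File")
            g.add_node(e["to"], "User")
            g.add_edge(e["user"], file_rel[e["type"]], e["file"])
            g.add_edge(e["file"], "SENT_TO", e["to"])
        elif e["type"] == "MemberOf":
            g.add_node(e["group"], "Group")
            g.add_edge(e["user"], "MEMBER_OF", e["group"])
    return g


def compromised_users_touching(g, server, file):
    """Which compromised users accessed `server` and emailed `file`?

    Equivalent Cypher pattern:
      MATCH (u:User {compromised: true})-[:ACCESSED]->(:Server {name: $server}),
            (u)-[:EMAILED]->(:File {name: $file})
      RETURN u.name
    """
    hits = []
    for nid, props in g.nodes.items():
        if props["label"] != "User" or not props.get("compromised"):
            continue
        targets = {(rel, dst) for rel, dst, _ in g.out[nid]}
        if ("ACCESSED", server) in targets and ("EMAILED", file) in targets:
            hits.append(nid)
    return sorted(hits)


def blast_radius(g, start, max_hops):
    """Breadth-first search: every node within `max_hops` of `start`, with its distance."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for _, nxt in g.neighbors(cur):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


GRAPH = build_graph(EVENTS)

if __name__ == "__main__":
    print(compromised_users_touching(GRAPH, "Server A", "file X"))   # ['alice']
    for node, d in sorted(blast_radius(GRAPH, "file X", 2).items(), key=lambda kv: kv[1]):
        print(d, GRAPH.nodes[node]["label"], node)
```

The hop limit is the practical knob: with two hops from the leaked file the result covers the people who received it and the devices, servers and groups they touch, while bob (who shares only a server with alice) appears at three hops. Raising the limit widens the blast radius quickly, so a real investigation usually pairs the traversal with filters on edge type or node sensitivity.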
Real-time analysis
Graph databases allow for fast, dynamic querying across billions of relationships. In Microsoft Sentinel, graphs are automatically built and refreshed every four hours, so the data in the graph is near-real-time; querying it is interactive. It powers experiences such as:

  • Incident blast radius analysis.
  • Threat hunting over graph.
  • Data risk investigation in Microsoft Purview Insider Risk Management (IRM) and Data Security Investigations (DSI).
This near-real-time capability helps security teams respond faster, uncover hidden threats, and reduce business impact.

Comparing graph databases and traditional databases

Security operations often require mapping complex relationships, and that is where traditional databases struggle:

Relational databases (slow joins)
  • Store data in structured tables.
  • Require multiple joins to connect related entities.
  • Performance degrades as relationships grow.
  • Not ideal for modeling dynamic security environments or attack paths.
Document or key-value databases (limited relationships)
  • Designed for storing individual records or documents.
  • Lack native support for modeling relationships.
  • Good for simple lookups, but poor at revealing connections between entities.
  • Cannot easily trace how users, devices, and files interact in a breach.
Graph databases, on the other hand, are optimized for these complex connections.

Graph databases
  • Store entities as nodes and relationships as edges.
  • Allow fast traversal across connected data.
  • Ideal for security use cases such as identity and access risk analysis, threat hunting, and data risk investigation.
  • Power advanced graph-based experiences in Microsoft Sentinel, Defender, and Purview.
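
To make concrete what "multiple joins" and fixed-depth traversal look like in a relational store, here is an added example (not from this page or from any product) that answers the two questions listed under Native query languages, but in SQL against an in-memory SQLite table of edges. The fixed-shape pattern needs one self-join of the edge table per edge in the pattern, and the variable-depth blast radius needs a recursive common table expression that re-joins the edge table at every hop. The edges, the compromised-user table and all names are constructed for illustration.

```python
import sqlite3

# Constructed edges: the same user/device/server/file relationships a security
# graph would hold, flattened into one relational table. Names are invented.
EDGES = [
    ("alice", "SIGNED_IN_FROM", "LAPTOP-01"),
    ("alice", "ACCESSED", "Server A"),
    ("bob", "ACCESSED", "Server A"),
    ("alice", "EMAILED", "file X"),
    ("file X", "SENT_TO", "dave"),
    ("dave", "SHARED", "file X"),
    ("file X", "SENT_TO", "erin"),
    ("erin", "ACCESSED", "Server C"),
]
COMPROMISED = [("alice",), ("bob",)]   # identities already flagged by some detection


def open_db():
    """In-memory SQLite with an edge table and a table of flagged identities."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE edge (src TEXT, rel TEXT, dst TEXT);"
        "CREATE TABLE compromised_user (name TEXT PRIMARY KEY);"
    )
    con.executemany("INSERT INTO edge VALUES (?, ?, ?)", EDGES)
    con.executemany("INSERT INTO compromised_user VALUES (?)", COMPROMISED)
    return con


def compromised_users_touching_sql(con, server, file):
    """Fixed-shape pattern: one self-join of the edge table per edge in the pattern."""
    rows = con.execute(
        """
        SELECT c.name
        FROM compromised_user AS c
        JOIN edge AS a ON a.src = c.name AND a.rel = 'ACCESSED' AND a.dst = ?
        JOIN edge AS e ON e.src = c.name AND e.rel = 'EMAILED'  AND e.dst = ?
        ORDER BY c.name
        """,
        (server, file),
    ).fetchall()
    return [name for (name,) in rows]


def blast_radius_sql(con, start, max_hops):
    """Variable-depth reach: a recursive CTE that re-joins the edge table once per
    hop, following edges in either direction. Returns {node: shortest hop count}."""
    rows = con.execute(
        """
        WITH RECURSIVE reach(node, hops) AS (
            SELECT ?, 0
            UNION
            SELECT CASE WHEN e.src = r.node THEN e.dst ELSE e.src END, r.hops + 1
            FROM reach AS r
            JOIN edge AS e ON e.src = r.node OR e.dst = r.node
            WHERE r.hops < ?
        )
        SELECT node, MIN(hops) FROM reach GROUP BY node
        """,
        (start, max_hops),
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = open_db()
    print(compromised_users_touching_sql(db, "Server A", "file X"))   # ['alice']
    print(blast_radius_sql(db, "file X", 2))
```

Each additional edge in the pattern adds another join, and the recursive query revisits the whole edge table per hop, which is the cost the comparison above is describing; a graph store answers the same traversal by following adjacency from the start node outward.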

Scalability and performance

Security graphs are designed to handle the scale and complexity of modern enterprise environments. Microsoft Sentinel graph, for example, is the high-performance platform behind the graph-based experiences in Defender and Microsoft Purview, built for massive data volumes and near-real-time insights.

Handling billions of relationships
Security graphs model users, devices, assets, and activities as interconnected nodes and edges. This structure allows the graph to represent billions of relationships across an enterprise—allowing deep visibility into attack paths, access control, and risk propagation.

Distributed graph databases
The underlying graph capabilities in Microsoft Sentinel are built on distributed infrastructure. This ensures:

  • High availability and fault tolerance.
  • Scalable ingestion from diverse data sources such as Defender, Microsoft Purview, and Microsoft Entra.
  • Efficient graph building and enrichment across multiple security products.

Real-time querying
Graphs in Microsoft Sentinel are automatically built and refreshed every four hours, allowing near-real-time analysis. Security teams can:

  • Instantly visualize blast radius in incident graphs.
  • Traverse access paths in hunting graphs.
  • Investigate data movement in Microsoft Purview IRM and DSI.
This near-real-time capability helps defenders respond faster and more effectively to evolving threats.

Real-world examples

Security graphs deliver powerful capabilities across the entire security lifecycle—including risk assessment, threat detection, and incident response. Below are key use cases where graph-based cybersecurity analytics deliver measurable value.

Identity and access risk
Security graphs help visualize relationships between users, groups, and assets. This allows organizations to:

  • Identify privileged access paths.
  • Detect risky user behavior.
  • Assess the blast radius of compromised identities.
These insights are foundational to Microsoft Security Exposure Management, which uses exposure graphs for attack surface management and to protect critical assets.

Threat hunting
The hunting graph in Microsoft Defender allows analysts to:

  • Traverse complex webs of relationships between users, devices, and activities.
  • Reveal hidden paths attackers might exploit.
  • Prioritize incidents based on access risk and proximity to sensitive assets.
This turns threat hunting from reactive alert handling into proactive discovery of exposures before they are exploited.

Data security
The data risk graph in Microsoft Purview IRM and DSI supports similar goals by:

  • Mapping user activity across SharePoint and OneDrive.
  • Identifying suspicious data access and movement.
  • Visualizing potential exfiltration paths and risky behavior.
These capabilities help detect insider threats and prevent data leaks.

Cloud security
Security graphs integrate data from Microsoft Defender for Cloud and other Microsoft services to:

  • Visualize cloud asset relationships.
  • Detect misconfigurations and exposure risks.
  • Provide recommendations to secure cloud environments.
This supports continuous and proactive defense in hybrid and multicloud setups.

SOC efficiency
The incident graph in Defender enhances SOC workflows by:

  • Automatically correlating alerts and entities.
  • Visualizing blast radius scenarios.
  • Mapping observed attacker behavior to the MITRE ATT&CK framework.
  • Helping teams prioritize containment and remediation.
This reduces response time and improves decision-making during active incidents.

Getting started with security graphs

Security graphs represent a transformative shift in how organizations detect, investigate, and respond to threats. Whether it’s blast radius analysis, threat hunting, insider risk detection, or cloud security, graph-based analytics deliver real-time insights across the entire security lifecycle.

Security graphs aren’t just a tool—they’re a foundation for modern, intelligent security operations. Explore Microsoft Sentinel and activate graph-powered experiences for your organization.

Frequently asked questions

  • What is a security graph? A security graph is a connected map of entities—such as users, devices, and documents—and their relationships. It provides AI-driven insights and visualizations that help security teams investigate threats, assess blast radius, and anticipate attacker actions.
  • What is a graph security alert? A graph security alert is a notification generated from graph-based analysis in Microsoft Sentinel. It highlights suspicious or risky activity so security teams can quickly assess threats and their potential impact.
  • What is a threat graph? A threat graph is a type of security graph that visualizes how threats move through an environment by connecting users, devices, and activities. It uncovers attack paths, lateral movement, and vulnerabilities to help security teams detect, investigate, and respond to cyberattacks more effectively.
