Microsoft Graph

Microsoft Graph is a Universal REST API based log source template that enables you to fetch and analyze logs from Microsoft Graph. Microsoft Graph is a unified API that provides access to data and intelligence from various Microsoft cloud services, including Entra ID (formerly Azure Active Directory) and Microsoft 365. The integration ensures consistent collection, processing, and analysis of Microsoft Graph logs for precise security event analysis and reporting.

Currently, our integration supports collecting logs from the following Microsoft Graph endpoints:

Microsoft Graph API Endpoints

| Endpoint | Description | Log Source | Microsoft Service |
|---|---|---|---|
| security/alerts_v2 | Provides access to security alerts generated by services that are either part of or integrated with Microsoft 365 Defender. | Various services within Microsoft 365 Defender | Microsoft 365 Defender services, integrated via Microsoft Graph |
| security/incidents | Provides access to security incidents, which are collections of related alerts that indicate a broader threat. | Microsoft Defender for Endpoint, Microsoft Defender for Identity, and other integrated security services | Microsoft 365 security services, integrated via Microsoft Graph |
| identityProtection/riskDetections | Provides access to risk detections related to user identities, such as suspicious sign-ins and other risky activities. | Microsoft Entra ID (Azure AD Identity Protection) | Microsoft Entra ID |
| auditLogs/directoryaudits | Provides access to directory audit logs, which record changes made to the directory (such as user and group management activities). | Microsoft Entra ID | Microsoft Entra ID |
| auditLogs/signIns | Provides access to sign-in logs, which record user sign-ins and related details such as IP address, device, and application. | Microsoft Entra ID | Microsoft Entra ID |
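As an added illustration (not the template's own fetcher code), the following Python sketches the incremental pull a Universal REST API fetcher performs against the endpoints listed above: a timestamp watermark in `$filter`, following `@odata.nextLink` across pages, and advancing the watermark for the next poll while skipping the boundary record that `ge` returns again. The per-endpoint timestamp property names and the sample response pages are assumptions.

```python
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# The five endpoints named on the page and the timestamp property used for
# incremental collection (property names are assumptions, not from the page).
TIME_FIELD = {
    "security/alerts_v2": "createdDateTime",
    "security/incidents": "createdDateTime",
    "identityProtection/riskDetections": "detectedDateTime",
    "auditLogs/directoryaudits": "activityDateTime",
    "auditLogs/signIns": "createdDateTime",
}

def build_url(endpoint, watermark, top=50):
    """First-page URL: records at or after the watermark, oldest first."""
    field = TIME_FIELD[endpoint]
    flt = quote(f"{field} ge {watermark}", safe=":")  # spaces become %20
    return f"{GRAPH_BASE}/{endpoint}?$filter={flt}&$orderby={field}&$top={top}"

def collect(endpoint, watermark, get_page, seen_ids):
    """Follow @odata.nextLink to the last page; return (new_records, new_watermark).
    get_page(url) -> dict is injected so the paging logic runs offline. 'ge'
    re-returns the boundary record on the next poll, so ids already in
    seen_ids are skipped instead of being ingested twice."""
    field, records, newest = TIME_FIELD[endpoint], [], watermark
    url = build_url(endpoint, watermark)
    while url:
        page = get_page(url)
        for rec in page.get("value", []):
            if rec["id"] not in seen_ids:
                seen_ids.add(rec["id"])
                records.append(rec)
                newest = max(newest, rec.get(field, ""))  # 'Z' UTC strings compare lexically
        url = page.get("@odata.nextLink")  # absent on the final page
    return records, newest

# Constructed two-page response for security/alerts_v2 (not real tenant data).
NEXT = f"{GRAPH_BASE}/security/alerts_v2?$skiptoken=constructed"
SAMPLE_PAGES = {
    build_url("security/alerts_v2", "2024-05-01T00:00:00Z"): {
        "value": [{"id": "a1", "createdDateTime": "2024-05-01T08:00:00Z", "severity": "high"},
                  {"id": "a2", "createdDateTime": "2024-05-01T09:30:00Z", "severity": "medium"}],
        "@odata.nextLink": NEXT},
    NEXT: {"value": [{"id": "a3", "createdDateTime": "2024-05-02T01:00:00Z", "severity": "low"}]},
}

def fetch_sample(seen_ids=None):
    """One poll over the constructed pages; pass the same set again to see dedupe."""
    return collect("security/alerts_v2", "2024-05-01T00:00:00Z",
                   SAMPLE_PAGES.__getitem__, set() if seen_ids is None else seen_ids)
```

Timestamps with mixed fractional precision should be parsed rather than compared as strings.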

Microsoft Graph Components

  1. Universal REST API Fetcher

    • MicrosoftGraphFetcher

  2. Compiled Normalizer

    • MicrosoftGraphCompiledNormalizer

  3. Search Templates

    • Entra ID Identity Protection

    • Defender XDR Security

  4. Dashboards

    • LP_DEFENDER XDR ALERTS

    • LP_DEFENDER XDR INCIDENTS

    • LP_ENTRA ID IDENTITY PROTECTION

  5. Alerts

    • LP_Microsoft Defender XDR - High Severity Alert

    • LP_Microsoft Defender XDR - Host Generating Multiple Alerts

    • LP_Microsoft Defender XDR - Multiple Alerts Involving Same User

    • LP_Microsoft EntraID - User at Risk

    • LP_Potentially Unwanted Software Detected

  6. Report Template

    • Entra ID Audit Activity Monitoring
