Microsoft Graph Activity Logs

About
Microsoft Graph activity logs are an audit trail of all HTTP requests that the Microsoft Graph service received and processed for a tenant.
Product Details
Vendor URL: Microsoft Graph Activity Logs
Product Type: Audit
Product Tier: Tier III
Integration Method: No integration method existed at the time this document was written.
Integration URL: n/a
Log Guide: Microsoft Graph Activity Logs overview
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: MICROSOFT_GRAPH_ACTIVITY_LOGS
UDM Fields (all UDM fields the parser populates; quoted values are constants set on every event, field names match the raw JSON keys in the Log Sample below):
| Log File Field | UDM Field |
|---|---|
| "Microsoft" | metadata.vendor_name |
| "Graph Activity" | metadata.product_name |
| NETWORK_HTTP | metadata.event_type |
| TimeGenerated | metadata.event_timestamp |
| AadTenantId | metadata.product_deployment_id |
| Type | metadata.product_event_type |
| _UniqueRecordId | metadata.product_log_id |
| ApiVersion | metadata.product_version |
| ClientAuthMethod | extensions.auth.auth_details |
| "SSO" | extensions.auth.type |
| "NETWORK" | extensions.auth.mechanism |
| ClientRequestId | principal.process.pid |
| IPAddress | principal.ip |
| UserId | principal.user.userid |
| ServicePrincipalId | principal.user.userid |
| Wids | principal.user.attribute.roles.name |
| TenantId | principal.resource.product_object_id |
| "CLOUD_ORGANIZATION" | principal.resource.resource_type |
| _Internal_WorkspaceResourceId | principal.asset.attribute.cloud.project.product_object_id |
| Location | principal.location.country_or_region |
| AppId | target.application |
| RequestUri | target.url |
| RequestMethod | network.http.method |
| ResponseStatusCode | network.http.response_code |
| RequestId | network.session_id |
| UserAgent | network.http.user_agent |
| ResponseSizeBytes | network.received_bytes |
| DurationMs | security_result.detection_fields |
| Roles | security_result.detection_fields |
| Scopes | security_result.detection_fields |
| SignInActivityId | security_result.detection_fields |
| TokenIssuedAt | security_result.detection_fields |
Product Event Types
| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | NETWORK_HTTP |
Log Sample
{"TimeGenerated":"2024-02-06T15:53:30.6677512Z","Location":"West Central US","RequestId":"requestId","OperationId":"operationId","ClientRequestId":"clientRequestId","ApiVersion":"v1.0","RequestMethod":"GET","ResponseStatusCode":200,"AadTenantId":"aadTenantId","IPAddress":"0000:0000:306:1838::5","RequestUri":"https://graph.microsoft.com/v1.0/users/","DurationMs":1412690,"ResponseSizeBytes":4872,"SignInActivityId":"signinId","Roles":"GroupMember.Read.All User.Read.All","TokenIssuedAt":"2024-02-06T15:47:59.0000000Z","AppId":"appId","ServicePrincipalId":"principalId","IdentityProvider":"https://sts.windows.net/","ClientAuthMethod":2,"Wids":"wids","_UniqueRecordId":"uniqueId","_Internal_WorkspaceResourceId":"/subscriptions/id/resourcegroups/","Type":"MicrosoftGraphActivityLogs","TenantId":"tenantId"}
Sample Parsing
metadata.product_log_id = "uniqueId"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Graph Activity"
metadata.product_event_type = "MicrosoftGraphActivityLogs"
metadata.product_deployment_id = "aadTenantId"
principal.user.userid = "principalId"
principal.user.attribute.roles.name = "wids"
principal.process.pid = "clientRequestId"
principal.asset.attribute.cloud.project.product_object_id = "/subscriptions/id/resourcegroups/"
principal.ip = "0000:0000:306:1838::5"
principal.location.country_or_region = "West Central US"
principal.resource.resource_type = CLOUD_ORGANIZATION
principal.resource.product_object_id = "tenantId"
target.url = "https://graph.microsoft.com/v1.0/users/"
target.application = "appId"
security_result.detection_fields.key = "roles"
security_result.detection_fields.value = "GroupMember.Read.All"
security_result.detection_fields.key = "roles"
security_result.detection_fields.value = "User.Read.All"
security_result.detection_fields.key = "signInActivityId"
security_result.detection_fields.value = "signinId"
security_result.detection_fields.key = "tokenIssuedAt"
security_result.detection_fields.value = "2024-02-06T15:47:59.0000000Z"
network.received_bytes = 4872
network.session_id = "requestId"
network.http.method = "GET"
network.http.response_code = 200
extensions.auth.type = SSO
extensions.auth.mechanism = NETWORK
extensions.auth.auth_details = "2 - certificate"
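The field table and the sample parsing above describe the same mapping from two sides. The following added example (it is not the product's parser and not part of the original page) applies that mapping in Python to the page's own Log Sample, so the result can be compared line by line with the Sample Parsing section. It reproduces the behaviour the page shows: the space-delimited Roles value becomes one detection_fields entry per permission, and ClientAuthMethod 2 becomes "2 - certificate". Assumptions not stated on the page are marked in comments: the detection_fields keys "durationMs" and "scopes", the choice of UserId over ServicePrincipalId when both are present, and the labels for ClientAuthMethod values other than 2 (left unmapped).

```python
import json

# Constructed input: the Log Sample from this page, reproduced verbatim.
SAMPLE_LOG = (
    '{"TimeGenerated":"2024-02-06T15:53:30.6677512Z","Location":"West Central US",'
    '"RequestId":"requestId","OperationId":"operationId","ClientRequestId":"clientRequestId",'
    '"ApiVersion":"v1.0","RequestMethod":"GET","ResponseStatusCode":200,"AadTenantId":"aadTenantId",'
    '"IPAddress":"0000:0000:306:1838::5","RequestUri":"https://graph.microsoft.com/v1.0/users/",'
    '"DurationMs":1412690,"ResponseSizeBytes":4872,"SignInActivityId":"signinId",'
    '"Roles":"GroupMember.Read.All User.Read.All","TokenIssuedAt":"2024-02-06T15:47:59.0000000Z",'
    '"AppId":"appId","ServicePrincipalId":"principalId","IdentityProvider":"https://sts.windows.net/",'
    '"ClientAuthMethod":2,"Wids":"wids","_UniqueRecordId":"uniqueId",'
    '"_Internal_WorkspaceResourceId":"/subscriptions/id/resourcegroups/",'
    '"Type":"MicrosoftGraphActivityLogs","TenantId":"tenantId"}'
)

# Constants the parser sets on every event (quoted values in the UDM table).
CONSTANTS = {
    "metadata.vendor_name": "Microsoft",
    "metadata.product_name": "Graph Activity",
    "metadata.event_type": "NETWORK_HTTP",
    "principal.resource.resource_type": "CLOUD_ORGANIZATION",
    "extensions.auth.type": "SSO",
    "extensions.auth.mechanism": "NETWORK",
}

# One-to-one copies, raw JSON key -> UDM path, as listed in the UDM table. Missing or empty keys are skipped.
DIRECT = {
    "TimeGenerated": "metadata.event_timestamp",
    "AadTenantId": "metadata.product_deployment_id",
    "Type": "metadata.product_event_type",
    "_UniqueRecordId": "metadata.product_log_id",
    "ApiVersion": "metadata.product_version",
    "ClientRequestId": "principal.process.pid",
    "IPAddress": "principal.ip",
    "Wids": "principal.user.attribute.roles.name",
    "TenantId": "principal.resource.product_object_id",
    "_Internal_WorkspaceResourceId": "principal.asset.attribute.cloud.project.product_object_id",
    "Location": "principal.location.country_or_region",
    "AppId": "target.application",
    "RequestUri": "target.url",
    "RequestMethod": "network.http.method",
    "ResponseStatusCode": "network.http.response_code",
    "RequestId": "network.session_id",
    "UserAgent": "network.http.user_agent",
    "ResponseSizeBytes": "network.received_bytes",
}

# Fields folded into security_result.detection_fields as key/value pairs. The page shows the keys
# "roles", "signInActivityId" and "tokenIssuedAt"; "durationMs" and "scopes" are assumed here.
DETECTION_KEYS = {
    "DurationMs": "durationMs",
    "Roles": "roles",
    "Scopes": "scopes",
    "SignInActivityId": "signInActivityId",
    "TokenIssuedAt": "tokenIssuedAt",
}
SPACE_DELIMITED = {"Roles", "Scopes"}  # one detection_fields entry per space-separated permission

# ClientAuthMethod code -> label. The page shows only code 2 ("certificate"); other codes are left unmapped.
AUTH_METHOD_LABELS = {2: "certificate"}


def parse_graph_activity(raw: str) -> dict:
    """Map one raw Graph activity record (JSON text) to a flat dict keyed by UDM path."""
    rec = json.loads(raw)
    udm = dict(CONSTANTS)

    for src, dst in DIRECT.items():
        val = rec.get(src)
        if val not in (None, ""):
            udm[dst] = val

    # UserId (delegated call) and ServicePrincipalId (app-only call) both map to principal.user.userid.
    # Preferring UserId when both are present is an assumption; the page does not specify an order.
    actor = rec.get("UserId") or rec.get("ServicePrincipalId")
    if actor:
        udm["principal.user.userid"] = actor

    method = rec.get("ClientAuthMethod")
    if method is not None:
        label = AUTH_METHOD_LABELS.get(method)
        udm["extensions.auth.auth_details"] = f"{method} - {label}" if label else str(method)

    fields = []
    for src, key in DETECTION_KEYS.items():
        val = rec.get(src)
        if val in (None, ""):
            continue
        values = str(val).split() if src in SPACE_DELIMITED else [str(val)]
        fields.extend({"key": key, "value": v} for v in values)
    if fields:
        udm["security_result.detection_fields"] = fields
    return udm


def detection_values(udm: dict, key: str) -> list:
    """All detection_fields values stored under `key`, e.g. every permission the token carried."""
    return [f["value"] for f in udm.get("security_result.detection_fields", []) if f["key"] == key]


if __name__ == "__main__":
    print(json.dumps(parse_graph_activity(SAMPLE_LOG), indent=2))
```

Because Roles is split into separate key/value pairs, `detection_values(udm, "roles")` returns the full list of application permissions presented on an app-only call, which is what a hunt for over-privileged service principals (for example, any call carrying Directory.ReadWrite.All against a sensitive RequestUri) needs to group on; a single concatenated string would make that an error-prone substring match.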