Collect Microsoft Graph activity logs

Overview

This parser extracts fields from Microsoft Graph activity logs, transforming them into the Unified Data Model (UDM). It initializes UDM fields, parses the payload, extracts timestamps, maps various properties to UDM fields, handles IP addresses and ports, and categorizes the event type based on the presence of principal and network information.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Microsoft Entra ID and Azure storage accounts.

Configure Azure storage account

  1. In the Azure console, search for storage accounts.
  2. Click Create.
  3. Specify values for the following input parameters:
    • Subscription: select the subscription.
    • Resource Group: select the resource group.
    • Region: select the region.
    • Performance: select the performance level that you want (standard is recommended).
    • Redundancy: select the redundancy level that you want (GRS or LRS is recommended).
    • Storage account name: enter a name for the new storage account.
  4. Click Review + create.
  5. Review the overview of the account and click Create.
  6. From the Storage Account Overview page, select submenu Access keys in Security + networking.
  7. Click Show next to key1 or key2.
  8. Click Copy to clipboard to copy the key.
  9. Save the key in a secure location for future reference.
  10. From the Storage Account Overview page, select submenu Endpoints in Settings.
  11. Click Copy to clipboard to copy the Blob service endpoint URL (for example, https://<storageaccountname>.blob.core.windows.net).
  12. Save the endpoint URL in a secure location for future reference.

Configure Microsoft Graph activity logs export to storage account

  1. In the Azure console, search for Entra ID.
  2. Select Monitoring > Diagnostic settings.
  3. Click + Add diagnostic setting.
  4. Give the setting a unique name (for example, ms-graph-activity).
  5. Select the MicrosoftGraphActivityLog category you want to export to Google SecOps.
  6. Under Destination details, select Archive to a storage account.
  7. Select your subscription and the storage account you created in the previous step.
  8. Click Save.

Configure a feed in Google SecOps to ingest the Microsoft Graph activity logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Microsoft Graph activity logs).
  4. Select Microsoft Azure Blob Storage as the Source type.
  5. Select Microsoft Graph Activity Logs as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:

    • Azure uri: the blob endpoint URL.

      ENDPOINT_URL/BLOB_NAME

      Replace the following:

      • ENDPOINT_URL: the blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
      • BLOB_NAME: the name of the blob (for example, insights-logs-)
    • URI is a: select the URI type according to the log stream configuration (Single file | Directory | Directory which includes subdirectories).

    • Source deletion options: select deletion option according to your preference.

    • Shared key: the access key to the Azure Blob Storage.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field | UDM Mapping | Logic
callerIpAddress | principal.asset.ip | The raw log field callerIpAddress is copied to the UDM field.
callerIpAddress | principal.ip | The raw log field callerIpAddress is copied to the UDM field.
category | security_result.category_details | The raw log field category is copied to the UDM field.
correlationId | security_result.detection_fields.value | The raw log field correlationId is copied to the UDM field, where key is correlationId.
Level | security_result.detection_fields.value | The raw log field Level is converted to a string and copied to the UDM field, where key is Level.
operationName | metadata.product_event_type | The raw log field operationName is copied to the UDM field.
operationVersion | additional.fields.value.string_value | The raw log field operationVersion is copied to the UDM field, where key is operationVersion.
properties.apiVersion | metadata.product_version | The raw log field properties.apiVersion is copied to the UDM field.
properties.appId | target.resource.product_object_id | The raw log field properties.appId is copied to the UDM field.
properties.atContent | additional.fields.value.string_value | The raw log field properties.atContent is copied to the UDM field, where key is atContent.
properties.clientAuthMethod | extensions.auth.auth_details | Based on the value of properties.clientAuthMethod, the UDM field is set to "Public Client" (0), "Client ID/Client Secret" (1), or "Client Certificate" (2).
properties.clientRequestId | additional.fields.value.string_value | The raw log field properties.clientRequestId is copied to the UDM field, where key is clientRequestId.
properties.durationMs | network.session_duration.seconds | The raw log field properties.durationMs is converted from milliseconds to seconds and copied to the UDM field.
properties.identityProvider | security_result.detection_fields.value | The raw log field properties.identityProvider is copied to the UDM field, where key is identityProvider.
properties.ipAddress | principal.asset.ip | The IP address is extracted from the raw log field properties.ipAddress and copied to the UDM field.
properties.ipAddress | principal.ip | The IP address is extracted from the raw log field properties.ipAddress and copied to the UDM field.
properties.location | principal.location.name | The raw log field properties.location is copied to the UDM field.
properties.operationId | security_result.detection_fields.value | The raw log field properties.operationId is copied to the UDM field, where key is operationId.
properties.requestMethod | network.http.method | The raw log field properties.requestMethod is copied to the UDM field.
properties.requestId | metadata.product_log_id | The raw log field properties.requestId is copied to the UDM field.
properties.responseSizeBytes | network.received_bytes | The raw log field properties.responseSizeBytes is converted to an unsigned integer and copied to the UDM field.
properties.responseStatusCode | network.http.response_code | The raw log field properties.responseStatusCode is converted to an integer and copied to the UDM field.
properties.roles | additional.fields.value.string_value | The raw log field properties.roles is copied to the UDM field, where key is roles.
properties.scopes | additional.fields.value.string_value | The raw log field properties.scopes is copied to the UDM field, where key is Scopes.
properties.servicePrincipalId | principal.user.userid | The raw log field properties.servicePrincipalId is copied to the UDM field only if properties.userId is empty.
properties.signInActivityId | network.session_id | The raw log field properties.signInActivityId is copied to the UDM field.
properties.tenantId | metadata.product_deployment_id | The raw log field properties.tenantId is copied to the UDM field.
properties.tokenIssuedAt | additional.fields.value.string_value | The raw log field properties.tokenIssuedAt is copied to the UDM field, where key is tokenIssuedAt.
properties.userAgent | network.http.user_agent | The raw log field properties.userAgent is copied to the UDM field.
properties.userId | principal.user.userid | The raw log field properties.userId is copied to the UDM field.
properties.wids | security_result.detection_fields.value | The raw log field properties.wids is copied to the UDM field, where key is wids.
resourceId | target.resource.attribute.labels.value | The raw log field resourceId is copied to the UDM field, where key is Resource ID.
resultSignature | additional.fields.value.string_value | The raw log field resultSignature is copied to the UDM field, where key is resultSignature.
time | metadata.event_timestamp | The raw log field time is parsed, converted to a timestamp, and copied to the UDM field.
(none) | metadata.event_type | Set to "NETWORK_HTTP" if has_principal is true and network.http is not empty, "STATUS_UPDATE" if has_principal is true and network.http is empty, or "GENERIC_EVENT" otherwise.
(none) | metadata.product_name | Set to "Microsoft Graph".
(none) | metadata.vendor_name | Set to "Microsoft".
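The following Python sketch is an added illustration of the mapping rules above, written for this page and not the parser's own (Logstash-style) code. It applies a subset of the rules (timestamp, principal user/IP fallback, clientAuthMethod enum, durationMs conversion, HTTP fields and the event_type decision) to a constructed sample record; the IPv4 extraction tolerating an "ip:port" suffix is an assumption, since the table only says the IP is "extracted".

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of an exported Graph activity log entry (values invented).
SAMPLE = {
    "time": "2024-05-27T10:15:30.123Z",
    "operationName": "Microsoft Graph Activity",
    "callerIpAddress": "203.0.113.10",
    "properties": {"clientAuthMethod": 1, "durationMs": 250, "userId": "",
                   "ipAddress": "203.0.113.10:52314", "requestMethod": "GET",
                   "responseStatusCode": "200", "servicePrincipalId": "sp-example-0001"},
}
AUTH_METHODS = {0: "Public Client", 1: "Client ID/Client Secret", 2: "Client Certificate"}


def extract_ipv4(value):
    """Return the first valid IPv4 literal in a string such as 'ip:port', else None.
    Assumption: the table only says the IP is 'extracted', so a port suffix is tolerated."""
    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", value or "")
    if m and all(int(o) <= 255 for o in m.group(0).split(".")):
        return m.group(0)
    return None


def to_udm(event):
    """Apply the mapping rules from the table above to one raw record."""
    p = event.get("properties", {})
    udm = {"metadata": {"vendor_name": "Microsoft", "product_name": "Microsoft Graph",
                        "product_event_type": event.get("operationName")},
           "principal": {}, "network": {}, "extensions": {}}
    udm["metadata"]["event_timestamp"] = datetime.fromisoformat(
        event["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    userid = p.get("userId") or p.get("servicePrincipalId")  # userId wins when non-empty
    if userid:
        udm["principal"]["user"] = {"userid": userid}
    ip = extract_ipv4(p.get("ipAddress")) or event.get("callerIpAddress")
    if ip:
        udm["principal"]["ip"] = [ip]
    if "clientAuthMethod" in p:
        udm["extensions"]["auth"] = {"auth_details": AUTH_METHODS.get(p["clientAuthMethod"])}
    if "durationMs" in p:
        udm["network"]["session_duration"] = {"seconds": p["durationMs"] / 1000}
    http = {k: v for k, v in {"method": p.get("requestMethod"), "response_code":
            int(p["responseStatusCode"]) if p.get("responseStatusCode") else None}.items() if v}
    if http:
        udm["network"]["http"] = http
    has_principal = bool(udm["principal"])  # categorisation exactly as the table states it
    udm["metadata"]["event_type"] = ("NETWORK_HTTP" if has_principal and http
                                     else "STATUS_UPDATE" if has_principal else "GENERIC_EVENT")
    return udm
```

Feeding a record with no user, service principal or IP yields GENERIC_EVENT, and one with an IP but no HTTP fields yields STATUS_UPDATE, which is a quick way to sanity-check why an event landed in an unexpected category.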

Changes

2024-05-27

  • Set "metadata.vendor_name" as "Microsoft" and "metadata.product_name" as "Microsoft Graph".

2024-03-01

  • Newly created parser.