Collect Microsoft Graph security API alert logs

This document describes how you can collect Microsoft Graph security API alert logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MICROSOFT_GRAPH_ALERT ingestion label.

Configure Microsoft Graph security API alerts

  1. Sign in to the Azure portal.
  2. Click Azure Active Directory.
  3. Click App Registrations.
  4. Click New registrations and create an application.
  5. Copy Client ID and Tenant ID, which are required when you configure the Google Security Operations feed.
  6. Click API permissions.
  7. Click Add a permission and then select Microsoft Graph in the new pane.
  8. Click Application Permissions.
  9. Expand the SecurityActions and SecurityEvents sections, and select Read.All permissions.
  10. Click Add permissions.
  11. Click Grant Admin consent for Default Directory.
  12. In the Manage menu, click Certificates & secrets.
  13. Click New Client secret, and create a new key.
  14. Copy the secret key from the Value field. The secret key is displayed only at the time of creation and is required when you configure the Google Security Operations feed.

Configure a Google Security Operations feed to ingest Microsoft Graph Security API alert logs

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add New.
  3. Select Third party API as the Source Type.
  4. To create a feed for Microsoft Graph security API alerts, select Microsoft Graph API Alerts as the Log Type.
  5. Click Next.
  6. Configure the following input parameters:
    • OAuth Client ID: specify the client ID that you obtained previously.
    • OAuth Client Secret: specify the client secret that you obtained previously.
    • TenantId: specify the tenant ID that you obtained previously.
    • API Full Path: specify the following path: graph.microsoft.com/v1.0/security/alerts.
    • API Authentication Endpoint: specify the following endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/token
  7. Click Next and then click Submit.
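The following script is an added example, not part of this document or of the Google Security Operations product, that exercises the same credentials and endpoints the two procedures above produce: it requests a token from the tenant's token endpoint with the client-credentials grant and reads a page of alerts from graph.microsoft.com/v1.0/security/alerts, so you can confirm the app registration, the Read.All permission and admin consent work before the feed is created. The environment variable names and the `max_pages` limit are assumptions; the v1 token endpoint listed in the feed parameters takes a `resource` parameter rather than `scope`.

```python
"""Pre-flight check for a Microsoft Graph security alerts feed (added example).

Assumes an app registration that holds the SecurityEvents Read.All application
permission with admin consent, plus the tenant ID, client ID and client secret
collected in the Azure steps. Credentials are read from the environment, never
hard-coded.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Endpoints exactly as given in the feed input parameters.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials form body for the v1 token endpoint ('resource', not 'scope')."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://graph.microsoft.com",
    }).encode()
    return TOKEN_URL.format(tenant_id=tenant_id), body


def parse_alert_page(raw_json):
    """Return ([(id, severity, title), ...], next page URL or None) for one Graph response."""
    data = json.loads(raw_json)
    alerts = [(a.get("id"), a.get("severity"), a.get("title")) for a in data.get("value", [])]
    return alerts, data.get("@odata.nextLink")


def fetch_alerts(tenant_id, client_id, client_secret, max_pages=5):
    """Obtain a token, then walk the alerts collection by following @odata.nextLink."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            token = json.loads(resp.read())["access_token"]
        alerts, next_url = [], ALERTS_URL
        while next_url and max_pages > 0:
            req = urllib.request.Request(next_url, headers={"Authorization": "Bearer " + token})
            with urllib.request.urlopen(req) as resp:
                page, next_url = parse_alert_page(resp.read())
            alerts.extend(page)
            max_pages -= 1
        return alerts
    except urllib.error.HTTPError as err:  # 401/403 here usually means consent or permission is missing
        raise SystemExit(f"Graph request failed: HTTP {err.code} for {err.url}") from err


if __name__ == "__main__":  # assumed variable names; set them in the shell before running
    found = fetch_alerts(os.environ["GRAPH_TENANT_ID"], os.environ["GRAPH_CLIENT_ID"],
                         os.environ["GRAPH_CLIENT_SECRET"])
    print(f"{len(found)} alert(s) readable with this registration")
```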

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

What's next