Microsoft Graph



💡Before you start

To complete these steps you’ll need an Azure admin user.

Overview

The Microsoft Graph API provides a single endpoint to access data and interact with Microsoft 365 services like Azure Active Directory, Teams, Outlook, and OneDrive. It uses RESTful calls to manage resources such as users, groups, messages, and files. The API simplifies integration with Microsoft services, enabling developers to build applications that work across the Microsoft ecosystem.

Supported data types

Activity Logs

Table name: microsoft_graph_activity_logs

Microsoft Graph Activity Logs provide a centralized, programmatic means to access activity data across Microsoft 365 services, including Azure Active Directory, Microsoft Teams, SharePoint, and other key applications. By leveraging the Microsoft Graph API, organizations can integrate these logs into their security and monitoring systems, enabling comprehensive insights into system activities and user interactions.

By integrating Microsoft Graph Activity Logs, organizations can gain deeper visibility into their Microsoft 365 environments, enhancing security incident detection, streamlining compliance reporting, and ensuring a comprehensive view of activity across services.

Send data to Hunters

Hunters supports the ingestion of Microsoft Graph Activity logs via an Event Hub or via an intermediary AWS S3 bucket.

Event Hub connection

STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to create an Azure Event Hub.

Follow this guide to complete the setup.

STEP 2: Route logs to the Event Hub

  1. From the Azure portal home screen, open the side menu and click Monitor.

  2. Now click Activity log.

  3. Click Export Activity Logs.
    The Diagnostic Settings page opens.

  4. Click Add Diagnostic setting.

  5. Under Logs, check all of the boxes.

  6. Under Destination details, check the Stream to an Event Hub option.

  7. Fill in the requested details and give the diagnostic setting a name.


  8. Click Save.

STEP 3: Set up the connection on Hunters

💡Before you start

To complete this process you will need the information gathered when following this guide.

To connect logs to Hunters:

  1. Open the Hunters platform and navigate to Data > Data Sources.

  2. Click ADD DATA SOURCES.

  3. Locate the Microsoft panel and click Connect.
    The Add Data Flows window opens.

  4. Fill in the required Azure application details, as gathered here under STEP 2.

  5. Under the Data Types section, activate the data types you want to connect.

  6. For each activated data type, fill in the required information, as gathered here:

    1. Under STEP 1 - Subscription ID

    2. Under STEP 3 - Resource group name and Event Hub namespace

    3. Under STEP 4 - Event Hub name

  7. OPTIONAL: In the Consumer group field, specify an Azure Event Hub consumer group, or leave the field empty to use the default consumer group.

  8. Click Test Connection to make sure everything was set up correctly.

  9. Once the connection is established, click Submit.

AWS S3 connection

STEP 1: Route logs to Azure Blob Storage

Before setting up the connection on the Hunters platform, you'll need to make sure your Azure logs are routed to an Azure Storage account and from there to an AWS S3 bucket.

💡Note

You’ll need to create an Azure Storage Account before starting this process.

Follow this guide to configure Azure to receive Microsoft Graph activity logs. This process consists of the following steps:

  1. Create an Azure Storage account

  2. Route your logs to the storage account using diagnostic settings

⚠️Attention

When setting up diagnostic settings, under Destination details, select Archive to a storage account, and provide the details of your Azure Storage account.

STEP 2: Route logs from Azure Blob Storage to AWS S3

Use AWS DataSync, or any other tool at your disposal, to route logs from your Azure Blob storage to an AWS S3 bucket.

STEP 3: Finalize the connection on Hunters

Once the export is complete and the logs are collected in S3, follow the steps in this section.

Log samples

Logs are expected in JSON format.

{
  "time": "2024-11-05T02:00:49.4487014Z",
  "resourceId": "/TENANTS/asd-as-das-dasdasdasd/PROVIDERS/MICROSOFT.AADIAM",
  "operationName": "Microsoft Graph Activity",
  "operationVersion": "beta",
  "category": "MicrosoftGraphActivityLogs",
  "resultSignature": "200",
  "durationMs": "531549",
  "callerIpAddress": "1.2.3.4",
  "correlationId": "12412412-412412gaweg2354-23g523-g523g",
  "level": "Informational",
  "location": "East US",
  "properties": {
    "__UDI_RequiredFields_TenantId": "asd-as-das-dasdasdasd",
    "__UDI_RequiredFields_UniqueId": "123123-123123-12312312-231",
    "__UDI_RequiredFields_EventTime": 638663688490000000,
    "__UDI_RequiredFields_RegionScope": "NA",
    "timeGenerated": "2024-11-05T02:00:49.4487014Z",
    "location": "East US",
    "requestId": "12412412-412412gaweg2354-23g523-g523g",
    "operationId": "12412412-412412gaweg2354-23g523-g523g",
    "clientRequestId": "12412412-412412gaweg2354-23g523-g523g",
    "apiVersion": "beta",
    "requestMethod": "GET",
    "responseStatusCode": 200,
    "tenantId": "asd-as-das-dasdasdasd",
    "durationMs": 531549,
    "responseSizeBytes": 3059,
    "signInActivityId": "8bs8tv1gYU-d3tXQjaw_AA",
    "roles": "roles",
    "appId": "g124g124g12-412g412g412h3456h-54j6745j7-45j7",
    "UserPrincipalObjectID": "f3g24g5-23h5h3476h45-jdre7j5-7j4",
    "scopes": "",
    "identityProvider": "https://sts.windows.net/asd-as-das-dasdasdasd/",
    "clientAuthMethod": "2",
    "wids": "12412g-1234h456j45j7-45j745j745",
    "C_Idtyp": "app",
    "C_Iat": "1730689475",
    "ipAddress": "1.2.3.4",
    "userAgent": "",
    "requestUri": "https://graph.microsoft.com/beta/users/kfr89348awjf90a28fgjw34fg",
    "atContentP": "",
    "atContentH": "",
    "servicePrincipalId": "f3g24g5-23h5h3476h45-jdre7j5-7j4",
    "tokenIssuedAt": "2024-11-04T03:04:35.0000000Z"
  },
  "tenantId": "asd-as-das-dasdasdasd"
}
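The record above is a single activity log entry. As an added example (not part of this page or of the Hunters connector), the Python below parses records of that shape, flattens the fields a detection needs (identity, auth method, request path, status, source IP), and runs a sliding-window check for an application identity that bulk-reads directory objects such as /users and /groups. The sample records, tenant and app identifiers, IP addresses, the threshold and the `clientAuthMethod` label mapping are all constructed or assumed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Labels for clientAuthMethod as understood from the Graph activity log schema
# (assumption; confirm against Microsoft's schema reference before relying on it).
AUTH_METHODS = {"0": "public client", "1": "client secret", "2": "client certificate"}

# Top-level Graph resources whose repeated bulk reads look like directory enumeration.
DIRECTORY_RESOURCES = {"/users", "/groups", "/servicePrincipals", "/applications"}


def parse_time(ts: str) -> datetime:
    """Parse Azure timestamps such as 2024-11-05T02:00:49.4487014Z.

    Azure emits seven fractional digits; Python keeps microseconds, so the
    fraction is truncated to six digits before parsing.
    """
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def normalize(record: dict) -> dict:
    """Flatten one MicrosoftGraphActivityLogs record into the fields a detection needs."""
    p = record["properties"]
    # Keep only the path: the query string may carry $filter/$select values.
    parts = urlparse(p.get("requestUri", "")).path.strip("/").split("/")
    return {
        "time": parse_time(p["timeGenerated"]),
        "tenant_id": record.get("tenantId"),
        "app_id": p.get("appId"),
        "service_principal_id": p.get("servicePrincipalId"),
        "user_object_id": p.get("UserPrincipalObjectID"),
        "identity_type": p.get("C_Idtyp"),                 # "app" or "user"
        "client_auth_method": AUTH_METHODS.get(str(p.get("clientAuthMethod")), "unknown"),
        "method": p.get("requestMethod"),
        "api_version": parts[0] if parts and parts[0] else "",   # "beta" or "v1.0"
        "resource": "/" + parts[1] if len(parts) > 1 else "",    # e.g. "/users"
        "status": int(p.get("responseStatusCode", 0)),
        "response_bytes": int(p.get("responseSizeBytes", 0)),
        "ip": p.get("ipAddress") or record.get("callerIpAddress"),
    }


def load_events(jsonl: str) -> list:
    """Parse newline-delimited JSON, one activity log record per line."""
    return [normalize(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


def detect_directory_enumeration(events, threshold=4, window=timedelta(minutes=5)):
    """Flag each (tenant, app, source IP) whose successful GET reads of directory
    resources reach `threshold` inside some sliding interval of length `window`."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["method"] == "GET" and e["status"] == 200 and e["resource"] in DIRECTORY_RESOURCES:
            buckets[(e["tenant_id"], e["app_id"], e["ip"])].append(e["time"])
    findings = []
    for (tenant, app, ip), times in buckets.items():
        start, best, best_end = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best >= threshold:
            findings.append({"tenant_id": tenant, "app_id": app, "ip": ip,
                             "count": best, "window_end": best_end})
    return findings


def _record(ts, uri, app_id, idtyp="app", ip="203.0.113.10", auth="2"):
    """Build a constructed record in the shape shown on this page (placeholder values)."""
    return {
        "time": ts, "operationName": "Microsoft Graph Activity",
        "category": "MicrosoftGraphActivityLogs", "callerIpAddress": ip,
        "tenantId": "TENANT-ID-PLACEHOLDER",
        "properties": {
            "timeGenerated": ts, "requestMethod": "GET", "responseStatusCode": 200,
            "responseSizeBytes": 3059, "appId": app_id, "servicePrincipalId": app_id + "-sp",
            "UserPrincipalObjectID": "", "C_Idtyp": idtyp, "clientAuthMethod": auth,
            "ipAddress": ip, "requestUri": uri,
        },
    }


# Constructed sample: one app pages through /users and /groups five times in a
# minute, plus one ordinary user-context request to /me.
G = "https://graph.microsoft.com"
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    _record("2024-11-05T02:00:49.4487014Z", G + "/beta/users?$top=999", "app-enum-PLACEHOLDER"),
    _record("2024-11-05T02:01:02.1000000Z", G + "/beta/users?$skiptoken=a", "app-enum-PLACEHOLDER"),
    _record("2024-11-05T02:01:15.0000000Z", G + "/beta/users?$skiptoken=b", "app-enum-PLACEHOLDER"),
    _record("2024-11-05T02:01:30.0000000Z", G + "/beta/groups", "app-enum-PLACEHOLDER"),
    _record("2024-11-05T02:01:44.0000000Z", G + "/beta/users?$skiptoken=c", "app-enum-PLACEHOLDER"),
    _record("2024-11-05T02:03:00.0000000Z", G + "/v1.0/me", "app-mail-PLACEHOLDER",
            idtyp="user", ip="198.51.100.7", auth="0"),
])

if __name__ == "__main__":
    for f in detect_directory_enumeration(load_events(SAMPLE_LOGS)):
        print(f"{f['app_id']} from {f['ip']}: {f['count']} directory reads by {f['window_end']:%H:%M:%S}")
```

The threshold and window here are deliberately low so the constructed sample trips the rule; in a real tenant, baseline per app first, since sync and backup integrations legitimately page through /users. The `api_version` field is worth keeping, because the page's own sample shows a request to the beta endpoint, and which apps use beta versus v1.0 is a useful inventory signal on its own.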