CWN 14 - 2023 Week #40
Microsoft recently announced the public preview of Microsoft Graph activity logs! This finally gives every tenant visibility into the HTTP requests made to the Microsoft Graph API. The feature is already being enabled, and the public preview is expected to be fully rolled out by 27 October.
Why Are These Logs Important?
They capture detailed information on every request that users, applications and other identities make to tenant resources through the Graph API, including:
- Which identity made the call: the user and/or application, plus the delegated scopes or application roles carried in the token. (Token issuance itself is still recorded in the sign-in logs; the two log sources can be correlated.)
- Read, write, and delete operations.
- Changes to users, groups, apps, policies, and more.
With the logs, you can:
- Investigate a compromised account by reviewing what it did through Graph after the compromise, for example establishing persistence by registering a new third-party app or adding a credential to an existing one.
- Identify misconfigurations and over-privileged apps or users.
- Build near-real-time detections for high-volume API calls, bursts of failed requests, and more.
Example Queries
Microsoft provides example KQL queries for Log Analytics, such as:
- Summarize apps and users that changed or deleted groups in the past day
- View recent requests that failed authorization (HTTP 401/403)
- Get the top 20 app instances by request count
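The same three checks, plus the persistence scenario from the "Investigate a compromised account" bullet, as detection logic you can run offline. This is an added example for this newsletter item, not Microsoft's code or the queries linked in its documentation. The record shape follows the documented MicrosoftGraphActivityLogs column names (TimeGenerated, RequestMethod, RequestUri, ResponseStatusCode, UserId, AppId); every row, user id and app id below is constructed, and the persistence check (POSTs to /applications, /servicePrincipals, addPassword or addKey) is my own generalisation rather than one of Microsoft's examples.

```python
"""Detection logic over Microsoft Graph activity log records.

Added example; not Microsoft's code. The record shape follows the documented
MicrosoftGraphActivityLogs columns (TimeGenerated, RequestMethod, RequestUri,
ResponseStatusCode, UserId, AppId). All rows are constructed and the user/app
ids are placeholders rather than real GUIDs.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed data set and the results are deterministic.
NOW = datetime(2023, 10, 5, 12, 0, tzinfo=timezone.utc)
GRAPH = "https://graph.microsoft.com/v1.0"
MUTATING = {"PUT", "PATCH", "DELETE"}
# POST targets that create an app/service principal or attach a credential to one.
PERSISTENCE_PATH = re.compile(
    r"/(applications|servicePrincipals)(/[^/]+/(addPassword|addKey))?$")


def make_record(minutes_ago, method, path, status, user_id, app_id):
    """One row shaped like a MicrosoftGraphActivityLogs record (subset of columns)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RequestMethod": method,
        "RequestUri": f"{GRAPH}{path}",
        "ResponseStatusCode": status,
        "UserId": user_id,  # empty string for app-only (client credential) calls
        "AppId": app_id,
    }


# Constructed sample: normal traffic, a group clean-up, an app registration plus
# a new client secret, a noisy app being denied, and a bulk user enumerator.
SAMPLE_LOGS = [
    make_record(5, "GET", "/me", 200, "user-a", "app-mail"),
    make_record(30, "PATCH", "/groups/grp-1", 204, "user-a", "app-portal"),
    make_record(60, "DELETE", "/groups/grp-2", 204, "user-b", "app-portal"),
    make_record(90, "POST", "/applications", 201, "user-b", "app-portal"),
    make_record(92, "POST", "/applications/obj-9/addPassword", 200, "user-b", "app-portal"),
    make_record(120, "GET", "/users", 403, "", "app-scanner"),
    make_record(121, "GET", "/directoryRoles", 401, "", "app-scanner"),
    make_record(2000, "DELETE", "/groups/grp-3", 204, "user-c", "app-portal"),  # > 1 day old
] + [make_record(200 + i, "GET", f"/users/user-{i}", 200, "", "app-bulk") for i in range(50)]


def within(records, window):
    """Rows newer than NOW - window (the KQL `where TimeGenerated > ago(...)` filter)."""
    cutoff = NOW - window
    return [r for r in records if r["TimeGenerated"] > cutoff]


def group_changes(records, window=timedelta(days=1)):
    """(AppId, UserId) pairs that changed or deleted groups, with counts."""
    return Counter(
        (r["AppId"], r["UserId"])
        for r in within(records, window)
        if "/groups/" in r["RequestUri"] and r["RequestMethod"] in MUTATING)


def authz_failures(records, window=timedelta(days=1)):
    """Requests rejected with 401/403: wrong scopes, revoked consent, or probing."""
    return [
        (r["AppId"], r["UserId"], r["ResponseStatusCode"], r["RequestMethod"], r["RequestUri"])
        for r in within(records, window) if r["ResponseStatusCode"] in (401, 403)]


def top_apps(records, n=20, window=timedelta(days=3)):
    """Busiest app instances by request count, as a volume baseline."""
    return Counter(r["AppId"] for r in within(records, window)).most_common(n)


def app_persistence(records, window=timedelta(days=1)):
    """Successful POSTs that register an app/SP or add a credential to one."""
    return [
        (r["UserId"], r["AppId"], r["RequestUri"])
        for r in within(records, window)
        if r["RequestMethod"] == "POST"
        and 200 <= r["ResponseStatusCode"] < 300
        # drop any query string so the $-anchored path regex still applies
        and PERSISTENCE_PATH.search(r["RequestUri"].split("?")[0])]


if __name__ == "__main__":
    print("group changes:", dict(group_changes(SAMPLE_LOGS)))
    print("authz failures:", authz_failures(SAMPLE_LOGS))
    print("top apps:", top_apps(SAMPLE_LOGS, n=3))
    print("persistence:", app_persistence(SAMPLE_LOGS))
```

In production the same functions would consume the JSON records arriving from an Event Hubs stream instead of `SAMPLE_LOGS`; the point of the persistence check is that a single successful `POST .../addPassword` by a user who normally only reads mail is worth an alert on its own, which a count-based query would miss.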
How to Access the Logs
Admins enable collection through the Diagnostic settings of the Microsoft Entra ID tenant (Azure portal or Entra admin center) by selecting the MicrosoftGraphActivityLogs category. The logs can be streamed to:
- Azure Monitor Logs - For querying, alerting, and analysis in Log Analytics.
- Azure Storage - For archival and manual inspection.
- Azure Event Hubs - To integrate with SIEMs and security tools.
Each record carries about 30 fields, including the timestamp, user ID, app ID, HTTP method, request URI, response status code, the scopes or roles in the token, client IP address and user agent.
See the full documentation for details.
Overall, this public preview finally gives everyone visibility into Graph API activity. Hopefully these logs will help us spot attackers lurking in our tenants sooner.