Collect Microsoft Graph activity logs
Overview
This parser extracts fields from Microsoft Graph activity logs, transforming them into the Unified Data Model (UDM). It initializes UDM fields, parses the payload, extracts timestamps, maps various properties to UDM fields, handles IP addresses and ports, and categorizes the event type based on the presence of principal and network information.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance.
- Privileged access to Microsoft Entra ID and Azure storage accounts.
Configure Azure storage account
- In the Azure console, search for storage accounts.
- Click Create.
- Specify values for the following input parameters:
- Subscription: select the subscription.
- Resource Group: select the resource group.
- Region: select the region.
- Performance: select the performance level that you want (standard is recommended).
- Redundancy: select the redundancy level that you want (GRS or LRS is recommended).
- Storage account name: enter a name for the new storage account.
- Click Review + create.
- Review the overview of the account and click Create.
- From the Storage Account Overview page, select the Access keys submenu under Security + networking.
- Click Show next to key1 or key2.
- Click Copy to clipboard to copy the key.
- Save the key in a secure location for future reference.
- From the Storage Account Overview page, select the Endpoints submenu under Settings.
- Click Copy to clipboard to copy the Blob service endpoint URL (for example, https://<storageaccountname>.blob.core.windows.net).
- Save the endpoint URL in a secure location for future reference.
Configure Microsoft Graph activity logs export to storage account
- In the Azure console, search for Entra ID.
- Select Monitoring > Diagnostic settings.
- Click + Add diagnostic setting.
- Give the setting a unique name (for example, ms-graph-activity).
- Select the MicrosoftGraphActivityLog category that you want to export to Google SecOps.
- Under Destination details, select Archive to a storage account.
- Select your subscription and the storage account you created in the previous step.
- Click Save.
How to set up the Microsoft Graph Activity logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed; for example, Microsoft Graph Activity Logs.
- Select Microsoft Azure Blob Storage V2 as the Source type.
- Select Microsoft Graph Activity Logs as the Log type.
- Click Next.
- Specify values for the following input parameters:
  - Azure uri: the blob endpoint URL, in the form ENDPOINT_URL/BLOB_NAME. Replace the following:
    - ENDPOINT_URL: the blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
    - BLOB_NAME: the name of the blob (for example, insights-logs-)
  - Source deletion options: select the deletion option according to your preference.
  - Maximum File Age: files modified in the last number of days. Default is 180 days.
  - Shared key: the access key to the Azure Blob Storage.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| callerIpAddress | principal.asset.ip | The raw log field callerIpAddress is copied to the UDM field. |
| callerIpAddress | principal.ip | The raw log field callerIpAddress is copied to the UDM field. |
| category | security_result.category_details | The raw log field category is copied to the UDM field. |
| correlationId | security_result.detection_fields.value | The raw log field correlationId is copied to the UDM field, where key is correlationId. |
| Level | security_result.detection_fields.value | The raw log field Level is converted to string and copied to the UDM field, where key is Level. |
| operationName | metadata.product_event_type | The raw log field operationName is copied to the UDM field. |
| operationVersion | additional.fields.value.string_value | The raw log field operationVersion is copied to the UDM field, where key is operationVersion. |
| properties.apiVersion | metadata.product_version | The raw log field properties.apiVersion is copied to the UDM field. |
| properties.appId | target.resource.product_object_id | The raw log field properties.appId is copied to the UDM field. |
| properties.atContent | additional.fields.value.string_value | The raw log field properties.atContent is copied to the UDM field, where key is atContent. |
| properties.clientAuthMethod | extensions.auth.auth_details | Based on the value of properties.clientAuthMethod, the UDM field is set to "Public Client" (0), "Client ID/Client Secret" (1), or "Client Certificate" (2). |
| properties.clientRequestId | additional.fields.value.string_value | The raw log field properties.clientRequestId is copied to the UDM field, where key is clientRequestId. |
| properties.durationMs | network.session_duration.seconds | The raw log field properties.durationMs is converted from milliseconds to seconds and copied to the UDM field. |
| properties.identityProvider | security_result.detection_fields.value | The raw log field properties.identityProvider is copied to the UDM field, where key is identityProvider. |
| properties.ipAddress | principal.asset.ip | The IP address from the raw log field properties.ipAddress is extracted and copied to the UDM field. |
| properties.ipAddress | principal.ip | The IP address from the raw log field properties.ipAddress is extracted and copied to the UDM field. |
| properties.location | principal.location.name | The raw log field properties.location is copied to the UDM field. |
| properties.operationId | security_result.detection_fields.value | The raw log field properties.operationId is copied to the UDM field, where key is operationId. |
| properties.requestMethod | network.http.method | The raw log field properties.requestMethod is copied to the UDM field. |
| properties.requestId | metadata.product_log_id | The raw log field properties.requestId is copied to the UDM field. |
| properties.responseSizeBytes | network.received_bytes | The raw log field properties.responseSizeBytes is converted to an unsigned integer and copied to the UDM field. |
| properties.responseStatusCode | network.http.response_code | The raw log field properties.responseStatusCode is converted to an integer and copied to the UDM field. |
| properties.roles | additional.fields.value.string_value | The raw log field properties.roles is copied to the UDM field, where key is roles. |
| properties.scopes | additional.fields.value.string_value | The raw log field properties.scopes is copied to the UDM field, where key is Scopes. |
| properties.servicePrincipalId | principal.user.userid | The raw log field properties.servicePrincipalId is copied to the UDM field if properties.userId is empty. |
| properties.signInActivityId | network.session_id | The raw log field properties.signInActivityId is copied to the UDM field. |
| properties.tenantId | metadata.product_deployment_id | The raw log field properties.tenantId is copied to the UDM field. |
| properties.tokenIssuedAt | additional.fields.value.string_value | The raw log field properties.tokenIssuedAt is copied to the UDM field, where key is tokenIssuedAt. |
| properties.userAgent | network.http.user_agent | The raw log field properties.userAgent is copied to the UDM field. |
| properties.userId | principal.user.userid | The raw log field properties.userId is copied to the UDM field. |
| properties.wids | security_result.detection_fields.value | The raw log field properties.wids is copied to the UDM field, where key is wids. |
| resourceId | target.resource.attribute.labels.value | The raw log field resourceId is copied to the UDM field, where key is Resource ID. |
| resultSignature | additional.fields.value.string_value | The raw log field resultSignature is copied to the UDM field, where key is resultSignature. |
| time | metadata.event_timestamp | The raw log field time is parsed, converted to a timestamp, and copied to the UDM field. |
| | metadata.event_type | The UDM field event.idm.read_only_udm.metadata.event_type is set to "NETWORK_HTTP" if has_principal is true and network.http is not empty, "STATUS_UPDATE" if has_principal is true and network.http is empty, or "GENERIC_EVENT" otherwise. |
| | | The UDM field is set to "Microsoft Graph". The UDM field is set to "Microsoft". |
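As an added illustration of the rules in the mapping table (this is example code, not the Google SecOps parser itself), the following Python function applies the IP extraction, the clientAuthMethod codes, the servicePrincipalId fallback, the unit conversions and the event_type decision to a constructed sample record. The names split_ip_port, to_udm and SAMPLE_RECORD are this example's own; that properties.ipAddress may arrive as ip:port, that durationMs is truncated to whole seconds, and that has_principal is true whenever any principal field was populated are assumptions.

```python
import json
from datetime import datetime, timezone

AUTH_METHOD = {0: "Public Client", 1: "Client ID/Client Secret", 2: "Client Certificate"}

SAMPLE_RECORD = json.dumps({  # constructed sample record, not from a real tenant
    "time": "2024-05-01T12:34:56.789Z", "callerIpAddress": "203.0.113.10",
    "properties": {"requestMethod": "GET", "responseStatusCode": "200", "responseSizeBytes": "1536",
                   "durationMs": "2500", "clientAuthMethod": 1, "userId": "",
                   "servicePrincipalId": "sp-constructed-0001", "ipAddress": "203.0.113.10:52144",
                   "userAgent": "Graph-Client/1.0"}})

def split_ip_port(value: str) -> str:
    # Assumption: properties.ipAddress may arrive as "ip:port"; bare IPv6 (several colons) is left alone.
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value

def to_udm(raw) -> dict:
    # Accepts a JSON string or an already-decoded dict and returns a nested UDM-style dict.
    rec = json.loads(raw) if isinstance(raw, str) else raw
    p = rec.get("properties") or {}
    udm = {"metadata": {}, "principal": {}, "network": {}, "extensions": {}}
    if "time" in rec:  # time -> metadata.event_timestamp
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        udm["metadata"]["event_timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    # callerIpAddress and the IP part of properties.ipAddress both feed principal.ip
    ips = {ip for ip in (rec.get("callerIpAddress", ""), split_ip_port(p.get("ipAddress", ""))) if ip}
    if ips:
        udm["principal"]["ip"] = sorted(ips)
    userid = p.get("userId") or p.get("servicePrincipalId")  # servicePrincipalId only if userId is empty
    if userid:
        udm["principal"]["user"] = {"userid": userid}
    if "clientAuthMethod" in p:
        udm["extensions"]["auth"] = {"auth_details": AUTH_METHOD.get(int(p["clientAuthMethod"]), "")}
    if "durationMs" in p:  # milliseconds -> whole seconds (truncation is an assumption)
        udm["network"]["session_duration"] = {"seconds": int(p["durationMs"]) // 1000}
    if "responseSizeBytes" in p:  # unsigned integer: reject negatives rather than silently mapping them
        size = int(p["responseSizeBytes"])
        if size < 0: raise ValueError("responseSizeBytes must be unsigned")
        udm["network"]["received_bytes"] = size
    http = {k: v for k, v in (("method", p.get("requestMethod")), ("user_agent", p.get("userAgent"))) if v}
    if "responseStatusCode" in p:
        http["response_code"] = int(p["responseStatusCode"])
    if http:
        udm["network"]["http"] = http
    # Event type rule from the table; has_principal is assumed true when any principal field was set.
    has_principal = bool(udm["principal"])
    udm["metadata"]["event_type"] = ("NETWORK_HTTP" if has_principal and http
                                     else "STATUS_UPDATE" if has_principal else "GENERIC_EVENT")
    return udm
```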