[Meta] Explore Microsoft Graph Activity Logs for Detections #3645

Open
6 tasks
terrancedejesus opened this issue May 4, 2024 · 0 comments
Parent Epic (If Applicable)

Meta Summary

Adversaries continue to leverage Microsoft Graph for command and control operations for malicious binaries. However, it is also a target for adversaries as it serves a RESTful API for access to Azure resources such as Entra ID. For this meta, we will set up the integration, ingest activity logs, emulate adversary TTPs and determine plausible detections.

  • Note: We may also want to think about Entity Analytics and CSPM and how these may help with asset visibility.

Microsoft Graph Activity Logs provide an audit trail of all HTTP requests that the Microsoft Graph service has received and processed for a tenant. Microsoft Graph Activity Logs give full visibility into all transactions made by applications and other API clients that you have consented to in the tenant. Refer to Microsoft Graph Activity Common Usecases for more use cases.

Tenant administrators can configure the collection and storage destinations of Microsoft Graph Activity Logs through Diagnostic Settings in the Entra Portal. This integration uses the Azure Event Hubs destination to stream Microsoft Graph Activity Logs to Elastic.

Estimated Time to Complete

4 weeks (2 weeks for lab setup and exploration, 2 weeks for detections)

Tasklist

This tasklist will grow as we explore, emulate and test.

Meta Tasks

Resources / References

We should also sync with https://github.com/elastic/infosec/issues/15196 on findings.
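As an added example of the kind of detection this meta is after (not code from this issue, from the Elastic detection-rules project, or from the Graph integration), the block below parses an Event Hubs style batch of Microsoft Graph activity log records and flags a client that, within one sliding window, either touches many distinct endpoints or is repeatedly denied. The record shape is assumed: a JSON object with a `records` array whose entries carry camelCase fields such as `time`, `requestUri`, `requestMethod`, `responseStatusCode`, `appId`, `userId`, `servicePrincipalId` and `ipAddress`; the appIds, principal ids and request lines in `SAMPLE_PAYLOAD` are constructed, and the thresholds are illustrative rather than tuned.

```python
"""Sliding-window detections over Microsoft Graph activity log records.

Added example; record field names are assumed to match the Azure Monitor
export that Event Hubs streams, and all sample data is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
HOST_RE = re.compile(r"^https?://[^/]+")


def normalize_path(request_uri):
    """Drop scheme, host and query string, and replace GUID segments with {id},
    so /users/<guid>/memberOf and /users/<other>/memberOf count as one endpoint."""
    path = request_uri.split("?", 1)[0]
    path = HOST_RE.sub("", path)
    return GUID_RE.sub("{id}", path)


def parse_records(payload_text):
    """Parse a {"records": [...]} payload into time-sorted, normalized events."""
    payload = json.loads(payload_text)
    events = []
    for rec in payload.get("records", []):
        events.append({
            "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            "app_id": rec.get("appId"),
            # Delegated calls carry userId; app-only calls carry servicePrincipalId.
            "principal": rec.get("userId") or rec.get("servicePrincipalId") or "unknown",
            "method": rec.get("requestMethod"),
            "path": normalize_path(rec.get("requestUri", "")),
            "status": int(rec.get("responseStatusCode", 0)),
            "ip": rec.get("ipAddress"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect(events, window=timedelta(minutes=10), min_distinct_paths=5, min_denied=3):
    """One finding per (appId, principal) pair, emitted at the first window in
    which the pair hits many distinct endpoints or collects repeated 401/403s."""
    findings = []
    by_client = defaultdict(list)
    for ev in events:
        by_client[(ev["app_id"], ev["principal"])].append(ev)

    for (app_id, principal), evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward past stale events
            win = evs[start:end + 1]
            paths = sorted({e["path"] for e in win})
            denied = sum(1 for e in win if e["status"] in (401, 403))
            reasons = []
            if len(paths) >= min_distinct_paths:
                reasons.append("endpoint_spread")
            if denied >= min_denied:
                reasons.append("authorization_denied")
            if reasons:
                findings.append({
                    "app_id": app_id, "principal": principal, "reasons": reasons,
                    "distinct_paths": len(paths), "denied": denied, "paths": paths,
                    "first_seen": win[0]["time"].isoformat(),
                    "last_seen": win[-1]["time"].isoformat(),
                })
                break
    return findings


# ---- constructed sample batch: one quiet mail client, one app-only client
# ---- sweeping the directory, one user repeatedly denied on a single endpoint
def _rec(t, app, uri, status, user=None, sp=None):
    return {"time": t, "appId": app, "userId": user, "servicePrincipalId": sp,
            "requestMethod": "GET", "requestUri": uri, "responseStatusCode": status,
            "ipAddress": "203.0.113.10"}

G = "https://graph.microsoft.com/v1.0"
APP_MAIL = "11111111-1111-1111-1111-111111111111"  # constructed appIds
APP_SCAN = "22222222-2222-2222-2222-222222222222"
APP_USER = "33333333-3333-3333-3333-333333333333"
USER_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # constructed principal ids
SP_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
USER_C = "cccccccc-cccc-cccc-cccc-cccccccccccc"

SAMPLE_PAYLOAD = json.dumps({"records": [
    _rec("2024-05-04T10:00:00Z", APP_MAIL, G + "/me/messages?$top=10", 200, user=USER_A),
    _rec("2024-05-04T10:01:00Z", APP_MAIL, G + "/me/calendar/events/dddddddd-dddd-dddd-dddd-dddddddddddd", 200, user=USER_A),
    _rec("2024-05-04T10:02:00Z", APP_MAIL, G + "/me", 200, user=USER_A),
    _rec("2024-05-04T10:05:00Z", APP_SCAN, G + "/users", 200, sp=SP_B),
    _rec("2024-05-04T10:05:30Z", APP_SCAN, G + "/groups", 200, sp=SP_B),
    _rec("2024-05-04T10:06:00Z", APP_SCAN, G + "/applications", 403, sp=SP_B),
    _rec("2024-05-04T10:06:30Z", APP_SCAN, G + "/servicePrincipals", 403, sp=SP_B),
    _rec("2024-05-04T10:07:00Z", APP_SCAN, G + "/roleManagement/directory/roleAssignments", 403, sp=SP_B),
    _rec("2024-05-04T10:07:30Z", APP_SCAN, G + "/users/eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee/memberOf", 200, sp=SP_B),
    _rec("2024-05-04T10:20:00Z", APP_USER, G + "/applications", 403, user=USER_C),
    _rec("2024-05-04T10:21:00Z", APP_USER, G + "/applications", 403, user=USER_C),
    _rec("2024-05-04T10:22:00Z", APP_USER, G + "/applications", 403, user=USER_C),
]})

if __name__ == "__main__":
    for finding in detect(parse_records(SAMPLE_PAYLOAD)):
        print(json.dumps(finding, indent=2))
```

Keying on the (appId, principal) pair matters because a delegated token and an app-only token from the same registered application behave differently, and the first-party mail client in the sample stays quiet while the app-only client trips both rules. Normalizing GUID segments keeps the endpoint count from inflating on ordinary per-object reads; in a tenant with a real baseline the window length and both thresholds would be set from observed per-app request patterns.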
