| Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
|---|---|---|---|---|---|
| Alerts | Represents potential security issues within a customer’s tenant that Microsoft or partner security solutions have identified. Refer to Microsoft documentation about Alert Resource Type for more information. | https://graph.microsoft.com/v1.0/security/alerts?$count=true&$filter=eventDateTime+ge+{start_time}+AND+vendorInformation/provider+eq+'{provider}'&$orderby=eventDateTime+asc&$top={items_per_vendor_request} | alerts | Starting from v1.2.0, the destination table depends on the tag_version configuration parameter: | v1.0.0 |
| Secure scores | Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. Refer to the Microsoft documentation for more information about Secure scores resources types. | https://graph.microsoft.com/v1.0/security/secureScores?$count=true&$filter=createdDateTime+ge+{start_time}+AND+vendorInformation/provider+eq+'{provider}'&$orderby=createdDateTime+asc,vendorInformation/provider+asc&$top={items_per_vendor_request} | secure_scores | Starting from v1.2.0, the destination table depends on the tag_version configuration parameter: | v1.0.0 |
| Secure score control profiles | Represents a tenant's secure score per control data. Refer to the Microsoft documentation for more information about Secure score control profiles. | https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$count=true | secure_score_control_profiles | Starting from v1.2.0, the destination table depends on the tag_version configuration parameter: | v1.0.0 |
| Directory audit | Represents the directory audit items and its collection. Refer to the Microsoft documentation for more information about Directory audit. | https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request} | audit | cloud.azure.ad.audit | v1.2.0 |
| Provisioning | Represents an action performed by the Azure AD Provisioning service and its associated properties. Refer to the Microsoft documentation for more information about Provisioning. | https://graph.microsoft.com/beta/auditLogs/provisioning?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request} | provisioning | cloud.azure.ad.audit | v1.2.0 |
| Sign-in | Details user and application sign-in activity for a tenant (directory). Refer to the Microsoft documentation for more information about Sign-in.<br>Note: These services return a huge volume of data. If the oldest available data is not especially relevant, it is recommended to set a close start time for the collector, to get the up-to-date state as soon as possible. | signIn : https://graph.microsoft.com/v1.0/auditLogs/signIns?$orderby=createdDateTime+asc&$top={items_per_main_request}<br>signIn_nonInteractive : https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'nonInteractiveUser')&$orderby=createdDateTime+asc&$top={items_per_main_request}<br>signIn_servicePrincipal : https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'servicePrincipal')&$orderby=createdDateTime+asc&$top={items_per_main_request}<br>signIn_managedIdentity : https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'managedIdentity')&$orderby=createdDateTime+asc&$top={items_per_main_request} | signIn<br>signIn_nonInteractive<br>signIn_servicePrincipal<br>signIn_managedIdentity | signIn : cloud.azure.ad.signin<br>signIn_nonInteractive : cloud.azure.ad.noninteractive_user_signin<br>signIn_servicePrincipal : cloud.azure.ad.service_principal_signin<br>signIn_managedIdentity : cloud.azure.ad.managed_identity_signin | v1.2.0 |
| Alerts_v2 | Standard alerts (not legacy alerts) | https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime%20ge%{start_time}&$orderby=createdDateTime+asc | alerts_v2 | cloud.msgraph.security.alerts_v2 | v1.7.0 |