
...

Data source: Alerts

Description: Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Refer to the Microsoft documentation about the Alert resource type for more information.

API endpoint: https://graph.microsoft.com/v1.0/security/alerts?$count=true&$filter=eventDateTime+ge+{start_time}+AND+vendorInformation/provider+eq+'{provider}'&$orderby=eventDateTime+asc&$top={items_per_vendor_request}

Collector service name: alerts

Devo table: Starting from v1.2.0, the destination table depends on the tag_version configuration parameter:

  • v1: (not shown)

  • v2: the destination is dynamic, depending on the provider:

    • IPC: cloud.azure.ad.alerts

    • MCAS: cloud.office365.cloud_apps.alerts

    • Microsoft Defender ATP: cloud.office365.endpoint.alerts

    • Office 365 Security and Compliance: cloud.office365.security.alerts

    • Azure Sentinel: cloud.azure.sentinel.alerts

    • ASC: cloud.office365.identity.alerts

    • Azure Advanced Threat Protection: cloud.azure.securitycenter.alerts

    • Any other provider falls back to v1's tagging.

Info: The detailed table destination depending on the tag_version's value is available in the Devo categorization and destination section.

Available from release: v1.0.0

Data source: Secure scores

Description: Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. Refer to the Microsoft documentation for more information about the secure score resource types.

API endpoint: https://graph.microsoft.com/v1.0/security/secureScores?$count=true&$filter=createdDateTime+ge+{start_time}+AND+vendorInformation/provider+eq+'{provider}'&$orderby=createdDateTime+asc,vendorInformation/provider+asc&$top={items_per_vendor_request}

Collector service name: secure_scores

Devo table: Starting from v1.2.0, the destination table depends on the tag_version configuration parameter:

  • v1: cloud.msgraph.security.secure_scores

  • v2: cloud.office365.security.scores

Info: The detailed table destination depending on the tag_version's value is available in the Devo categorization and destination section.

Available from release: v1.0.0

Data source: Secure score control profiles

Description: Represents a tenant's secure score per control data. Refer to the Microsoft documentation for more information about secure score control profiles.

API endpoint: https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$count=true

Collector service name: secure_score_control_profiles

Devo table: Starting from v1.2.0, the destination table depends on the tag_version configuration parameter:

  • v1: cloud.msgraph.security.secure_score_control_profiles

  • v2: cloud.office365.security.scorecontrol

Info: The detailed table destination depending on the tag_version's value is available in the Devo categorization and destination section.

Available from release: v1.0.0

Data source: Directory audit

Description: Represents the directory audit items and their collection. Refer to the Microsoft documentation for more information about Directory audit.

API endpoint: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request}

Collector service name: audit

Devo table: cloud.azure.ad.audit

Available from release: v1.2.0

Data source: Provisioning

Description: Represents an action performed by the Azure AD Provisioning service and its associated properties. Refer to the Microsoft documentation for more information about Provisioning.

API endpoint: https://graph.microsoft.com/beta/auditLogs/provisioning?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request}

Collector service name: provisioning

Devo table: cloud.azure.ad.audit

Available from release: v1.2.0

Data source: Sign-in

Description: Details user and application sign-in activity for a tenant (directory). Refer to the Microsoft documentation for more information about Sign-in.

Note: These services return a huge volume of data. If the oldest available data is not especially relevant, it is recommended to set a start time close to the present for the collector, so that it reaches the up-to-date state as soon as possible.

API endpoint:

  • signIn: https://graph.microsoft.com/v1.0/auditLogs/signIns?$orderby=createdDateTime+asc&$top={items_per_main_request}

  • signIn_nonInteractive: https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'nonInteractiveUser')&$orderby=createdDateTime+asc&$top={items_per_main_request}

  • signIn_servicePrincipal: https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'servicePrincipal')&$orderby=createdDateTime+asc&$top={items_per_main_request}

  • signIn_managedIdentity: https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(x:x eq 'managedIdentity')&$orderby=createdDateTime+asc&$top={items_per_main_request}

Collector service name:

  • signIn

  • signIn_nonInteractive

  • signIn_servicePrincipal

  • signIn_managedIdentity

Devo table:

  • signIn: cloud.azure.ad.signin

  • signIn_nonInteractive: cloud.azure.ad.noninteractive_user_signin

  • signIn_servicePrincipal: cloud.azure.ad.service_principal_signin

  • signIn_managedIdentity: cloud.azure.ad.managed_identity_signin

Available from release: v1.2.0

Data source: Alerts_v2

Description: Standard alerts (not legacy alerts).

API endpoint: https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime%20ge%20{start_time}&$orderby=createdDateTime+asc

Collector service name: alerts_v2

Devo table: cloud.msgraph.security.alerts_v2

Available from release: v1.7.0
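The endpoint templates above all follow the same pattern: an OData $filter anchored on a start time, an ascending $orderby, and a $top page size, with Graph returning an @odata.nextLink while more pages remain. The following is an added example (not the collector's own code) that fills the Alerts template, walks the pagination, and derives the checkpoint for the next polling cycle. The `fetch(url) -> dict` callable (an authenticated GET) is an assumption; `fake_fetch` and `SAMPLE_PAGES` are constructed stand-ins so the example runs offline.

```python
# Added example; not the collector's own code. It fills the Alerts endpoint template from
# the table above and walks Graph's @odata.nextLink pagination. The `fetch(url) -> dict`
# callable (an authenticated GET) is an assumption; `fake_fetch` below is a constructed
# stand-in so the example runs offline.
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
EXAMPLE_START = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed sample start_time


def graph_timestamp(ts: datetime) -> str:
    """Render start_time as the UTC literal Graph expects in $filter, e.g. 2024-05-01T00:00:00Z."""
    if ts.tzinfo is None:
        raise ValueError("start_time must be timezone-aware; Graph compares filters in UTC")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def alerts_url(start_time: datetime, provider: str, items_per_vendor_request: int) -> str:
    """Fill the Alerts endpoint template: filter by eventDateTime and provider, oldest first."""
    # The provider is an OData string literal: single quotes inside it are doubled and the
    # whole filter is percent-encoded, so an unusual provider name cannot break the query.
    literal = "'" + provider.replace("'", "''") + "'"
    flt = (f"eventDateTime ge {graph_timestamp(start_time)} "
           f"and vendorInformation/provider eq {literal}")
    return (f"{GRAPH}/security/alerts?$count=true&$filter={quote(flt, safe='/:')}"
            f"&$orderby=eventDateTime+asc&$top={int(items_per_vendor_request)}")


def iterate_pages(first_url: str, fetch, max_pages: int = 1000):
    """Yield every item across pages. Graph returns at most $top items per response and a
    complete @odata.nextLink (carrying a $skiptoken) while more remain; follow it verbatim
    instead of rebuilding the query. max_pages guards against a never-ending loop."""
    url, pages = first_url, 0
    while url:
        pages += 1
        if pages > max_pages:
            raise RuntimeError(f"stopped after {max_pages} pages; nextLink never ended")
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def latest_event_time(items, field="eventDateTime"):
    """Checkpoint for the next poll: the newest timestamp seen. The query is ordered
    ascending, but max() is safer than 'last item' if a page was only partly processed."""
    times = [item[field] for item in items if field in item]
    return max(times) if times else None


# Constructed sample responses standing in for Graph: two pages of alerts.
SAMPLE_PAGES = {
    "first": {
        "value": [{"id": "a1", "eventDateTime": "2024-05-01T01:00:00Z"},
                  {"id": "a2", "eventDateTime": "2024-05-01T02:00:00Z"}],
        "@odata.nextLink": f"{GRAPH}/security/alerts?$skiptoken=constructed-token",
    },
    "next": {"value": [{"id": "a3", "eventDateTime": "2024-05-01T03:00:00Z"}]},
}


def fake_fetch(url: str) -> dict:
    """Stand-in for the authenticated GET: the initial query yields page 1, the nextLink page 2."""
    return SAMPLE_PAGES["next"] if "$skiptoken" in url else SAMPLE_PAGES["first"]


def collect_alerts(start_time, provider, items_per_vendor_request, fetch=fake_fetch):
    """One polling cycle: all alerts since start_time plus the checkpoint for the next cycle."""
    items = list(iterate_pages(alerts_url(start_time, provider, items_per_vendor_request), fetch))
    return items, latest_event_time(items)


if __name__ == "__main__":
    alerts, checkpoint = collect_alerts(EXAMPLE_START, "IPC", 50)
    print(len(alerts), "alerts; next start_time:", checkpoint)
```

The same shape applies to the other sources: the Sign-in endpoints differ only in the filter expression, which is why the note about choosing a recent start time matters there, since every page between the start time and the present has to be fetched before the collector is current.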

Vendor setup


...

Note

You need admin-level permissions on the Azure portal, because the setup requires granting admin consent for the API permissions used for authentication and for reading the audit data.

Action 1: Register and configure the application

  1. Go to Azure portal and click on Azure Active Directory.

  2. Click on App registration on the left-menu side. Then click on + New registration.

  3. On the Register an application page:

    1. Name the application.

    2. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

    3. Leave Redirect URI (optional) at its default (blank).

    4. Click Register.

  4. The App registrations page will open. Click on your app to configure it and grant it permissions; its dashboard shows the app's details (documentation, endpoints, etc.).

  5. Click Authentication on the left-menu side, then choose + Add a platform and select Mobile and desktop applications.

  6. Select the three redirect URIs:

    • https://login.microsoftonline.com/common/oauth2/nativeclient

    • https://login.live.com/oauth20_desktop.srf

    • msale36f3a02-3eef-437b-874e-8a0aa29a2bf0://auth

  7. Click Configure.

Action 2: Grant the required permissions

  1. Go to API permissions on the left-menu side.

  2. Click + Add a permission if Microsoft Graph is not already in the API/Permissions list.

  3. Select Application permissions and search for Security. Check SecurityEvents.Read.All.

  4. Repeat step 3 for AuditLog.Read.All, Directory.Read.All and User.Read. If everything was done correctly, the permissions will be listed.

  5. Select Grant admin consent for the applications.

Info

You do not need to enable a permission if you are not going to use its corresponding resource. Check the Permissions reference per service section for a detailed breakdown of the resources and the permissions each one needs.

Action 3: Obtain the required credentials for the collector

  1. Go to Certificates & secrets and select + New client secret. Name it and copy the token value.

  2. Go to Overview to get your Tenant ID and Client ID and copy both values.

Note

The token value is displayed only once. You will need to create another one if you did not copy it the first time.
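The Tenant ID, Client ID and client secret collected in Action 3 feed an OAuth 2.0 client-credentials request against the tenant's token endpoint, and the resulting token carries the application permissions granted in Action 2 in its `roles` claim. The following is an added example (not the collector's or Microsoft's code) that builds that request and checks, before any data is pulled, that the required permissions actually reached the token; a missing role usually means the admin consent step was skipped. The `post(url, form) -> dict` callable is an assumption, and `fake_post`, `SAMPLE_TOKEN` and the placeholder identifiers are constructed so the example runs offline.

```python
# Added example; not the collector's or Microsoft's code. It builds the client-credentials
# token request that consumes the Tenant ID, Client ID and client secret from the steps above,
# then reads the `roles` claim of the returned token to confirm the application permissions
# granted in Action 2 actually reached the token before the collector starts polling.
# The `post(url, form) -> dict` callable is an assumption; `fake_post` is a constructed stand-in.
import base64
import json

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# Application permissions from Action 2. User.Read is a delegated permission, so it never
# appears in the roles claim of an app-only token and is not checked here.
REQUIRED_ROLES = frozenset({"SecurityEvents.Read.All", "AuditLog.Read.All", "Directory.Read.All"})


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form body of the OAuth 2.0 client-credentials grant against the tenant."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests every application permission an admin has consented to.
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), form


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Application permissions carried by the token's `roles` claim.
    Inspection only: the signature is not verified, so this is a configuration check for the
    operator, never an authorization decision (Graph validates the token on every call)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_permissions(access_token: str, required=REQUIRED_ROLES) -> set:
    """Permissions from `required` that the token does not carry (empty set means ready)."""
    return set(required) - token_roles(access_token)


def _constructed_jwt(payload: dict) -> str:
    """Constructed sample token with a dummy signature, for this offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(payload) + ".constructed-signature"


# Constructed token: admin consent for AuditLog.Read.All has not been granted yet.
SAMPLE_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com",
                                 "roles": ["SecurityEvents.Read.All", "Directory.Read.All"]})


def fake_post(url: str, form: dict) -> dict:
    """Stand-in for the HTTPS POST to the token endpoint."""
    if form.get("grant_type") != "client_credentials" or not url.endswith("/oauth2/v2.0/token"):
        return {"error": "invalid_request"}
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": SAMPLE_TOKEN}


def acquire_and_check(tenant_id, client_id, client_secret, post=fake_post) -> set:
    """Request a token and return the permissions still missing for the collector."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    response = post(url, form)
    if "access_token" not in response:
        raise RuntimeError(f"token request failed: {response.get('error')}")
    return missing_permissions(response["access_token"])


if __name__ == "__main__":
    # Placeholder identifiers; substitute the values copied in Action 3.
    print(acquire_and_check("<tenant-id>", "<client-id>", "<client-secret>"))
```

Run against a real tenant by replacing `fake_post` with a function that performs the HTTPS POST; an empty result set means every application permission the collector needs is present in the token, while a non-empty set names the roles to add or consent to in Action 2.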

...