...
Data source | Description | API endpoint | Collector service name | Devo table
---|---|---|---|---
Audit logs - provisioning | Represents an action performed by the Microsoft Entra provisioning service and its associated properties. | | |
Audit logs - directory | Represents the directory audit items and their collection. | | |
Audit logs - sign-ins | Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API. | | |
Audit logs - sign-ins (v2) | Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API. | | |
Legacy Alerts | This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified. This type of alert federates calls to the supported Azure and Microsoft 365 Defender security providers listed in "Use the Microsoft Graph security API". It aggregates common alert data across the different domains so that applications can unify and streamline the management of security issues across all integrated solutions. | | |
Alerts (v2) | This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified. When it detects a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider and consumes it to return valuable clues in an alert resource about any related attack, impacted assets, and associated evidence. It automatically correlates other alerts with the same attack techniques or the same attacker into an incident to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. | | |
Secure Scores | Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data are held. This data is sorted by createdDateTime, from latest to earliest, which allows you to page responses by using $top=n, where n is the number of days of data that you want to retrieve. | | |
Secure Scores Control Profiles | Represents a tenant's secure score per control. By default, this resource returns all controls for a tenant, and individual controls can be pulled explicitly. | | |
API limits, delays and known issues
Microsoft SLAs can be anywhere from 3 minutes to 6 hours in most cases. Check more information here.
Vendor setup
...
Note |
---|
You need Admin-level permissions on the Azure portal, because the subscription setup requires admin consent for API permissions, authentication, and audits. |
Action | Steps
---|---
1 | Register and configure the application
2 | Grant the required permissions
3 | Obtain the required credentials for the collector
...