Microsoft Graph collector
Purpose
An analyst wants to detect exfiltration of contracts and financial data. With the Microsoft Graph collector, alerts about Microsoft 365 Copilot activity (including Word and Excel) are imported to Devo. As a result, the analyst can set up an alert that triggers when Microsoft identifies a compromised user. When the alert fires, the analyst can check Devo to see if the compromised user has moved laterally into non-Microsoft systems.
The Graph collector can also send Entra ID data to Devo. Due to Graph’s low rate limits, Devo recommends using the Azure Event Hub collector to send Entra ID authentication data.
Example tables
Table | Description |
---|---|
Data from Graph, Event Hubs, VM Metrics, Entra ID, and other sources | |
cloud.[brand].[type].alerts_v2 | Alerts from Graph relating to Microsoft services. |
Entra ID identity and access management logs | |
cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs. |
Authentication logs, including Entra ID | |
Authorize It
It will take several hours to configure the Graph collector. Administrator permissions are required. Microsoft's credential fields are easy to confuse, so before beginning, be clear about which is which: the Application (client) ID, the Directory (tenant) ID, and the client secret value.
Go to Azure Portal and search for App registration. Then click on App registrations.
Open New registration.
On the Register an application page:
Name the application.
Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Click Register.
App registration will open. Click on your app to configure it and give it permissions.
Select Authentication in the left-side menu, then choose Add a platform and select Mobile and desktop applications.
Select the redirect URI https://login.microsoftonline.com/common/oauth2/nativeclient and click Configure.
Open API permissions and add the following application permissions:
SecurityEvents.Read.All
AuditLog.Read.All
Directory.Read.All
User.Read.All
SecurityAlert.Read.All
Select Grant admin consent. After consent, the five application permissions will have green check marks.
Go to Certificates & Secrets and select New client secret.
Add the secret.
Data loss warning: At the secret expiration time, the collector will stop working until the secret is replaced.
Copy the secret value.
In the App registration’s overview, copy the Application (client) ID and the Directory (tenant) ID.
Run It
In the Cloud Collector App, create a Microsoft Graph Collector instance. Remove the default collector parameters and insert this parameters template, replacing the values enclosed in < >.
{
  "inputs": {
    "microsoft_graph_audit": {
      "credentials": {
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "tenant_id": "<TENANT_ID>"
      },
      "enabled": true,
      "id": "<UNIQUE ID>",
      "services": {
        "directory_audits": {},
        "provisioning_audits": {},
        "signIns": {},
        "signIns_v2": {}
      }
    },
    "microsoft_graph_security": {
      "credentials": {
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "tenant_id": "<TENANT_ID>"
      },
      "enabled": true,
      "id": "<DIFFERENT UNIQUE ID>",
      "services": {
        "alerts": {},
        "alerts_v2": {},
        "secure_score_control_profiles": {},
        "secure_scores": {}
      }
    }
  }
}
The client_secret must be the secret value, which contains a tilde (~).
Due to Graph's low rate limits, Devo recommends using the Azure Event Hub collector to send Entra ID authentication data instead. To do so, create the Event Hub collector first, then remove the two signIns services (signIns and signIns_v2) from the microsoft_graph_audit block of this template.
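Before pasting the template into the Cloud Collector App, it is worth checking the two things that most often break a new Graph collector: a placeholder or secret ID left in the credentials block, and admin consent that was never granted for one of the five permissions. The following script is an added example (not Devo's or Microsoft's code): check_template inspects a filled-in copy of the template above, and missing_roles decodes the roles claim of an access token obtained with the client-credentials flow against the standard Entra ID v2.0 token endpoint. The endpoint URL, the roles claim and the unsigned_token helper (which builds a constructed, unsigned token so the role check can be exercised offline) are assumptions about the standard flow, not anything the page states.

```python
"""Sanity checks for a Microsoft Graph collector template and its app registration.

Added example, not Devo's or Microsoft's code. Assumes the standard Entra ID
v2.0 client-credentials flow (token endpoint and a 'roles' claim listing the
consented application permissions).
"""
import base64
import json
import urllib.parse
import urllib.request

# The five application permissions granted in the Authorize It section.
REQUIRED_ROLES = {
    "SecurityEvents.Read.All",
    "AuditLog.Read.All",
    "Directory.Read.All",
    "User.Read.All",
    "SecurityAlert.Read.All",
}


def check_template(template_text):
    """Return a list of problems found in a collector parameters template.

    Checks: the text is valid JSON, no <PLACEHOLDER> values remain, the secret
    looks like the secret value (contains a tilde) rather than the secret ID,
    and the inputs use different ids.
    """
    problems = []
    try:
        template = json.loads(template_text)
    except json.JSONDecodeError as exc:
        return [f"template is not valid JSON: {exc}"]
    ids = []
    for name, block in template.get("inputs", {}).items():
        creds = block.get("credentials", {})
        for key in ("client_id", "client_secret", "tenant_id"):
            value = str(creds.get(key, ""))
            if not value or value.startswith("<"):
                problems.append(f"{name}.credentials.{key} still has a placeholder")
        secret = str(creds.get("client_secret", ""))
        if secret and not secret.startswith("<") and "~" not in secret:
            problems.append(f"{name}.credentials.client_secret has no tilde; copy the secret value, not the secret ID")
        if str(block.get("id", "")).startswith("<"):
            problems.append(f"{name}.id still has a placeholder")
        ids.append(block.get("id"))
    if len(ids) != len(set(ids)):
        problems.append("inputs must have different ids")
    return problems


def decode_roles(access_token):
    """Return the set of app roles in a JWT payload without verifying the signature.

    Verification is deliberately skipped: the token was just issued to this
    app, and the only question is which permissions consent actually granted.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Permissions from the required set that admin consent has not granted."""
    return sorted(required - decode_roles(access_token))


def unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string (for offline testing only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials token request to the Entra ID v2.0 endpoint (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    import sys
    path, tenant, client, secret = sys.argv[1:5]
    with open(path) as fh:
        for problem in check_template(fh.read()):
            print("template:", problem)
    for role in missing_roles(fetch_token(tenant, client, secret)):
        print("consent missing:", role)
```

Run it as `python check_graph_collector.py template.json <TENANT_ID> <CLIENT_ID> <CLIENT_SECRET>`; an empty output means the template is filled in and all five permissions appear in the token. The secret is passed on the command line only for brevity here; in practice read it from an environment variable or a secrets store so it does not land in shell history.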
Secure It
Graph alerts tables have an evidence column. Right-click a cell in the evidence column and select Pretty print to get a readable view of the evidence for an attack.
Malicious files
An analyst wants to identify user accounts associated with malicious files. If the files identified by Graph are malware, the malware should be removed or isolated. If the files are data exfiltration, the account should be disabled before more data can be exfiltrated.
from cloud.office365.cloud_apps.alerts_v2
//In most cases, there is only one user in the evidence.
group by str(jqeval(jqcompile(".[0].userAccount.userPrincipalName"),jsonparse(evidence))) as user,
description
//Count the files in the alerts.
//There may be files in the evidence which are not in the description.
select sum(length(split(evidence,"fileName"))-1) as files
//Exclude alerts with no files.
where files>0
select first(eventdate) as infection_report_time
Malicious network activity
An analyst wants to block attacks using a firewall. If a user is connecting from two countries simultaneously or an application has engaged in phishing, blocking the IP may delay the attack.
from cloud.office365.cloud_apps.alerts_v2
//Group by the alert description only; the addresses come from the evidence.
group by description
//Count the IP addresses in the alerts.
//There may be addresses in the evidence which are not in the description.
select sum(length(split(evidence,"ipAddress"))-1) as ip_addresses
//Exclude alerts with no addresses.
where ip_addresses>0
select first(eventdate) as incident_report_time
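The two queries above extract the user with a jq path into the first evidence object and count files and IP addresses by counting occurrences of the key strings "fileName" and "ipAddress" in the raw evidence text. The script below is an added example (not Devo's or Microsoft's code) that reproduces both computations in Python over a constructed evidence value, so the numbers an analyst sees in Devo can be sanity-checked against a pretty-printed cell. The evidence shape it assumes (a JSON array whose user evidence carries userAccount.userPrincipalName, whose file evidence carries a fileName and whose IP evidence carries an ipAddress) follows the paths the queries use; the @odata.type values and the sample names are constructed. It also shows the caveat the comments hint at: the substring count is a count of key-string occurrences, not of distinct files, so a structured parse is included for comparison.

```python
"""Reproduce the evidence-column arithmetic of the alerts_v2 queries.

Added example, not Devo's or Microsoft's code. The evidence layout is an
assumption consistent with the jq path and key names the queries use.
"""
import json

# Constructed sample evidence for one alert: one user, two files, one IP.
SAMPLE_EVIDENCE = json.dumps([
    {"@odata.type": "#microsoft.graph.security.userEvidence",
     "userAccount": {"userPrincipalName": "alice@example.com"}},
    {"@odata.type": "#microsoft.graph.security.fileEvidence",
     "fileDetails": {"fileName": "Q3-forecast.xlsx"}},
    {"@odata.type": "#microsoft.graph.security.fileEvidence",
     "fileDetails": {"fileName": "vendor-contract.docx"}},
    {"@odata.type": "#microsoft.graph.security.ipEvidence",
     "ipAddress": "203.0.113.7"},
])


def first_user(evidence):
    """Equivalent of jqeval(jqcompile(".[0].userAccount.userPrincipalName"), jsonparse(evidence)).

    Like the query, it only looks at the first evidence object and returns
    None when that object is not user evidence (or the array is empty).
    """
    items = json.loads(evidence)
    if not items:
        return None
    return items[0].get("userAccount", {}).get("userPrincipalName")


def count_key_occurrences(evidence, key):
    """What length(split(evidence, key)) - 1 counts: raw substring hits of the key."""
    return len(evidence.split(key)) - 1


def walk_values(obj, key):
    """Yield every value stored under `key` anywhere inside a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from walk_values(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk_values(item, key)


def structured_values(evidence, key):
    """Distinct values under `key`, found by parsing rather than substring search."""
    return sorted(set(str(v) for v in walk_values(json.loads(evidence), key)))


def summarize(evidence):
    """Both query measures side by side with their structured equivalents."""
    return {
        "user": first_user(evidence),
        "files": count_key_occurrences(evidence, "fileName"),
        "ip_addresses": count_key_occurrences(evidence, "ipAddress"),
        "file_names": structured_values(evidence, "fileName"),
        "ips": structured_values(evidence, "ipAddress"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVIDENCE), indent=2))
```

For the sample above both methods agree (two files, one address). They diverge when a value itself contains the key text, for example a file named fileName-list.csv, which the substring method counts twice; when a count looks too high, compare it against the pretty-printed evidence before acting on it.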
Suspicious authentication in Entra ID
An analyst wants to use Microsoft’s models to identify accounts with suspicious authentication behavior. The evidence associated with the alerts can be used to determine if the accounts should be deactivated.
from cloud.azure.ad.alerts_v2
group by description,
str(jqeval(jqcompile(".[0].userAccount.userPrincipalName"),jsonparse(evidence))) as user
SQL injection
A security researcher wants to identify SQL injection attacks to determine if web apps are protected. Graph provides a list of attacks which can be correlated with the database audit log (such as cloud.azure.sql.securityauditevents) to determine the malicious SQL queries.
from cloud.msgraph.security.alerts_v2
where weakhas(description,"SQL Injection")
Penetration testing
A CISO who has purchased penetration testing wishes to identify the testing methods (hardware and software) used by the service provider and determine the effectiveness of Graph at identifying penetration testing.
from cloud.msgraph.security.alerts_v2
where weakhas(description,"penetration")
Monitor It
In normal operation, Graph alerts are infrequent, so the collector routinely logs that it received zero events. Create an inactivity alert that fires when that "no new alerts" message stops arriving, which is the sign that the API is no longer responding.
from devo.collectors.out
where toktains(collector_image,"ms-graph-collector-if:"), toktains(msg,"Number of events received: 0;"),
has(service_name,"alerts") or has(service_name,"signIns")
select split(hostname,"-",1) as collector_id
Set the inactivity alert to keep track of the collector_id and service_name. The alert may trigger if the Graph API fails or if there is an unusual amount of data arriving at Graph.
Legacy Graph APIs
Microsoft will remove the legacy alerts API from Graph "by April 2026." To avoid impact on your queries, use the tables named alerts_v2.
Permissions
Devo service | Graph Resource | Required permissions | Microsoft documentation |
---|---|---|---|
Required for all services | | | |
Required for all services | | | |