Investigate threats using Microsoft Graph activity logs
Microsoft Graph activity logs are a powerful tool for security operations analysts to investigate threats and suspicious activities within an organization's Microsoft 365 environment. These logs capture API calls made to Microsoft Graph, providing visibility into how applications and users interact with organizational data.
When investigating threats, analysts can leverage Microsoft Graph activity logs to track several key elements. First, they can identify which applications are accessing sensitive data by examining the app IDs and permissions used in API calls. This helps detect potentially malicious or compromised applications that may be exfiltrating data.
The logs contain valuable information including timestamps, client request IDs, user agent strings, IP addresses, and the specific Graph API endpoints accessed. Analysts can correlate these details with known indicators of compromise or unusual patterns that suggest malicious activity.
To access these logs, security teams can use Azure Monitor or stream them to a SIEM solution like Microsoft Sentinel. Once ingested, analysts can write KQL queries to search for anomalies such as unusual access times, excessive API calls, or requests from suspicious geographic locations.
Key investigation scenarios include detecting token theft where attackers use stolen authentication tokens to access Graph APIs, identifying data exfiltration attempts through bulk download patterns, and discovering unauthorized application registrations that could indicate persistence mechanisms.
Analysts should establish baselines for normal Graph API activity within their environment to better identify deviations. Cross-referencing Graph activity logs with Azure AD sign-in logs, audit logs, and other telemetry sources provides comprehensive threat context.
Best practices include configuring appropriate log retention periods, setting up alerts for high-risk API operations, and regularly reviewing application permissions. By systematically analyzing Microsoft Graph activity logs, security operations teams can uncover sophisticated attacks that leverage legitimate APIs to avoid traditional detection methods.
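As an added example (not part of the original page), the following KQL compares each application's Graph request volume over the last 24 hours with its own 14-day baseline, which is the baselining approach described above. Column names beyond those the page lists (TimeGenerated, AppId, IPAddress) are assumed to match the MicrosoftGraphActivityLogs schema in your workspace.

```kql
// Added example: per-application volume outliers against a 14-day baseline.
// Assumed columns not named on the page: TimeGenerated, AppId, IPAddress.
let lookback = 14d;
let recent = 1d;
// Daily request counts per application over the baseline window,
// reduced to a mean and standard deviation per AppId.
let baseline =
    MicrosoftGraphActivityLogs
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | summarize DailyCount = count() by AppId, bin(TimeGenerated, 1d)
    | summarize BaselineAvg = avg(DailyCount), BaselineStd = stdev(DailyCount),
                BaselineDays = count() by AppId;
// Activity in the most recent period, with breadth indicators that often
// accompany token theft or bulk collection (many source IPs, many endpoints).
let current =
    MicrosoftGraphActivityLogs
    | where TimeGenerated > ago(recent)
    | summarize CurrentCount = count(), DistinctIPs = dcount(IPAddress),
                DistinctUris = dcount(RequestUri) by AppId;
current
| join kind=leftouter baseline on AppId
| extend BaselineAvg = coalesce(BaselineAvg, 0.0), BaselineStd = coalesce(BaselineStd, 0.0)
| extend ZScore = iff(BaselineStd > 0, (CurrentCount - BaselineAvg) / BaselineStd, real(null))
| where isnull(BaselineDays)          // application never seen in the baseline window
      or ZScore > 3                   // far above its own normal daily volume
      or CurrentCount > 10 * BaselineAvg
| project AppId, CurrentCount, BaselineAvg, BaselineStd, ZScore,
          BaselineDays, DistinctIPs, DistinctUris
| order by ZScore desc nulls last
```

Applications with no baseline rows surface first as candidates for the "new application accessing data" scenario; the thresholds (3 standard deviations, 10x the mean) are starting points to tune per tenant.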
Investigate Threats Using Microsoft Graph Activity Logs
Why This Is Important
Microsoft Graph activity logs provide critical visibility into how applications and services interact with your Microsoft 365 environment. As a Security Operations Analyst, understanding these logs enables you to detect suspicious application behavior, identify compromised credentials, track data exfiltration attempts, and investigate security incidents involving API-based attacks. With the increasing sophistication of attacks targeting cloud services, mastering Graph activity logs is essential for comprehensive threat hunting.
What Are Microsoft Graph Activity Logs?
Microsoft Graph activity logs capture detailed information about requests made to the Microsoft Graph API. These logs record:
• Request metadata - timestamps, HTTP methods, and endpoints accessed
• Identity information - user principals, service principals, and application IDs making requests
• Response details - status codes and response sizes
• Client information - IP addresses and client application details
• Resource access patterns - which resources were queried or modified
How It Works
1. Log Collection: Graph activity logs are streamed to Azure Monitor, where they can be sent to a Log Analytics workspace, Event Hub, or Storage Account.
2. Integration with Microsoft Sentinel: Once logs are in Log Analytics, Microsoft Sentinel can query them using KQL (Kusto Query Language) for threat detection and investigation.
3. Key Tables: The primary table is MicrosoftGraphActivityLogs, which contains all API activity data.
4. Analysis Scenarios:
   - Detecting unusual application permission requests
   - Identifying bulk data access patterns
   - Tracking failed authentication attempts via API
   - Monitoring sensitive operations like mail reading or file downloads
Common KQL Queries for Investigation
• Query for failed requests: Filter by response codes in the 400-500 range
• Query for high-volume requests: Aggregate by application ID and count requests
• Query for sensitive endpoints: Filter for endpoints accessing mail, files, or directory data
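The three query patterns above, written out as added example KQL against the MicrosoftGraphActivityLogs table (these are not the page's own queries). Each is a stand-alone query to run separately; the columns TimeGenerated, AppId, IPAddress and ResponseSizeBytes are assumed from the table schema, the rest are the ones named on this page.

```kql
// Added examples against MicrosoftGraphActivityLogs; run each query on its own.
// Assumed columns not named on the page: TimeGenerated, AppId, IPAddress, ResponseSizeBytes.

// 1. Failed requests: 4xx/5xx responses grouped per caller, so one app, user
//    or IP generating a burst of errors (e.g. probing with a stolen token) stands out.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| where ResponseStatusCode between (400 .. 599)
| summarize Failures = count(), DistinctUris = dcount(RequestUri),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by AppId, ServicePrincipalId, UserId, IPAddress, ResponseStatusCode
| where Failures > 50
| order by Failures desc

// 2. High-volume callers: aggregate by application ID; the fixed threshold
//    is a placeholder to replace with the environment's own baseline.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| summarize Requests = count(), BytesReturned = sum(ResponseSizeBytes),
            Sources = make_set(IPAddress, 10)
    by AppId, ServicePrincipalId
| where Requests > 1000
| order by Requests desc

// 3. Sensitive endpoints: mail, files and directory objects. Matching on the
//    URL path segments works for both v1.0 and beta request URIs.
let SensitivePaths = dynamic([
    "/messages", "/mailFolders", "/drive", "/drives", "/users",
    "/groups", "/applications", "/servicePrincipals", "/oauth2PermissionGrants"]);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| extend Path = tostring(parse_url(RequestUri).Path)
| where Path has_any (SensitivePaths)
| summarize Requests = count(), Reads = countif(RequestMethod == "GET"),
            Writes = countif(RequestMethod in ("POST", "PATCH", "PUT", "DELETE"))
    by AppId, ServicePrincipalId, UserId, Path
| order by Requests desc
```

Separating reads from writes in the third query helps distinguish collection (many GETs on /messages or /drives) from persistence changes (POST/PATCH on /applications or /oauth2PermissionGrants).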
Exam Tips: Answering Questions on Investigating Threats Using Microsoft Graph Activity Logs
1. Know the log destination options: Remember that Graph activity logs can be sent to Log Analytics workspaces, Event Hubs, and Storage Accounts. Exam questions often test this configuration knowledge.
2. Understand the MicrosoftGraphActivityLogs table: Be familiar with key columns like RequestId, ServicePrincipalId, UserId, RequestMethod, RequestUri, and ResponseStatusCode.
3. Focus on threat scenarios: Questions may present scenarios about detecting malicious applications, compromised service principals, or data theft via API calls.
4. Remember integration points: Understand how Graph activity logs work alongside Azure AD sign-in logs and audit logs for comprehensive investigation.
5. Practice KQL fundamentals: Expect questions requiring you to identify the correct KQL query for specific investigation scenarios.
6. Know the prerequisites: An Azure AD Premium license and appropriate permissions (Security Reader or higher) are required to configure and access these logs.
7. Recognize attack patterns: Be prepared to identify indicators of compromise such as unusual geographic access, high-frequency API calls, or access to sensitive endpoints from new applications.