Microsoft Graph Activity Logs Redefine Security Monitoring

Cloud Computing

Key Takeaways:

  • Microsoft Graph activity logs feature provides organizations with comprehensive insights into HTTP requests processed within their tenant.
  • This feature extends beyond traditional sign-ins and audit logs, enabling threat hunting, security analysis, and detailed application activity tracking.
  • Administrators can access activity logs through Azure Monitor Logs integration with Microsoft Entra.

Microsoft has announced the general availability of the activity logs feature in Microsoft Graph. This capability enables organizations to gain insights into all HTTP requests that the Microsoft Graph service received and processed for a specific tenant.

Microsoft Graph is an API that collects user and organizational data from various Microsoft services, including Microsoft 365, Enterprise Mobility and Security services, Entra ID, and Windows. It lets developers to build apps that can interact with users’ data stored such as emails, calendars, contacts, tasks, and files.

Up until now, the Microsoft Graph service only allowed administrators to access data about sign-ins and audit logs. Now, Microsoft Graph activity logs enable customers to gain broader visibility. These logs facilitate threat hunting, security analysis, and tracking of application activity within a tenant.

“With Microsoft Graph activity logs, you can now investigate the complete picture of activity in your tenant – from token request in sign-in logs, to API request activity (reads, writes, and deletes) in Microsoft Graph activity logs, to ultimate resource changes in audit logs,” Microsoft explained.

image 15
Microsoft Graph activity logs in Log Analytics (Image Credits: Microsoft)

What are the common use cases for Microsoft Graph activity logs?

Microsoft Graph activity logs allow administrators to track activities conducted by a compromised user account within an organization. Moreover, it also helps to investigate suspicious privileged assignments of application permissions. The feature also makes it easier to track problematic behaviors for client applications like extreme call volumes.

Microsoft notes that administrators can access activity logs through the Azure Monitor Logs integration with Microsoft Entra. They can analyze the logs in Azure Log Analytics Workspace, or archive them in Azure Storage Accounts. It’s also possible to use the logs with third-party security information and event management (SIEM) tools via Azure Event Hubs.

Keep in mind that the Microsoft Graph activity logs feature doesn’t let organizations monitor the activities of a multitenant application in another organization. Moreover, it doesn’t support filtering activity logs via diagnostic settings in Azure Monitor.