| property | value |
| --- | --- |
| tags | azure-cloud,graph-api,pkm-pocket-pipeline,threat-hunting |
| url | |
| original_word_count | 1473 |
Article Excerpt
When working with Microsoft Entra there are many log sources you can use to detect usage and changes to the environment and the assets within it. Most of them can be forwarded using the diagnostic settings to different targets for better analysis capabilities or long-term storage.
Long Summary
Microsoft Graph is a powerful tool for data analysis that can be used to identify trends, uncover patterns, and make predictions. It can also be used to create custom visualizations of data and to build reports and dashboards. Microsoft recently announced new logging capabilities that allow detection of reconnaissance tools such as AzureHound and Purple Knight. These tools dump all tenant information over Graph, and their requests can be tracked in the MicrosoftGraphActivityLogs table in Sentinel. AzureHound can be detected by its user agent, azurehound/v2.1.0, and by a confidence score based on the number of Graph endpoints called. Purple Knight can be detected with a similar technique, but with more normalization of the endpoints. Microsoft Sentinel Analytics rules have been developed to detect the use of such tooling in the environment.
Test this logging in a lab environment first: every Graph call is logged, so ingestion volume and cost can be significant. Part two of the article will go into more depth on how to use the available information and how to correlate it with other datasets to gain deeper insights.
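The user-agent match and endpoint-count confidence score described above, written out as a Sentinel KQL query. This is an added example, not a rule from the original article: the MicrosoftGraphActivityLogs column names (RequestUri, UserAgent, UserId, ServicePrincipalId, IPAddress) are assumed from the table schema, the one-hour window and the endpoint threshold of 15 are constructed tuning values, and the GUID collapsing is a generic stand-in for the endpoint normalization the summary mentions for Purple Knight.

```kql
// Added example, not from the original article. Assumes the MicrosoftGraphActivityLogs
// columns RequestUri, UserAgent, UserId, ServicePrincipalId and IPAddress; the
// user-agent token "azurehound" is taken from the azurehound/v2.1.0 string above.
let lookback = 1h;                                   // constructed window
let endpoint_threshold = 15;                         // constructed tuning value
let known_tool_agents = dynamic(["azurehound"]);     // lower-case user-agent tokens
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
// Normalize the endpoint: drop the query string and collapse object IDs so that
// /users/{id}/memberOf and /users/{other-id}/memberOf count as one endpoint.
| extend Endpoint = tostring(split(RequestUri, "?")[0])
| extend Endpoint = replace_regex(Endpoint,
    @"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", "{id}")
// Attribute the request to the signed-in user or, for app-only tokens, the service principal.
| extend Actor = coalesce(UserId, ServicePrincipalId)
| extend KnownToolAgent = tolower(UserAgent) has_any (known_tool_agents)
| summarize
    Requests = count(),
    DistinctEndpoints = dcount(Endpoint),
    ToolAgentHits = countif(KnownToolAgent),
    UserAgents = make_set(UserAgent, 10),
    SourceIPs = make_set(IPAddress, 10),
    SampleEndpoints = make_set(Endpoint, 25)
    by Actor, Window = bin(TimeGenerated, lookback)
// High: a known tool announced itself in the user agent.
// Medium: no known agent, but the breadth of enumeration alone is suspicious.
| extend Confidence = case(
    ToolAgentHits > 0, "High",
    DistinctEndpoints >= endpoint_threshold, "Medium",
    "Low")
| where Confidence != "Low"
| project Window, Actor, Confidence, Requests, DistinctEndpoints, ToolAgentHits,
    UserAgents, SourceIPs, SampleEndpoints
| order by Confidence asc, DistinctEndpoints desc
```

The user-agent branch is the brittle half of the score, since the string is client-supplied; the endpoint-breadth branch is the more durable signal, so baseline endpoint_threshold against your own admin tooling and automation accounts in the lab tenant before turning this into a scheduled analytics rule.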
Short Summary
📓 Detect threats using Microsoft Graph Logs - Part 1
👉🏽 When working with Microsoft Entra there are many log sources you can use to detect usage and changes to the environment and the assets within it. Most of them can be forwarded using the diagnostic settings to different targets for better analysis capabilities or long-term storage. It is important to test Graph in a lab environment first and consider the cost of using it. Part two of the article will provide more information on how to use the available information and gain deeper insights by correlating it with other datasets.
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/detect-threats-using-microsoft-graph-logs-part-1
#MicrosoftGraph #DataAnalysis #ReconnaissanceDetection #LoggingCapabilities #CostConsideration