Monitoring Microsoft Graph services with Wazuh
The Microsoft Graph API is a single REST API that provides access to data across the Microsoft cloud services, including Microsoft 365, Azure, Dynamics 365, and other Microsoft cloud components. It is the endpoint for accessing structured data, insights, and relationships from the Microsoft cloud ecosystem.
This section provides instructions for monitoring your organization's Microsoft Graph API resources and relationships using the Wazuh module for Microsoft Graph.
Currently, the Wazuh module for Microsoft Graph allows you to monitor the following with Wazuh:
Microsoft Entra ID Protection
Microsoft 365 Defender
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365
Microsoft Purview eDiscovery
Microsoft Purview Data Loss Prevention (DLP)
These all belong to the Microsoft Graph security resource, but you can monitor many additional resources through the Microsoft Graph API. See the Overview of Microsoft Graph documentation to learn more.
Note
The security resource is considered mature because Wazuh ships pre-made rules that have been tested against it. Your organization can still ingest logs from other Microsoft Graph resources into your Wazuh deployment, but those resources do not come with pre-made rules.
Retrieving content
To retrieve a set of logs from Microsoft Graph, make a GET request using the URL below:
GET https://graph.microsoft.com/{version}/{resource}/{relationship}?{query-parameters}
A description of the current production version of the Microsoft Graph API can be found in the Overview of Microsoft Graph.
Alternatively, you can experiment with the API directly through Microsoft Graph Explorer.
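The following is an added example, not code from the Wazuh project or from Microsoft. It builds a GET URL of the form shown above, percent-encodes the query parameters (a $filter on createdDateTime so a periodic poller only asks for recent objects), and follows the paged response until the collection is exhausted, then tags each object with its resource and relationship so a Wazuh rule can match on them. Everything beyond the URL template is an assumption: the client-credentials token endpoint under login.microsoftonline.com, the security/alerts_v2 relationship used as the sample target, the OData value / @odata.nextLink response layout, and the JSON-lines output layout (which is not the event format the Wazuh module for Microsoft Graph itself emits). The two response pages are constructed so the example runs offline.

```python
# Added example (not Wazuh or Microsoft code). Builds Microsoft Graph GET URLs
# of the documented form
#   GET https://graph.microsoft.com/{version}/{resource}/{relationship}?{query-parameters}
# and walks a paged response. Assumed, not taken from the page: the
# client-credentials token endpoint, the 'security/alerts_v2' relationship,
# the 'value' / '@odata.nextLink' page layout and the JSON-lines output.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRAPH_BASE = "https://graph.microsoft.com"


def build_graph_url(version, resource, relationship, query=None):
    """Return {GRAPH_BASE}/{version}/{resource}/{relationship}?{query}.

    Query parameters are percent-encoded (spaces, colons and '$' included),
    so a $filter carrying a timestamp can neither be broken by nor smuggle
    in unescaped characters."""
    path = "/".join(seg.strip("/") for seg in (version, resource, relationship))
    url = f"{GRAPH_BASE}/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    return url


def since_filter(since, top=100):
    """$filter/$top pair asking only for objects created at or after 'since'
    (an aware datetime), so a periodic poller does not re-ingest every
    alert on each run."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"$filter": f"createdDateTime ge {stamp}", "$top": str(top)}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials flow (assumed endpoint and scope; a real network
    call, not exercised offline). Keep client_secret out of source control."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def http_get_json(token):
    """Return a fetcher that performs a real bearer-authenticated GET."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def fetch_all(url, fetch, max_pages=50):
    """Collect every object in a Graph collection by following
    @odata.nextLink. max_pages bounds a runaway or looping nextLink chain."""
    items, pages = [], 0
    while url and pages < max_pages:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return items


def to_json_lines(items, resource, relationship):
    """One JSON object per line, tagged with resource/relationship so rules
    can match on them. Assumed layout for a custom JSON log file, not the
    event format the Wazuh ms-graph module emits."""
    return [json.dumps({"resource": resource, "relationship": relationship,
                        "data": item}, sort_keys=True) for item in items]


# Constructed two-page response for security/alerts_v2 (not real tenant data).
SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)
FIRST_URL = build_graph_url("v1.0", "security", "alerts_v2", since_filter(SINCE, top=2))
NEXT_URL = FIRST_URL + "&%24skiptoken=page2"
CONSTRUCTED_PAGES = {
    FIRST_URL: {"value": [{"id": "a1", "severity": "high"},
                          {"id": "a2", "severity": "low"}],
                "@odata.nextLink": NEXT_URL},
    NEXT_URL: {"value": [{"id": "a3", "severity": "medium"}]},
}


def demo():
    """Offline walk of the constructed pages; returns the JSON lines."""
    items = fetch_all(FIRST_URL, CONSTRUCTED_PAGES.__getitem__)
    return to_json_lines(items, "security", "alerts_v2")


if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real tenant, replace the dictionary lookup with `fetch_all(FIRST_URL, http_get_json(get_token(tenant, client_id, secret)))`; the fetcher is passed in so the paging and tagging logic can be checked offline without a token.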