Guide to understanding, ingesting, and leveraging Microsoft Graph API Activity logs for security operations and detection engineering
Introduction #
In this series I will be documenting my research on Microsoft Graph API OpenAPI schema, how to parse its 10,000+ available endpoints and how to determine opportunities for noise reduction as well as detection engineering. If you also felt overwhelmed by this log source, I hope you will find it useful.
In this introductory post, I will briefly explain what Graph API is and how to ingest it. I will also touch on common challenges that security teams might face when looking to ingest this source.
Why it matters #
Microsoft Graph API serves as the unified gateway to Microsoft 365, Azure Active Directory, and countless other Microsoft services. It is a powerful tool that allows administrators and attackers alike to create/delete users, spin up resources, modify network settings and much more.
With a multitude of documented endpoints and growing, Graph API also generates massive volumes of telemetry that can be both a goldmine and a headache. Let’s explore it together.
What Gets Logged? #
Microsoft Graph API activity generates several types of logs across different services:
- Microsoft Graph Activity Logs: Direct API calls to graph.microsoft.com endpoints
- Azure AD Audit Logs: Directory changes, administrative actions, and configuration modifications
- Azure AD Sign-in Logs: User and application authentication attempts
- Office 365 Audit Logs: Service-specific activities (SharePoint, Exchange, Teams)
Log Ingestion Strategies #
Enabling Microsoft Graph Activity Logs #
Microsoft Graph Activity logs must be explicitly configured through diagnostic settings to capture API calls. While you can browse Azure AD Audit Logs via the web portal, this log source cannot be seen through GUI. This caveat is the reason why enabling them is crucial for monitoring calls made to Graph API.
Diagnostic Settings Configuration:
- Navigate to Azure AD > Diagnostic settings
- Enable
MicrosoftGraphActivityLogscategory - Configure destinations: Log Analytics workspace, Event Hubs or archival in a storage account
Log Analytics vs Event Hubs vs Storage Account #
| Destination | Pros | Cons | Best For |
|---|---|---|---|
| Log Analytics Workspace | Native KQL querying, built-in retention policies, seamless Sentinel integration | Higher cost for large volumes, limited real-time processing capabilities | Organizations prioritizing ease of use and native Microsoft tooling |
| Event Hubs | Real-time streaming, cost-effective for high volumes, flexible downstream processing | Requires additional infrastructure, more complex setup and partitioning | Organizations with existing streaming infrastructure or custom processing needs |
| Storage Account | Best option for long term storage, cheapest solution | No real-time monitoring, cannot build detections, increased complexity during incident response because of retrieval process | Organizations on a budget that want to keep a record for analysis in case of an incident |
Once you set up the diagnostic setting, you are ready to send the logs to the SIEM or storage solution of your choice like Splunk, Elastic Stack or Sentinel.
Volume Optimization and Log Processing #
With the rising popularity of log processing tools like Cribl, Splunk Edge Processor, and Onum (acquired by CrowdStrike), organizations are increasingly focused on both detection engineering and volume reduction opportunities.
Consider:
- Endpoint Criticality Assessment: Not all Graph API endpoints carry equal security risk
- Baseline Establishment: Understanding normal API usage patterns before implementing filtering
- Volume vs. Visibility Trade-offs: Balancing cost optimization with security coverage
Examples of Critical Endpoints to Monitor #
Certain Graph API endpoints pose higher security risks, we will dive into this topic more later in the series but here are a few to consider:
High-Risk Administrative Endpoints
| Endpoint Category | API Paths | Risk | Volume | Detection Strategy |
|---|---|---|---|---|
| Application Management | /applications, /servicePrincipals |
Privilege escalation, persistent access | Low-medium (typically admin-only) | Monitor non-admin access, bulk operations |
| Directory Objects | /directoryObjects, /users, /groups |
Enumeration, lateral movement | High (frequent legitimate use) | Focus on enumeration patterns, unusual access times |
| Permissions and Roles | /oauth2PermissionGrants, /appRoleAssignments |
Permission escalation | Low (infrequent changes) | Any modification should trigger alerts |
Data Access Endpoints
| Endpoint Category | API Paths | Risk | Volume | Detection Strategy |
|---|---|---|---|---|
| Mail and Calendar | /me/messages, /me/events |
Data exfiltration, privacy violations | Very high (constant user activity) | Bulk downloads |
| Files and SharePoint | /me/drive, /sites |
Intellectual property theft, ransomware | Very high | Mass file access, unusual download patterns |
Managing Log Volume and Noise #
The Volume Challenge #
Microsoft Graph API logs can easily generate hundreds of GBs of data daily in large organizations:
- High-frequency endpoints:
/me/messages,/me/presence(every few seconds) - Batch operations: Single requests affecting hundreds of objects
- Automated systems: Service accounts generating constant API traffic
- Native Microsoft Apps: Teams, Sharepoint, Planner and other MS apps query Graph API for their regular operations.
Noise Reduction Strategies #
-
Baseline Normal Activity
// Establish baseline for each user/application MicrosoftGraphActivityLogs | where TimeGenerated > ago(30d) | summarize avg_requests_per_hour = avg(RequestCount), common_endpoints = make_set(RequestUri) by UserId, AppId -
Focus on High-Risk Operations
- Prioritize POST, PATCH, DELETE operations over GET
- Monitor administrative endpoints more closely
- Filter out known automated systems (with caution)
-
Log Enrichment
Raw Graph API logs contain service principal IDs and application IDs that provide limited context for security analysis. Enriching these logs with additional metadata significantly improves detection capabilities and reduces investigation time.
Service Principal Enrichment:
- Maitain a list of all your current Service Principals and their names for better readability and baselining
- Use lookup files in your SIEM to enrich your queries with this information
Permission Level Mapping:
- High Privilege: Applications with Directory.ReadWrite.All, Application.ReadWrite.All
- Medium Privilege: Applications with User.ReadWrite.All, Group.ReadWrite.All
- Low Privilege: Applications with read-only permissions or user-delegated access
Enrichment Data Sources:
- Azure AD application registrations for app names and owners
- Historical usage patterns to establish risk baselines
- Business context (department, purpose, criticality)
Conclusion #
Microsoft Graph API is a rich source of security telemetry. While the volume and complexity can be overwhelming, a structured approach to ingestion, analysis, and monitoring can provide great visibility and detection engineering opportunities for this log source.
Key takeaways:
- Start with high-risk endpoints and expand coverage gradually
- Implement noise reduction early to prevent alert fatigue
- Automate where possible but maintain human oversight for complex decisions
- Continuously tune detection rules based on your environment
- Don’t rely solely on Graph API logs and correlate with
- Azure AD sign-in logs for authentication context
- Office 365 audit logs for service-specific activities
- Network logs for additional attribution
The investment in proper Graph API log monitoring pays dividends in early threat detection, compliance reporting, and operational visibility. As Microsoft continues to expand Graph API capabilities, security teams should become familiar with these logs to be better positioned in defending cloud-based attacks.
Tools and Resources #
Tools #
- Microsoft Graph Explorer : Interactive API testing
- Microsoft Graph PowerShell SDK : PowerShell module for Graph API
- Kibali : Tooling for managing Microsoft Graph Permissions
Community #
- Microsoft Security Experts Blog: