Microsoft Graph is a Microsoft developer platform that enables integration with multiple services in Microsoft cloud. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.
In RSA NetWitness 11.5 or higher versions, we integrated the Microsoft Graph API through the Plugin collection type. This integration helps our customers to collect various event types or alerts from Microsoft cloud services through Microsoft Graph API.
Event types currently supported by RSA NetWitness msazuregraph plugin are as given below. The latest azure log parser needs to be enabled in NetWitness Log decoder to parse these events. Please refer official RSA document for more information on configurations
Microsoft Event types Supported via NetWitness msazuregraph Plugin
- Directory Audit Logs
- SignIn Logs
- Security Alerts
- Risk Detection Logs
In addition to the above event types, customers can collect any other event types which are supported through Microsoft Graph API and route them to a custom parser created in NetWitness or get in touch with RSA NetWitness customer support to add official support for fine parsing.
Note: Microsoft Azure: Admin Logs, Azure AD Audit/Sign-in (via native API) and Microsoft Azure Security Alerts Plugins will be deprecated soon because native APIs used in former plugin were already deprecated from Microsoft. Also security alerts are supported in this plugin using the same API. It is recommended that customers start using Microsoft Graph API Plugin instead.
RSA Netwitness MS Azure Graph API Plugin Configuration Guide
Microsoft Graph Documentation
Microsoft Graph API Guide