Microsoft Graph is a Microsoft developer platform that enables integration with multiple services in the Microsoft cloud. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. The Microsoft Graph API is a RESTful web API that enables you to access Microsoft cloud service resources.
In RSA NetWitness 11.5 and later, the Microsoft Graph API is integrated through the Plugin collection type. This integration lets customers collect various event types and alerts from Microsoft cloud services through the Microsoft Graph API.
The event types currently supported by the RSA NetWitness msazuregraph plugin are given below. The latest Azure log parser needs to be enabled on the NetWitness Log Decoder to parse these events. Please refer to the official RSA documentation for more information on configuration.
Microsoft Event types Supported via NetWitness msazuregraph Plugin
In addition to the above event types, customers can collect any other event types supported through the Microsoft Graph API and route them to a custom parser created in NetWitness, or get in touch with RSA NetWitness customer support to add official support for fine-grained parsing.
Note: The Microsoft Azure: Admin Logs, Azure AD Audit/Sign-in (via native API) and Microsoft Azure Security Alerts plugins will be deprecated soon, because the native APIs used in those plugins have already been deprecated by Microsoft. Security alerts are also supported in this plugin using the same API. It is recommended that customers start using the Microsoft Graph API plugin instead.
RSA Netwitness MS Azure Graph API Plugin Configuration Guide
Is this also used when I want to ingest things like logs from Azure VPN Gateway for logon session information?
Currently a lot of detail is missing when we use Microsoft Graph to collect logs. We moved to collecting logs through Security Analytics, which gives more details and a larger amount of data that we can use in RSA for threat hunting. I wish more enhancement could be done on the Security Analytics collection.
@DinoCherian why are the plugins being deprecated, since it appears that there is a lot of necessary data that ISN'T available in Microsoft Graph?
For example, my question above about Azure VPN Gateway session logs hasn't been answered. Are those available in the Graph API?
I'm curious to understand what the thinking is here?
Are you currently collecting Azure VPN Gateway session logs from any of the older plugins?
We're currently using the 'azuremonitor' plugin to collect Azure AD logs.
I need to start collecting the Azure VPN Gateway logs within the next week or so and was intending to continue to use the 'azuremonitor' plugin, as I thought that would give me what I need. This Azure Graph stuff doesn't look like it gives the same level of detail that the monitor plugin does, so I want to know why NetWitness would deprecate something that gives MORE features than the alternative.
I need to collect the VPN logs and have the same visibility that I would get from collecting Cisco AnyConnect VPN logs.
The 'azuremonitor' plugin is not getting deprecated. You can continue to use the 'azuremonitor' plugin.
Can you provide us with more information as to what detail is missing. We will look into it. We definitely do not want to deprecate a plugin that provides customers with additional information.
Hi @AhteshamPatel, thanks. Looks like I misunderstood; I thought this one was being deprecated: Azure Monitor Event Source Configuration Guide - NetWitness Community - 570256
Sorry for the late response. Currently, Microsoft Defender and Azure cloud services have important security analytics tables that give us great visibility within RSA NetWitness; these tables are collected through Azure Monitor (Event Hub).
When we initially used Microsoft Graph to collect logs, the vendor support confirmed that not all details (IP address, domain name, etc.) will be sent through Graph and that it is better for the Event Hub to collect the logs.
Based on this we started using it, but unfortunately we are facing a lot of parsing issues with it, though it will have great value once it is done.
Thank you @AbdelrahmanMoha for your reply.
The Azure Monitor plugin will not be deprecated. Regarding parsing issues, please get in touch with the customer support team and we will enhance the parsing.