
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.

MSAzureGraph Universal Plugin for Microsoft Graph API

DinoCherian
2021-11-11 04:53 AM

Microsoft Graph is a Microsoft developer platform that enables integration with multiple services in the Microsoft cloud. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. The Microsoft Graph API is a RESTful web API that gives you access to Microsoft cloud service resources.

In RSA NetWitness 11.5 and higher, we integrated the Microsoft Graph API through the Plugin collection type. This integration lets our customers collect various event types and alerts from Microsoft cloud services through the Microsoft Graph API.

[Image: DinoCherian_0-1635409549434.png]

The event types currently supported by the RSA NetWitness msazuregraph plugin are listed below. The latest azure log parser must be enabled on the NetWitness Log Decoder to parse these events. Please refer to the official RSA documentation for configuration details.

Microsoft Event types Supported via NetWitness msazuregraph Plugin

  • Directory Audit Logs
  • SignIn Logs
  • Security Alerts
  • Risk Detection Logs

In addition to the event types above, customers can collect any other event type supported by the Microsoft Graph API and route it to a custom parser created in NetWitness, or get in touch with RSA NetWitness customer support to have official parsing support added.
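As an added illustration (not code from the original post or from the NetWitness plugin), the following Python walks the four Graph v1.0 collections that back the event types listed above, following `@odata.nextLink` paging the way a collector must, against constructed sample responses; the `sample_fetch` function is an assumed stand-in for an authenticated Graph client.

```python
"""Page through the four Microsoft Graph collections behind the event types
named in the post and normalise them into flat event records (offline)."""
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"

# Public Graph v1.0 paths for the four NetWitness event types.
ENDPOINTS = {
    "directory_audit": f"{GRAPH}/auditLogs/directoryAudits",
    "signin": f"{GRAPH}/auditLogs/signIns",
    "security_alert": f"{GRAPH}/security/alerts",
    "risk_detection": f"{GRAPH}/identityProtection/riskDetections",
}

# Constructed sample responses keyed by URL. The second page of sign-ins is
# reached through @odata.nextLink, exactly as Graph returns it.
SAMPLE: Dict[str, dict] = {
    ENDPOINTS["signin"]: {
        "value": [{"id": "s1", "userPrincipalName": "alice@example.test",
                   "ipAddress": "203.0.113.5",
                   "createdDateTime": "2021-11-11T04:00:00Z"}],
        "@odata.nextLink": ENDPOINTS["signin"] + "?$skiptoken=p2",
    },
    ENDPOINTS["signin"] + "?$skiptoken=p2": {
        "value": [{"id": "s2", "userPrincipalName": "bob@example.test",
                   "ipAddress": "198.51.100.7",
                   "createdDateTime": "2021-11-11T04:01:00Z"}],
    },
    ENDPOINTS["risk_detection"]: {
        "value": [{"id": "r1", "riskEventType": "unfamiliarFeatures",
                   "riskLevel": "medium", "userPrincipalName": "alice@example.test",
                   "ipAddress": "203.0.113.5",
                   "detectedDateTime": "2021-11-11T04:02:00Z"}],
    },
}

def sample_fetch(url: str) -> dict:
    """Assumed stand-in for an authenticated GET (real code sends a bearer token)."""
    return SAMPLE.get(url, {"value": []})

def collect(kind: str, fetch: Callable[[str], dict] = sample_fetch) -> List[dict]:
    """Follow @odata.nextLink until exhausted; tag each record with its kind."""
    url, out = ENDPOINTS[kind], []
    while url:
        page = fetch(url)
        for rec in page.get("value", []):
            out.append({"event_type": kind, "id": rec["id"],
                        "user": rec.get("userPrincipalName"),
                        "ip": rec.get("ipAddress"),
                        "time": rec.get("createdDateTime") or rec.get("detectedDateTime")})
        url = page.get("@odata.nextLink")  # absent on the last page
    return out
```

Stopping on a missing `@odata.nextLink` rather than on an empty `value` is what keeps a collector from silently dropping later pages.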

Note: The Microsoft Azure Admin Logs, Azure AD Audit/Sign-in (via native API) and Microsoft Azure Security Alerts plugins will be deprecated soon, because the native APIs used by those plugins have already been deprecated by Microsoft. Security alerts are also supported in this plugin through the same API. Customers are recommended to start using the Microsoft Graph API plugin instead.

Additional Resources

RSA Netwitness MS Azure Graph API Plugin Configuration Guide

Microsoft Graph Documentation

Microsoft Graph API Guide

Labels:
  • Events
  • Integrations
  • azure log parser
  • Integration
  • Microsoft Graph API
  • plugins
10 Comments
JeremyKerwin
2023-02-28 11:53 PM

Is this also used when I want to ingest things like logs from Azure VPN Gateway for logon session information?

AbdelrahmanMoha
2023-03-02 02:30 AM

Dear Dino,

Currently a lot of detail is missing when we use Microsoft Graph to collect logs, so we moved to collecting logs through Security Analytics, which gives more details and a larger amount of data that we can use for threat hunting in RSA. I wish more enhancement could be done on the Security Analytics collection.

Regards

AM
JeremyKerwin
2023-03-05 10:56 PM

@DinoCherian why are the plugins being deprecated, since it appears that there is a lot of necessary data that ISN'T available in Microsoft Graph?

For example, my question above about Azure VPN Gateway session logs hasn't been answered. Are those available in the Graph API?

I'm curious to understand what the thinking is here.
AhteshamPatel
2023-03-06 06:35 AM

Hi @JeremyKerwin,
Are you currently collecting Azure VPN Gateway session logs from any of the older plugins? 

JeremyKerwin
2023-03-06 10:07 PM

Hi @AhteshamPatel 

We're currently using the 'azuremonitor' plugin to collect Azure AD logs.

I need to start collecting the Azure VPN Gateway logs within the next week or so and was intending to continue to use the 'azuremonitor' plugin, as I thought that would give me what I need. This Azure Graph stuff doesn't look like it gives the same level of detail that the monitor plugin does, so I want to know why NetWitness would deprecate something that gives MORE features than what the alternative is.

I need to collect the VPN logs and have the same visibility that I would get from collecting Cisco AnyConnect VPN logs.
AhteshamPatel
2023-03-07 04:00 AM

Hi @JeremyKerwin,
The 'azuremonitor' plugin is not getting deprecated. You can continue to use the 'azuremonitor' plugin.

AhteshamPatel
2023-03-07 04:02 AM

Hi @AbdelrahmanMoha,
Can you provide us with more information as to what detail is missing? We will look into it. We definitely do not want to deprecate a plugin that provides customers with additional information.

JeremyKerwin
2023-03-07 05:58 PM

Hi @AhteshamPatel, thanks. Looks like I misunderstood; I thought this one was being deprecated: Azure Monitor Event Source Configuration Guide - NetWitness Community - 570256

AbdelrahmanMoha
2023-03-20 04:27 AM

Dear @AhteshamPatel 

Sorry for the late response. Currently, Microsoft Defender and Azure cloud services have important security analytics tables that give us great visibility within RSA NetWitness; these tables are collected through Azure Monitor (Event Hub).

When we initially used Microsoft Graph to collect logs, the vendor support confirmed that not all details (IP address, domain name, etc.) will be sent through Graph, and that it is better to collect the logs through the Event Hub.

Based on this we started using it, but unfortunately we are facing a lot of parsing issues with it, though it will have great value once it is done.

Regards

Abdelrahman Mohammed
AhteshamPatel
2023-03-20 06:34 AM

Thank you @AbdelrahmanMoha for your reply.
The Azure Monitor plugin will not be deprecated. Regarding the parsing issues, please get in touch with the customer support team and we will enhance the parsing.

Regards,

Ahtesham
