
Microsoft Graph

The Microsoft Graph managed log source allows you to collect audit, reporting, and other logs from Microsoft 365 directly into Matano.

Prerequisites

To get started with the Microsoft Graph managed log source, follow these steps:

Usage

Use the Microsoft Graph managed log source by specifying the managed.type property in your log_source as MSFT.

# log_source.yml
name: msft

managed:
  type: MSFT
  properties:
    client_id: "a6a67fa7-5859-4049-810c-56064b625571"
    tenant_id: "91615f41-f094-4894-acfa-feef044fb180"

For each table you would like to enable for this managed log source, create a file named <table_name>.yml under a tables/ subdirectory in your log source directory. For example:

my-matano-dir/
└── log_sources/
    └── msft/
        ├── log_source.yml
        └── tables/
            └── aad_signinlogs.yml

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.

Secret

To finish onboarding the log source, populate the client_secret key in the secret that Matano generated in AWS Secrets Manager with the client secret of the Azure Active Directory application registration whose client_id and tenant_id you configured above.
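The following script is an added example and not Matano's own code. It checks that the application secret actually works against Microsoft Graph (client-credentials token, then one request to each endpoint the two tables are fed from) before writing it into the Matano-generated secret, and it preserves any other keys already stored there. The secret name MATANO_SECRET_ID is a hypothetical placeholder for whatever name Matano generated; the client_id and tenant_id are the placeholder values from log_source.yml above; the Graph permissions named in the comment are the ones Microsoft documents for those endpoints, not something this page states.

```python
"""Validate an Azure AD app registration's client secret against Microsoft
Graph, then store it under the client_secret key of the Matano-generated
secret in AWS Secrets Manager.

Added example, not Matano's code. MATANO_SECRET_ID is hypothetical; replace it
with the name of the secret Matano generated for this log source.
"""
import getpass
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

CLIENT_ID = "a6a67fa7-5859-4049-810c-56064b625571"   # placeholder from log_source.yml above
TENANT_ID = "91615f41-f094-4894-acfa-feef044fb180"   # placeholder from log_source.yml above
MATANO_SECRET_ID = "matano/msft/secret"              # hypothetical name; use the one Matano generated


def token_url(tenant_id: str) -> str:
    """v2.0 token endpoint for the client-credentials grant in one tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def merge_client_secret(existing_secret_string: Optional[str], client_secret: str) -> str:
    """Build the new SecretString: keep every key already in the secret and
    set only client_secret. Refuses an empty secret so a bad paste does not
    silently break the Graph pull, and refuses to clobber a non-object value."""
    if not client_secret.strip():
        raise ValueError("client_secret is empty")
    data = json.loads(existing_secret_string) if existing_secret_string else {}
    if not isinstance(data, dict):
        raise ValueError("existing secret is not a JSON object; refusing to overwrite it")
    data["client_secret"] = client_secret
    return json.dumps(data)


def fetch_token(client_secret: str) -> str:
    """Client-credentials flow: exchange app id + secret for a Graph bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(token_url(TENANT_ID), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def check_graph_access(token: str) -> None:
    """Touch the two collections behind aad_signinlogs and aad_auditlogs.
    An HTTP 403 here means the app registration is missing admin-consented
    application permissions (Microsoft documents AuditLog.Read.All and
    Directory.Read.All for these endpoints)."""
    for path in ("auditLogs/signIns", "auditLogs/directoryAudits"):
        req = urllib.request.Request(
            f"https://graph.microsoft.com/v1.0/{path}?$top=1",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            json.load(resp)["value"]  # KeyError if the body is not the expected collection


def store_client_secret(client_secret: str) -> None:
    """Write client_secret into the existing Matano secret without dropping other keys."""
    import boto3  # imported here so the Graph check can run on a host without boto3
    sm = boto3.client("secretsmanager")
    current = sm.get_secret_value(SecretId=MATANO_SECRET_ID).get("SecretString")
    sm.put_secret_value(SecretId=MATANO_SECRET_ID,
                        SecretString=merge_client_secret(current, client_secret))


if __name__ == "__main__":
    # Take the secret from an env var (automation) or a hidden prompt, never
    # from argv, so it does not land in shell history or `ps` output.
    secret = os.environ.get("AZURE_CLIENT_SECRET") or getpass.getpass("Azure AD client secret: ")
    check_graph_access(fetch_token(secret))
    store_client_secret(secret)
    print("client_secret validated against Microsoft Graph and stored in Secrets Manager")
```

Run it with AWS credentials that can read and write the Matano secret; if the Graph check fails with 403, grant and admin-consent the application permissions on the app registration before storing the secret, since Matano's pull will fail in the same way.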

Tables

The Microsoft Graph managed log source supports the following tables:

Table          Identifier        Description
Sign-in Logs   aad_signinlogs    Review errors and patterns in Azure Active Directory (Azure AD) sign-in activity.
Audit Logs     aad_auditlogs     Every logged event in Azure AD, including changes to applications, groups, users, and licenses.

Ingest

Pull (default)

Matano integrates with Microsoft Graph to automatically pull the relevant logs on a regular schedule (every minute).

Schema

Microsoft Graph event data is normalized to ECS fields. Custom fields are normalized into the azure field. You can view the complete mappings to see the full schema.