# Microsoft Graph Logs

## Overview

Panther fetches Microsoft Graph logs by querying the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0) to obtain security alerts from the following Microsoft security products:

* Azure Active Directory Identity Protection
* Azure Information Protection
* Microsoft 365 (Default, Cloud App Security, Custom Alerts)
* Microsoft Defender for Cloud Apps
* Microsoft Defender for Endpoint
* Microsoft Defender for Identity
* Microsoft Sentinel (formerly Azure Sentinel)

## How to onboard Microsoft Graph logs to Panther

### Prerequisites

* Microsoft Defender for Endpoint and Identity alerts require additional user configuration prior to streaming alerting events to Panther. See [Microsoft's documentation](https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts) for more information.
* When authenticating as a user (delegated permissions), Microsoft Defender for Endpoint requires roles in addition to those required by the Microsoft Graph Security API: only users who hold both a Microsoft Defender for Endpoint role and a Microsoft Graph Security API role can read Microsoft Defender for Endpoint data. Application-only (client credentials) authentication is not subject to this restriction, so we recommend using an application-only token; the Client ID and Client Secret you configure in Step 2 provide exactly that.
* Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps.

### Step 1: Create a Microsoft Entra ID application

1. Log in to [your Azure portal](https://portal.azure.com) and navigate to the **Microsoft Entra ID** service.\
   ![A "Services" header is shown, and under it, Microsoft Entra ID is highlighted](/files/S68KfwOpuElGA52sFO72)
2. Click **App Registrations** in the left sidebar.
3. Click **New Registration**.
4. Fill in the fields:
   * Enter a descriptive name for your application.
   * For **Supported account types**, select **Accounts in this organizational directory only**.
5. Click **Register**.
6. On the left sidebar, click **Certificates and Secrets**.
7. Click **New Client Secret**.
   * Add a description for the secret (e.g., Panther integration).
   * Set the **Expires** field to `24 Months`. Record the expiry date: once the secret expires, Panther can no longer obtain tokens and ingestion stops, so rotate the secret and update the source credentials before then.
8. Click **Add**.
   * The Client Secret is hidden after you navigate away from this page; copy down the **Value** field and store it in a secure location - you will use this as your **Client Secret** value in Step 2.
9. On the left sidebar, click **API Permissions** and then **Add a permission**.
10. Find and click the **Microsoft Graph APIs**.
11. Click **Delegated permissions** and select the **SecurityAlert.Read.All** permission.
12. Click **Application permissions** and select the **SecurityAlert.Read.All** permission.
13. Click **Add permissions** at the bottom of the page.
14. Click **Grant admin consent** on the API permissions page. Application permissions only take effect after an administrator consents to them; without this step the client-credentials token Panther obtains will not carry the `SecurityAlert.Read.All` role and alert pulls will fail.\
    ![The "Configured Permissions" page from the Azure Portal is displayed. There is a link labeled "Grant admin consent for pantherlabsinc" with a green checkmark next to it. In the image there is a red circle around the link.](/files/L1kft7INfHPMqHxjsNF7)
15. After consent has been granted, click the **Overview** tab in the left sidebar to view your **Application (client) ID** and **Directory (tenant) ID**.
    * You will need to provide these to Panther in the next steps.\
      ![In the Azure Portal, the permission page is displayed. The boxes are checked next to ActivityFeed.Read, ActivityFeed.ReadDlp, and ServiceHealth.Read.](/files/jVrEEQ15rrxHn9nce60X)

### Step 2: Create a new Microsoft Graph Source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Select **Microsoft Graph** from the list of available log sources.
4. Click **Start Setup**.
5. On the next screen, fill in the fields:
   * **Name**: Enter a descriptive name for the source, e.g., `My Microsoft Graph logs`.
   * **Tenant ID**: Enter your Tenant ID.
   * **Log Types**: Select at least one log type.
6. Click **Setup**.
7. On the **Credentials** page, enter your **Client ID** and **Client Secret**.
   * The **Client Secret** is the **Value** field you saved in Step 1.
8. Click **Setup**.
9. You will be redirected to a success screen in Panther:

   <figure><img src="/files/IwSaN6I4u2UdEgIQXxWp" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="188"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>
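
Before handing the credentials from Step 1 to Panther it is worth exercising them the way a client-credentials puller does. The script below is an added example written for this page, not Panther's or Microsoft's code: it builds the OAuth2 client-credentials token request, inspects the returned access token for the `SecurityAlert.Read.All` application role (the `roles` claim is empty when admin consent from Step 1 was skipped), and walks the `/security/alerts_v2` collection filtered on `lastUpdateDateTime`, following `@odata.nextLink` paging. The token and Graph endpoints are Microsoft's documented ones; the `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` environment-variable names and the start timestamp are assumptions for this example.

```python
"""Added example (not Panther's or Microsoft's code): exercise the Entra ID app
registration from Step 1 as a client-credentials puller would, and confirm the
token actually carries the SecurityAlert.Read.All application role before
configuring the Panther source.

Only the request construction, JWT inspection and pagination logic run offline;
the live calls at the bottom run when TENANT_ID / CLIENT_ID / CLIENT_SECRET
(assumed variable names) are set in the environment."""
import base64
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "SecurityAlert.Read.All"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """OAuth2 client-credentials request (application-only auth). The .default
    scope asks for every application permission admin-consented in Step 1, so
    no delegated permission or signed-in user is involved."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_roles(access_token: str) -> list[str]:
    """Application roles (`roles` claim) inside a Graph access token. This only
    inspects the payload and does not verify the signature: Graph, not this
    script, is the party that relies on the token."""
    _header, payload, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("roles", [])  # absent entirely when consent was never granted


def missing_roles(access_token: str) -> list[str]:
    """Required roles the token lacks; an empty list means Step 1 is complete."""
    return [r for r in (REQUIRED_ROLE,) if r not in token_roles(access_token)]


def alerts_url(since_rfc3339: str, page_size: int = 100) -> str:
    """First page of alerts_v2, filtered and ordered on lastUpdateDateTime, the
    field used for incremental pulling (spaces encoded as %20, not '+')."""
    params = {
        "$filter": f"lastUpdateDateTime ge {since_rfc3339}",
        "$orderby": "lastUpdateDateTime asc",
        "$top": str(page_size),
    }
    return f"{GRAPH}/security/alerts_v2?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def iter_alerts(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Walk OData paging: yield every alert, following @odata.nextLink until absent."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def http_get_json(url: str, access_token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tenant, client, secret = (os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    if not all((tenant, client, secret)):
        raise SystemExit("set TENANT_ID, CLIENT_ID and CLIENT_SECRET to run the live check")
    url, body = token_request(tenant, client, secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    lacking = missing_roles(token)
    if lacking:
        raise SystemExit(f"token lacks {lacking}: add the Application permission and grant admin consent")
    for alert in iter_alerts(alerts_url("2024-01-01T00:00:00Z"), lambda u: http_get_json(u, token)):
        print(alert["id"], alert.get("severity"), alert.get("title"))
```

A token that is issued but has no `roles` claim is the usual symptom of a registration where the permission was added but admin consent was never granted: the token request succeeds, and only the alert pull returns 403. Checking the claim up front turns that into an immediate, explicit failure.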

## Supported log types

### MicrosoftGraph.SecurityAlert

Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Panther parses the unified Microsoft 365 Defender alert shape returned by the `/security/alerts_v2` endpoint (`microsoft.graph.security.alert`): `firstActivityDateTime` is used as the event time, `lastUpdateDateTime` drives incremental pulling, and the `@odata.type` discriminator on each evidence item is exposed as `at_sign_odata_type`.

Reference: [Microsoft Documentation on Security Alerts](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0).

```yaml
schema: MicrosoftGraph.SecurityAlertV2
description: Unified Microsoft 365 Defender alerts returned by the /security/alerts_v2 endpoint (microsoft.graph.security.alert).
referenceURL: https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0
fields:
  - name: actorDisplayName
    description: The adversary or activity group that is associated with this alert.
    type: string
  - name: additionalData
    description: A free-form bag of provider-specific properties (keys can include spaces; preserved verbatim).
    type: json
  - name: alertPolicyId
    description: ID of the policy that generated the alert; populated only when a specific policy generated it.
    type: string
  - name: alertWebUrl
    description: URL for the alert page in the Microsoft 365 Defender portal.
    type: string
  - name: assignedTo
    description: Owner of the alert, or null if no owner is assigned.
    type: string
  - name: category
    description: The MITRE ATT&CK-aligned attack kill-chain category that the alert belongs to.
    type: string
  - name: classification
    description: 'Specifies whether the alert represents a true threat. Possible values: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.'
    type: string
  - name: comments
    description: Array of comments created by the SecOps team.
    type: array
    element:
      type: object
      fields:
        - name: comment
          description: The comment text.
          type: string
        - name: createdByDisplayName
          description: Display name of the user who created the comment.
          type: string
        - name: createdDateTime
          description: Time the comment was created.
          type: timestamp
          timeFormats:
            - rfc3339
  - name: createdDateTime
    description: Time when Microsoft 365 Defender created the alert.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: customDetails
    description: User-defined custom fields with their values.
    type: json
  - name: description
    description: String value describing the alert.
    type: string
  - name: detectionSource
    description: Detection technology or sensor that identified the notable component or activity.
    type: string
  - name: detectorId
    description: The ID of the detector that triggered the alert.
    type: string
  - name: determination
    description: Result of the investigation. Possible values include apt, malware, securityTesting, multiStagedAttack, etc.
    type: string
  - name: evidence
    description: Collection of evidence related to the alert. Discriminated by @odata.type.
    type: array
    element:
      type: object
      fields:
        - name: at_sign_odata_type
          description: 'Discriminator identifying the alertEvidence subtype (e.g. #microsoft.graph.security.deviceEvidence).'
          rename:
            from: '@odata.type'
          type: string
        - name: createdDateTime
          description: Time the evidence was created and added to the alert.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: verdict
          description: 'Verdict of the automated investigation. Possible values: unknown, suspicious, malicious, noThreatsFound, unknownFutureValue.'
          type: string
        - name: remediationStatus
          description: Status of the remediation action taken on the evidence.
          type: string
        - name: remediationStatusDetails
          description: Details about the remediation status.
          type: string
        - name: roles
          description: Roles the evidence plays in the alert (e.g. attacker, source, destination).
          type: array
          element:
            type: string
        - name: detailedRoles
          description: Detailed role descriptors for the evidence.
          type: array
          element:
            type: string
        - name: tags
          description: Custom tags associated with the evidence.
          type: array
          element:
            type: string
        - name: amazonAccountId
          description: AWS account ID (amazonResourceEvidence).
          type: string
          indicators:
            - aws_account_id
        - name: amazonResourceId
          description: AWS ARN (amazonResourceEvidence).
          type: string
          indicators:
            - aws_arn
        - name: resourceId
          description: Resource ID (azureResourceEvidence).
          type: string
        - name: resourceName
          description: Resource name (azureResourceEvidence, amazonResourceEvidence, googleCloudResourceEvidence).
          type: string
        - name: resourceType
          description: Resource type (azureResourceEvidence, amazonResourceEvidence, googleCloudResourceEvidence).
          type: string
        - name: fullResourceName
          description: Full resource name (googleCloudResourceEvidence).
          type: string
        - name: location
          description: 'Location: string for googleCloudResourceEvidence; geoLocation object for ipEvidence.'
          type: json
        - name: locationType
          description: Location type, e.g. regional / zonal (googleCloudResourceEvidence).
          type: string
        - name: projectId
          description: GCP project ID (googleCloudResourceEvidence).
          type: string
        - name: projectNumber
          description: GCP project number (googleCloudResourceEvidence).
          type: bigint
        - name: name
          description: Resource name (blobContainerEvidence, blobEvidence, kubernetesClusterEvidence, kubernetesNamespaceEvidence, kubernetesPodEvidence, kubernetesServiceEvidence, malwareEvidence).
          type: string
        - name: url
          description: URL of the resource (blobContainerEvidence, blobEvidence, urlEvidence).
          type: string
          indicators:
            - url
        - name: storageResource
          description: Backing storage account reference, an azureResourceEvidence (blobContainerEvidence).
          type: json
        - name: blobContainer
          description: Containing blob container, a blobContainerEvidence (blobEvidence).
          type: json
        - name: etag
          description: Blob ETag (blobEvidence).
          type: string
        - name: fileHashes
          description: Array of fileHash objects (blobEvidence).
          type: json
        - name: args
          description: Container command arguments (containerEvidence).
          type: array
          element:
            type: string
        - name: command
          description: Container command (containerEvidence).
          type: array
          element:
            type: string
        - name: containerId
          description: Container ID (containerEvidence).
          type: string
        - name: image
          description: Container image, a containerImageEvidence (containerEvidence).
          type: json
        - name: isPrivileged
          description: Whether the container runs as privileged (containerEvidence).
          type: boolean
        - name: pod
          description: Containing pod, a kubernetesPodEvidence (containerEvidence).
          type: json
        - name: digestImage
          description: Digest image, a containerImageEvidence (containerImageEvidence).
          type: json
        - name: imageId
          description: Image ID (containerImageEvidence).
          type: string
        - name: registry
          description: Container registry reference (containerImageEvidence).
          type: json
        - name: azureAdDeviceId
          description: Microsoft Entra device ID (deviceEvidence).
          type: string
        - name: defenderAvStatus
          description: Defender Antivirus status (deviceEvidence).
          type: string
        - name: deviceDnsName
          description: Device DNS name (deviceEvidence).
          type: string
          indicators:
            - hostname
        - name: dnsDomain
          description: DNS domain of the device (deviceEvidence).
          type: string
          indicators:
            - domain
        - name: firstSeenDateTime
          description: First time the device was observed (deviceEvidence).
          type: timestamp
          timeFormats:
            - rfc3339
        - name: healthStatus
          description: Device health status (deviceEvidence).
          type: string
        - name: hostName
          description: Host name (deviceEvidence).
          type: string
          indicators:
            - hostname
        - name: ipInterfaces
          description: IP addresses on device interfaces (deviceEvidence).
          type: array
          element:
            type: string
            indicators:
              - ip
        - name: lastExternalIpAddress
          description: Last observed external IP (deviceEvidence).
          type: string
          indicators:
            - ip
        - name: lastIpAddress
          description: Last known IP (deviceEvidence).
          type: string
          indicators:
            - ip
        - name: loggedOnUsers
          description: Users currently logged on the device (deviceEvidence).
          type: json
        - name: mdeDeviceId
          description: Microsoft Defender for Endpoint device ID (deviceEvidence, fileEvidence, processEvidence).
          type: string
        - name: ntDomain
          description: NT domain (deviceEvidence).
          type: string
        - name: onboardingStatus
          description: MDE onboarding status (deviceEvidence).
          type: string
        - name: osBuild
          description: OS build number (deviceEvidence).
          type: bigint
        - name: osPlatform
          description: OS platform (deviceEvidence).
          type: string
        - name: rbacGroupId
          description: MDE RBAC group ID (deviceEvidence).
          type: int
        - name: rbacGroupName
          description: MDE RBAC group name (deviceEvidence).
          type: string
        - name: resourceAccessEvents
          description: Resource access events on the device (deviceEvidence).
          type: json
        - name: riskScore
          description: Device risk score (deviceEvidence).
          type: string
        - name: version
          description: Version (deviceEvidence, kubernetesClusterEvidence).
          type: string
        - name: vmMetadata
          description: VM metadata for cloud-hosted devices (deviceEvidence).
          type: json
        - name: dnsServerIp
          description: DNS server, an ipEvidence object (dnsEvidence).
          type: json
        - name: domainName
          description: DNS domain queried (dnsEvidence).
          type: string
          indicators:
            - domain
        - name: hostIpAddress
          description: Host that issued the query, an ipEvidence object (dnsEvidence).
          type: json
        - name: ipAddresses
          description: Resolved IP addresses, an array of ipEvidence (dnsEvidence).
          type: json
        - name: detectionStatus
          description: Detection status (fileEvidence, processEvidence).
          type: string
        - name: fileDetails
          description: Details of the file (fileEvidence).
          type: object
          fields:
            - name: fileName
              description: File name without path.
              type: string
            - name: filePath
              description: Full file path.
              type: string
            - name: filePublisher
              description: Publisher of the file.
              type: string
            - name: fileSize
              description: File size in bytes.
              type: bigint
            - name: issuer
              description: Issuer of the certificate the file is signed with.
              type: string
            - name: md5
              description: MD5 hash of the file.
              type: string
              indicators:
                - md5
            - name: sha1
              description: SHA1 hash of the file.
              type: string
              indicators:
                - sha1
            - name: sha256
              description: SHA256 hash of the file.
              type: string
              indicators:
                - sha256
            - name: sha256Ac
              description: Activation context SHA256 of the file.
              type: string
            - name: signer
              description: Signer of the certificate the file is signed with.
              type: string
        - name: algorithm
          description: Hash algorithm (fileHashEvidence).
          type: string
        - name: value
          description: Hash value (fileHashEvidence).
          type: string
          indicators:
            - md5
            - sha1
            - sha256
        - name: countryLetterCode
          description: Two-letter country code (ipEvidence).
          type: string
        - name: ipAddress
          description: IP address (ipEvidence).
          type: string
          indicators:
            - ip
        - name: stream
          description: Stream metadata (ipEvidence, userEvidence).
          type: json
        - name: cloudResource
          description: Underlying cloud resource for the cluster, a cloud resource evidence (kubernetesClusterEvidence).
          type: json
        - name: distribution
          description: Cluster distribution, e.g. AKS / EKS / GKE (kubernetesClusterEvidence).
          type: string
        - name: platform
          description: Cluster platform (kubernetesClusterEvidence).
          type: string
        - name: cluster
          description: Containing cluster, a kubernetesClusterEvidence (kubernetesNamespaceEvidence).
          type: json
        - name: labels
          description: Resource labels (kubernetesNamespaceEvidence, kubernetesPodEvidence, kubernetesServiceEvidence).
          type: json
        - name: containers
          description: Containers in the pod, an array of containerEvidence (kubernetesPodEvidence).
          type: json
        - name: controller
          description: Pod controller reference (kubernetesPodEvidence).
          type: json
        - name: ephemeralContainers
          description: Ephemeral containers in the pod (kubernetesPodEvidence).
          type: json
        - name: initContainers
          description: Init containers in the pod (kubernetesPodEvidence).
          type: json
        - name: namespace
          description: Containing namespace, a kubernetesNamespaceEvidence (kubernetesPodEvidence, kubernetesServiceEvidence).
          type: json
        - name: podIp
          description: Pod IP address, an ipEvidence (kubernetesPodEvidence).
          type: json
        - name: serviceAccount
          description: Pod service account reference (kubernetesPodEvidence).
          type: json
        - name: clusterIP
          description: Cluster-internal service IP (kubernetesServiceEvidence).
          type: string
          indicators:
            - ip
        - name: externalIPs
          description: External IPs (kubernetesServiceEvidence).
          type: array
          element:
            type: string
            indicators:
              - ip
        - name: selector
          description: Service label selector (kubernetesServiceEvidence).
          type: json
        - name: servicePorts
          description: Service ports (kubernetesServiceEvidence).
          type: json
        - name: serviceType
          description: Service type, e.g. ClusterIP / NodePort / LoadBalancer (kubernetesServiceEvidence).
          type: string
        - name: category
          description: Malware category, e.g. trojan / ransomware (malwareEvidence).
          type: string
        - name: files
          description: Files associated with the malware, an array of fileEvidence (malwareEvidence).
          type: json
        - name: processes
          description: Processes associated with the malware, an array of processEvidence (malwareEvidence).
          type: json
        - name: destinationAddress
          description: Destination ipEvidence object (networkConnectionEvidence).
          type: json
        - name: destinationPort
          description: Destination port (networkConnectionEvidence).
          type: int
        - name: protocol
          description: Network protocol (networkConnectionEvidence).
          type: string
        - name: sourceAddress
          description: Source ipEvidence object (networkConnectionEvidence).
          type: json
        - name: sourcePort
          description: Source port (networkConnectionEvidence).
          type: int
        - name: imageFile
          description: Image file of the process (processEvidence).
          type: object
          fields:
            - name: fileName
              description: File name without path.
              type: string
            - name: filePath
              description: Full file path.
              type: string
            - name: filePublisher
              description: Publisher of the file.
              type: string
            - name: fileSize
              description: File size in bytes.
              type: bigint
            - name: issuer
              description: Issuer of the certificate the file is signed with.
              type: string
            - name: md5
              description: MD5 hash of the file.
              type: string
              indicators:
                - md5
            - name: sha1
              description: SHA1 hash of the file.
              type: string
              indicators:
                - sha1
            - name: sha256
              description: SHA256 hash of the file.
              type: string
              indicators:
                - sha256
            - name: sha256Ac
              description: Activation context SHA256 of the file.
              type: string
            - name: signer
              description: Signer of the certificate the file is signed with.
              type: string
        - name: parentProcessCreationDateTime
          description: Parent process creation time (processEvidence).
          type: timestamp
          timeFormats:
            - rfc3339
        - name: parentProcessId
          description: Parent process ID (processEvidence).
          type: bigint
        - name: parentProcessImageFile
          description: Parent process image file (processEvidence).
          type: object
          fields:
            - name: fileName
              description: File name without path.
              type: string
            - name: filePath
              description: Full file path.
              type: string
            - name: filePublisher
              description: Publisher of the file.
              type: string
            - name: fileSize
              description: File size in bytes.
              type: bigint
            - name: issuer
              description: Issuer of the certificate the file is signed with.
              type: string
            - name: md5
              description: MD5 hash of the file.
              type: string
              indicators:
                - md5
            - name: sha1
              description: SHA1 hash of the file.
              type: string
              indicators:
                - sha1
            - name: sha256
              description: SHA256 hash of the file.
              type: string
              indicators:
                - sha256
            - name: sha256Ac
              description: Activation context SHA256 of the file.
              type: string
            - name: signer
              description: Signer of the certificate the file is signed with.
              type: string
        - name: processCommandLine
          description: Process command line (processEvidence).
          type: string
        - name: processCreationDateTime
          description: Process creation time (processEvidence).
          type: timestamp
          timeFormats:
            - rfc3339
        - name: processId
          description: Process ID (processEvidence).
          type: bigint
        - name: userAccount
          description: User account associated with the evidence (processEvidence, userEvidence).
          type: object
          fields:
            - name: accountName
              description: User account name.
              type: string
              indicators:
                - username
            - name: activeDirectoryObjectGuid
              description: On-prem AD object GUID.
              type: string
            - name: azureAdUserId
              description: Microsoft Entra user object ID.
              type: string
            - name: displayName
              description: User display name.
              type: string
            - name: domainName
              description: User domain name.
              type: string
              indicators:
                - domain
            - name: userPrincipalName
              description: User principal name (UPN).
              type: string
              indicators:
                - email
            - name: userSid
              description: Security identifier (SID) of the user.
              type: string
            - name: resourceAccessEvents
              description: Resource access events associated with the user account.
              type: json
  - name: firstActivityDateTime
    required: true
    description: The earliest activity associated with the alert. Used as p_event_time.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: id
    required: true
    description: Unique identifier assigned to the alert.
    type: string
  - name: incidentId
    description: Unique identifier of the incident this alert is associated with.
    type: string
  - name: incidentWebUrl
    description: URL for the incident page in the Microsoft 365 Defender portal.
    type: string
  - name: investigationState
    description: State of an automated investigation.
    type: string
  - name: lastActivityDateTime
    description: The latest activity associated with the alert.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: lastUpdateDateTime
    description: Time when the alert was last updated. Used by the puller as the pagination filter field, not as p_event_time.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: mitreTechniques
    description: Attack techniques aligned with the MITRE ATT&CK framework.
    type: array
    element:
      type: string
      indicators:
        - mitre_attack_technique
  - name: productName
    description: Product that published the alert (e.g. 'Microsoft Defender for Cloud').
    type: string
  - name: providerAlertId
    description: ID of the alert as it appears in the security provider product that generated it.
    type: string
  - name: recommendedActions
    description: Recommended response and remediation actions to take in the event this alert was generated.
    type: string
  - name: resolvedDateTime
    description: Time when the alert was resolved.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: serviceSource
    description: Service or product that created the alert (e.g. microsoftDefenderForCloud, microsoftDefenderForEndpoint).
    type: string
  - name: severity
    description: 'Possible impact on assets. Possible values: informational, low, medium, high, unknownFutureValue.'
    type: string
  - name: status
    description: 'Lifecycle status of the alert. Possible values: new, inProgress, resolved, unknownFutureValue.'
    type: string
  - name: systemTags
    description: System tags associated with the alert.
    type: array
    element:
      type: string
  - name: tenantId
    required: true
    description: Microsoft Entra tenant the alert was created in.
    type: string
  - name: threatDisplayName
    description: The threat associated with this alert.
    type: string
  - name: threatFamilyName
    description: The threat family associated with this alert.
    type: string
  - name: title
    description: Brief identifying string describing the alert.
    type: string
```
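
The alerts_v2 collection re-emits the same alert `id` with a newer `lastUpdateDateTime` on every status or classification change, so a detection over this log type has to filter on lifecycle state and dedup on the alert id rather than firing on every row. The rule below is an added example written for this page, not a Panther-managed detection: it fires on `new`/`inProgress` alerts of high or medium severity that are not classified as false positives, maps Microsoft's lowercase severities onto Panther's, and reduces the `evidence` array to the identifiers a responder needs, keyed by the renamed `at_sign_odata_type` discriminator. The sample event and every identifier in it are constructed placeholders; the `EVIDENCE_KEYS` selection of fields per evidence subtype is this example's choice, not part of the schema.

```python
"""Added example (not a Panther-managed detection): a Panther Python rule over
MicrosoftGraph.SecurityAlert events. Uses only plain dict access so it runs
stand-alone; the Panther event object supports the same .get() calls."""

ACTIONABLE_STATUS = {"new", "inProgress"}
# Microsoft alert severities (lowercase) -> Panther severities.
SEVERITY_MAP = {"high": "HIGH", "medium": "MEDIUM", "low": "LOW", "informational": "INFO"}
# Per evidence subtype, the schema fields surfaced in alert_context (example's own choice).
EVIDENCE_KEYS = {
    "#microsoft.graph.security.deviceEvidence": ("deviceDnsName", "lastIpAddress"),
    "#microsoft.graph.security.userEvidence": ("userAccount",),
    "#microsoft.graph.security.processEvidence": ("processCommandLine", "processId"),
    "#microsoft.graph.security.ipEvidence": ("ipAddress", "countryLetterCode"),
    "#microsoft.graph.security.fileEvidence": ("fileDetails",),
}


def rule(event) -> bool:
    # Resolved alerts and confirmed false positives are still re-delivered as
    # updates; skip them so closing an alert in Defender does not re-page anyone.
    if event.get("status") not in ACTIONABLE_STATUS:
        return False
    if event.get("classification") == "falsePositive":
        return False
    return SEVERITY_MAP.get(event.get("severity"), "INFO") in ("HIGH", "MEDIUM")


def severity(event) -> str:
    return SEVERITY_MAP.get(event.get("severity"), "INFO")


def title(event) -> str:
    return f"[{event.get('serviceSource', 'unknown')}] {event.get('title', 'Microsoft Graph security alert')}"


def dedup(event) -> str:
    # Every update of one Defender alert collapses into one Panther alert.
    return event.get("id", "")


def malicious_evidence(event) -> list:
    """Evidence items with a malicious/suspicious verdict, reduced to the
    identifiers a responder needs, keyed by the @odata.type discriminator
    (stored as at_sign_odata_type by the schema rename)."""
    out = []
    for ev in event.get("evidence") or []:
        if ev.get("verdict") not in ("malicious", "suspicious"):
            continue
        kind = ev.get("at_sign_odata_type", "")
        item = {"type": kind.rsplit(".", 1)[-1], "verdict": ev["verdict"], "roles": ev.get("roles", [])}
        for key in EVIDENCE_KEYS.get(kind, ()):
            if key in ev:
                item[key] = ev[key]
        out.append(item)
    return out


def alert_context(event) -> dict:
    return {
        "incidentWebUrl": event.get("incidentWebUrl"),
        "alertWebUrl": event.get("alertWebUrl"),
        "mitreTechniques": event.get("mitreTechniques", []),
        "evidence": malicious_evidence(event),
    }


# Constructed sample event shaped like the schema above; all values are placeholders.
SAMPLE_EVENT = {
    "id": "sample-alert-0001",
    "title": "Suspicious PowerShell command line",
    "status": "new",
    "severity": "high",
    "serviceSource": "microsoftDefenderForEndpoint",
    "incidentWebUrl": "https://security.microsoft.com/incidents/0?tid=placeholder",
    "mitreTechniques": ["T1059.001"],
    "evidence": [
        {"at_sign_odata_type": "#microsoft.graph.security.deviceEvidence", "verdict": "suspicious",
         "roles": ["target"], "deviceDnsName": "ws-042.corp.example", "lastIpAddress": "10.1.2.3"},
        {"at_sign_odata_type": "#microsoft.graph.security.processEvidence", "verdict": "malicious",
         "roles": ["attacker"], "processId": 4412,
         "processCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"at_sign_odata_type": "#microsoft.graph.security.ipEvidence", "verdict": "noThreatsFound",
         "roles": ["source"], "ipAddress": "10.1.2.3"},
    ],
}
```

Because `evidence` is a discriminated union, a rule should branch on `at_sign_odata_type` before reading subtype-specific fields; fields such as `name`, `location` or `category` mean different things across subtypes, which is why the schema types several of them as `json`.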

