The Microsoft Graph managed log source allows you to collect various audit, reporting, and other logs from Microsoft 365 directly into Matano.
To get started with the Microsoft Graph managed log source, follow these steps:
- Create an Azure Active Directory application to be able to access the Microsoft Graph API.
- Grant admin consent to the application so that the credentials can be accessed programmatically.
- Grant relevant permissions to the application. These will depend on the tables you want to use, but at a minimum Directory.Read.All permissions are required.
- Create an application secret for the application. Matano will use these credentials to access the Microsoft Graph API.
- Make note of your Tenant ID, Client ID, and Client secret.
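
Before handing the credentials to Matano, it helps to confirm that consent actually landed on the application. The following is an added example, not Matano's or Microsoft's code: it builds the client-credentials token request for the noted Tenant ID, Client ID and Client secret, and checks an app-only token's `roles` claim for the required permissions. Assumptions: the access token is a JWT carrying `tid` and `roles` claims, `AuditLog.Read.All` is needed for the log tables (per Microsoft Graph's documentation, not this page), and the function names and sample token are constructed for illustration.

```python
import base64
import json

# Assumption: Directory.Read.All is the minimum named on this page; AuditLog.Read.All
# is what Microsoft Graph documents for its sign-in and audit log APIs.
REQUIRED_ROLES = {"Directory.Read.All", "AuditLog.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request for an app-only Graph token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def jwt_claims(access_token):
    """Decode the JWT payload without verifying it (inspection only, not authentication)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(access_token, tenant_id, required=REQUIRED_ROLES):
    """Return the required application permissions absent from the token's roles claim."""
    claims = jwt_claims(access_token)
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued for a different tenant")
    return sorted(set(required) - set(claims.get("roles", [])))


def constructed_token(claims):
    """Build an unsigned sample token so the example runs offline (constructed data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    sample = constructed_token({"tid": tenant, "roles": ["Directory.Read.All"]})
    print(token_request(tenant, "<client-id>", "<client-secret>")[0])
    print("missing:", missing_roles(sample, tenant))
```

An empty result means every required permission is present in the token; a non-empty list names the permissions that still need to be added and consented to in the app registration.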
Use the Microsoft Graph managed log source by specifying the
managed.type property in your
For the tables you would like to enable for this managed log source, under a tables/ subdirectory in your log source directory, create a file with the name <table_name>.yml. For example:
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
To finish onboarding the log source, populate the client_secret key in the secret generated by Matano in AWS Secrets Manager with the value of the Azure Active Directory application secret.
The Microsoft Graph managed log source supports the following tables:
|Sign-in Logs||Review errors and patterns in Azure Active Directory (Azure AD) sign-in activity.|
|Audit Logs||Every logged event in Azure AD, including changes to applications, groups, users, and licenses.|
Matano integrates with Microsoft Graph to automatically pull relevant logs on a regular basis (every 1 min).
Microsoft Graph event data is normalized to ECS fields. Custom fields are normalized into the azure field. You can view the complete mappings to see the full schema.