Microsoft Graph

The Microsoft Graph managed log source allows you to collect various audit, reporting, and other logs from Microsoft 365 directly into Matano.


To get started with the Microsoft Graph managed log source, follow these steps:


Use the Microsoft Graph managed log source by specifying the managed.type property in your log_source as MSFT.

# log_source.yml
name: msft

managed:
  type: MSFT
  properties:
    # IDs of the Azure Active Directory application and its tenant
    client_id: "a6a67fa7-5859-4049-810c-56064b625571"
    tenant_id: "91615f41-f094-4894-acfa-feef044fb180"

For the tables you would like to enable for this managed log source, under a tables/ subdirectory in your log source directory, create a file with the name <table_name>.yml. For example:

└── log_sources/
    └── msft/
        ├── log_source.yml
        └── tables/
            └── aad_signinlogs.yml

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.


To finish onboarding the log source, populate the client_secret key in the secret generated by Matano in AWS Secrets Manager, with the value of the Azure Active Directory application secret.
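A pre-commit check for the directory produced by the steps above, as an added example that is not part of Matano or its documentation: it confirms the log source is typed MSFT with GUID-shaped IDs, that only the tables listed on this page are enabled, and that no client_secret has been written into the repository instead of AWS Secrets Manager. The function name lint_msft_log_source, the line-based matching (used instead of a YAML parser to stay dependency-free), and the sample directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SUPPORTED_TABLES = {"aad_signinlogs", "aad_auditlogs"}  # tables listed on this page
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"


def lint_msft_log_source(source_dir):
    """Return a list of findings for one Microsoft Graph log source directory."""
    source_dir = Path(source_dir)
    config = source_dir / "log_source.yml"
    if not config.is_file():
        return ["log_source.yml is missing"]
    text, findings = config.read_text(), []
    if not re.search(r"^\s*type:\s*[\"']?MSFT[\"']?\s*$", text, re.M):
        findings.append("managed.type is not MSFT")
    for key in ("client_id", "tenant_id"):
        if not re.search(rf"^\s*{key}:\s*[\"']?{GUID}[\"']?\s*$", text, re.M):
            findings.append(f"{key} is missing or not a GUID")
    # The application secret belongs in AWS Secrets Manager, never in the repo.
    for yml in sorted(source_dir.rglob("*.yml")):
        if re.search(r"^\s*client_secret\s*:", yml.read_text(), re.M):
            findings.append(f"client_secret found in {yml.relative_to(source_dir)}")
    tables = sorted(p.stem for p in (source_dir / "tables").glob("*.yml"))
    if not tables:
        findings.append("no tables enabled under tables/")
    findings += [f"unsupported table: {t}" for t in tables if t not in SUPPORTED_TABLES]
    return findings


def demo():
    """Lint a constructed log source containing two deliberate mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "log_sources" / "msft"
        (root / "tables").mkdir(parents=True)
        (root / "log_source.yml").write_text(
            "name: msft\nmanaged:\n  type: MSFT\n  properties:\n"
            '    client_id: "00000000-0000-0000-0000-000000000001"\n'
            '    tenant_id: "00000000-0000-0000-0000-000000000002"\n'
            '    client_secret: "constructed-not-a-real-secret"\n'
        )
        (root / "tables" / "aad_signinlogs.yml").touch()
        (root / "tables" / "aad_signinlog.yml").touch()  # misspelled table name
        return lint_msft_log_source(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```
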


The Microsoft Graph managed log source supports the following tables:

Name | Table | Description
--- | --- | ---
Sign-in Logs | aad_signinlogs | Review errors and patterns in Azure Active Directory (Azure AD) sign in activity.
Audit Logs | aad_auditlogs | Every logged event in Azure AD, including changes to applications, groups, users, and licenses.


Pull (default)

Matano integrates with Microsoft Graph to automatically pull relevant logs on a regular basis (every 1 min).


Microsoft Graph event data is normalized to ECS fields. Custom fields are normalized into the azure field. You can view the complete mappings to see the full schema.