Microsoft Entra ID (via Graph API)
Overview
**Microsoft Entra ID (Graph API)** is a cloud-based identity and access management service developed and operated by Microsoft Corporation.
- Vendor: Microsoft
- Supported environment: SaaS
- Detection based on: Telemetry
- Supported application or feature: Application logs, Authentication logs
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Scalability
This integration collects events by polling the Microsoft Graph API, which is recommended only for small environments. For larger environments, use the Microsoft Entra ID / Azure AD integration, which streams logs through an Event Hub instead of polling (see Microsoft Entra ID).
Configure
How to create an app registration with proper permissions
To connect Microsoft Entra ID to Sekoia.io, you need to create an app registration with the permissions required to read Entra ID audit and sign-in logs. Follow these steps:
- Sign in to the Azure portal and navigate to Microsoft Entra ID.
- Click App registrations in the left navigation pane, then click New registration.
- Enter a name for the application (e.g., sekoia-logs-reader) and click Register.
- Copy the Application (client) ID and Directory (tenant) ID to a safe location. You'll need these values to configure the connector in Sekoia.io.
How to generate a client secret
After creating the app registration, you need to generate a client secret for authentication:
- Click Certificates & secrets in the left navigation pane.
- Click New client secret to generate a new secret.
- Enter a description for the secret (e.g., sekoia-connector-secret) and select an expiration period, then click Add.
- Copy the Value of the client secret to a safe location. You'll need this secret to configure the connector in Sekoia.io.
Warning
- The client secret value is only shown when you create it. If you lose it, you must create a new client secret.
- Store this secret securely and never share it publicly.
- Rotate client secrets regularly, and note the expiration date you selected: once the secret expires, the connector can no longer obtain tokens and log collection stops until a new secret is configured.
Required API permissions
The app registration must have the following Microsoft Graph application permissions to fetch Entra ID audit and sign-in logs:
{
"permissions": [
"AuditLog.Read.All",
"Directory.Read.All"
]
}
Required Permissions:
- AuditLog.Read.All: read the audit log and sign-in log endpoints
- Directory.Read.All: read directory data. Microsoft Graph lists this permission alongside AuditLog.Read.All for the audit and sign-in log endpoints, so grant both.
How to grant API permissions
To grant the required permissions to your app registration:
- Click API permissions in the left navigation pane.
- Click Add a permission to add new permissions.
- Select Microsoft Graph as the API.
- Select Application permissions (not Delegated permissions: the connector authenticates as the application itself, without a signed-in user) and search for the required permissions: AuditLog.Read.All and Directory.Read.All.
- Click Add permissions to add the selected permissions.
- Click Grant admin consent to grant the permissions (requires an administrator role allowed to grant tenant-wide consent). Until consent is granted, the permissions are listed on the app but are not present in the tokens it receives.
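Before creating the intake, it is worth confirming that the app registration actually works. The script below is an added example, not Sekoia.io's connector code: it builds the client-credentials token request the connector performs, decodes the returned access token to check that the roles claim carries both application permissions (the claim is only populated once admin consent has been granted), and builds the first page URL for the two audit-log endpoints. The token endpoint, the .default scope and the Graph paths are Microsoft's; the function names, SAMPLE_TOKEN (a constructed, unsigned token) and SAMPLE_SINCE are this example's own assumptions.

```python
"""Pre-flight checks for the Entra ID Graph API app registration.

Added example, not Sekoia.io's connector code. Constructed sample values are
labelled as such; nothing here talks to the network unless run as a script
with real credentials passed through the environment.
"""
import base64
import json
import os
from datetime import datetime, timezone
from typing import Optional, Set, Tuple
from urllib.parse import quote, urlencode

REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}
GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed checkpoint for the stand-alone run below (constructed value).
SAMPLE_SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Return (URL, form body) for the OAuth2 client-credentials grant.

    Application permissions are consented on the app registration, so the
    scope is always the Graph .default scope, never an individual permission.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    This only inspects what the token carries; Graph validates the signature
    server-side. Never use this as an authentication check.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required: Set[str] = REQUIRED_ROLES) -> Set[str]:
    """Application permissions show up in the 'roles' claim only after admin
    consent; an absent or empty 'roles' claim means consent was never granted."""
    return set(required) - set(claims.get("roles", []))


def audit_url(log: str, since: datetime, top: int = 100) -> str:
    """First page of /auditLogs/directoryAudits or /auditLogs/signIns newer
    than `since`. Later pages come from '@odata.nextLink' in each response."""
    field = {"directoryAudits": "activityDateTime", "signIns": "createdDateTime"}[log]
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode(
        {"$filter": f"{field} ge {stamp}", "$orderby": field, "$top": str(top)},
        quote_via=quote,  # %20 for spaces rather than '+'
    )
    return f"{GRAPH}/auditLogs/{log}?{query}"


def next_link(page: dict) -> Optional[str]:
    """Graph pages results; stop polling when '@odata.nextLink' is absent."""
    return page.get("@odata.nextLink")


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample: consent was granted for AuditLog.Read.All only.
SAMPLE_TOKEN = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["AuditLog.Read.All"],
})

if __name__ == "__main__":
    print("missing roles in sample token:", missing_roles(token_claims(SAMPLE_TOKEN)))
    print(audit_url("signIns", SAMPLE_SINCE))
    # Real check: export ENTRA_TENANT_ID, ENTRA_CLIENT_ID, ENTRA_CLIENT_SECRET first.
    if all(k in os.environ for k in ("ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET")):
        from urllib.request import urlopen
        url, body = token_request(os.environ["ENTRA_TENANT_ID"],
                                  os.environ["ENTRA_CLIENT_ID"],
                                  os.environ["ENTRA_CLIENT_SECRET"])
        token = json.load(urlopen(url, body))["access_token"]
        print("missing roles in live token:", missing_roles(token_claims(token)) or "none")
```

If the live run reports a missing role, the permission was added to the app registration but admin consent was not granted (or was granted before the permission was added); re-run Grant admin consent and request a fresh token, since existing tokens keep their roles until they expire.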
Create your intake
- Go to the intake page and create a new intake from the format GraphAPI for Microsoft Entra ID / Azure AD.
- To fill the form, use the Directory (tenant) ID, Application (client) ID and client secret value recorded during the app registration steps above (no Event Hub is involved in this integration).
Enjoy your events on the Events page
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake GraphAPI for Microsoft Entra ID / Azure AD [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules are listed but might not be relevant to this intake.
SEKOIA.IO x GraphAPI for Microsoft Entra ID / Azure AD [BETA] on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User to Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User from Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
Backup Catalog Deleted
The rule detects when the Backup Catalog has been deleted. It means the administrators will not be able to access any backups that were created earlier to perform recoveries. This is often being done using the wbadmin.exe tool.
- Effort: intermediate
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded.
- Effort: intermediate
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded. This would indicate a successful attack against the DHCP service, allowing an attacker to disrupt the service or alter the integrity of the responses.
- Effort: intermediate
DNS Server Error Failed Loading The ServerLevelPluginDLL
This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded. This requires the dedicated Windows event provider Microsoft-Windows-DNS-Server-Service.
- Effort: master
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could do this to ease lateral movement between domains, or to cut off the ability of two domains to communicate.
- Effort: advanced
Dynamic DNS Contacted
Detects communication with a dynamic DNS domain. This kind of domain is often used by attackers. This rule can trigger false positives in non-controlled environments because dynamic DNS is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Microsoft Defender Antivirus History Deleted
Windows Defender history has been deleted. Could be an attempt by an attacker to remove its traces.
- Effort: master
Microsoft Defender Antivirus Tampering Detected
Detection of Windows Defender Tampering, from definitions' deletion to deactivation of parts or all of Defender.
- Effort: advanced
Microsoft Defender Antivirus Threat Detected
Detection of a Windows Defender alert indicating the presence of potential malware
- Effort: advanced
Nimbo-C2 User Agent
Nimbo-C2 Uses an unusual User-Agent format in its implants.
- Effort: intermediate
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: master
Potential Bazar Loader User-Agents
Detects potential Bazar loader communications through the user-agent
- Effort: elementary
Potential Lemon Duck User-Agent
Detects the LemonDuck user agent. The format uses two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what's left on to the next relay in the list.
- Effort: master
User Account Created
Detects user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this to your Windows server logs and not to your DC logs. One default account, defaultuser0, is excluded as it is only used during Windows setup. This detection uses Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Authentication logs | None |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\n \"id\": \"id\",\n \"category\": \"UserManagement\",\n \"correlationId\": \"da159bfb-54fa-4092-8a38-6e1fa7870e30\",\n \"result\": \"success\",\n \"resultReason\": \"Successfully added member to group\",\n \"activityDisplayName\": \"Add member to group\",\n \"activityDateTime\": \"2018-01-09T21:20:02.7215374Z\",\n \"loggedByService\": \"Core Directory\",\n \"initiatedBy\": {\n \"user\": {\n \"id\": \"728309ae-1a37-4937-9afe-e35d964db09b\",\n \"displayName\": \"Audry Oliver\",\n \"userPrincipalName\": \"bob@wingtiptoysonline.com\",\n \"ipAddress\": \"127.0.0.1\"\n },\n \"app\": null\n },\n \"targetResources\": [{\n \"id\": \"ef7e527d-6c92-4234-8c6d-cf6fdfb57f95\",\n \"displayName\": \"Example.com\",\n \"Type\": \"Group\",\n \"modifiedProperties\": [{\n \"displayName\": \"Action Client Name\",\n \"oldValue\": null,\n \"newValue\": \"DirectorySync\"}],\n \"groupType\": \"unifiedGroups\"\n }, \n {\n \"id\": \"1f0e98f5-3161-4c6b-9b50-d488572f2bb7\",\n \"displayName\": null,\n \"Type\": \"User\",\n \"modifiedProperties\": [],\n \"userPrincipalName\": \"bob@contoso.com\"\n }],\n \"additionalDetails\": [{\n \"key\": \"Additional Detail Name\",\n \"value\": \"Additional Detail Value\"\n }]\n }",
"event": {
"dataset": "UserManagement",
"provider": "Core Directory"
},
"@timestamp": "2018-01-09T21:20:02.721537Z",
"cloud": {
"provider": "Azure",
"service": {
"name": "Azure EntraId"
}
},
"related": {
"ip": [
"127.0.0.1"
],
"user": [
"Audry Oliver"
]
},
"service": {
"name": "Core Directory"
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1"
},
"trace": {
"id": "da159bfb-54fa-4092-8a38-6e1fa7870e30"
},
"user": {
"email": "bob@wingtiptoysonline.com",
"id": "728309ae-1a37-4937-9afe-e35d964db09b",
"name": "Audry Oliver"
}
}
{
"message": "{\n \"id\": \"66ea54eb-6301-4ee5-be62-ff5a759b0100\",\n \"createdDateTime\": \"2023-12-01T16:03:35Z\",\n \"userDisplayName\": \"Test Contoso\",\n \"userPrincipalName\": \"testaccount1@contoso.com\",\n \"userId\": \"26be570a-ae82-4189-b4e2-a37c6808512d\",\n \"appId\": \"de8bc8b5-d9f9-48b1-a8ad-b748da725064\",\n \"appDisplayName\": \"Graph explorer\",\n \"ipAddress\": \"131.107.159.37\",\n \"clientAppUsed\": \"Browser\",\n \"correlationId\": \"d79f5bee-5860-4832-928f-3133e22ae912\",\n \"conditionalAccessStatus\": \"notApplied\",\n \"isInteractive\": true,\n \"riskDetail\": \"none\",\n \"riskLevelAggregated\": \"none\",\n \"riskLevelDuringSignIn\": \"none\",\n \"riskState\": \"none\",\n \"riskEventTypes\": [],\n \"resourceDisplayName\": \"Microsoft Graph\",\n \"resourceId\": \"00000003-0000-0000-c000-000000000000\",\n \"status\": {\n \"errorCode\": 0,\n \"failureReason\": null,\n \"additionalDetails\": null\n },\n \"deviceDetail\": {\n \"deviceId\": \"\",\n \"displayName\": null,\n \"operatingSystem\": \"Windows 10\",\n \"browser\": \"Edge 80.0.361\",\n \"isCompliant\": null,\n \"isManaged\": null,\n \"trustType\": null\n },\n \"location\": {\n \"city\": \"Redmond\",\n \"state\": \"Washington\",\n \"countryOrRegion\": \"US\",\n \"geoCoordinates\": {\n \"altitude\": null,\n \"latitude\": 47.68050003051758,\n \"longitude\": -122.12094116210938\n }\n },\n \"appliedConditionalAccessPolicies\": [\n {\n \"id\": \"de7e60eb-ed89-4d73-8205-2227def6b7c9\",\n \"displayName\": \"SharePoint limited access for guest workers\",\n \"enforcedGrantControls\": [],\n \"enforcedSessionControls\": [],\n \"result\": \"notEnabled\"\n },\n {\n \"id\": \"6701123a-b4c6-48af-8565-565c8bf7cabc\",\n \"displayName\": \"Medium signin risk block\",\n \"enforcedGrantControls\": [],\n \"enforcedSessionControls\": [],\n \"result\": \"notEnabled\"\n }\n ]\n }",
"event": {
"code": "0",
"provider": "Microsoft Graph"
},
"@timestamp": "2023-12-01T16:03:35Z",
"azure": {
"entraid": {
"properties": {
"appliedConditionalAccessPolicies": [
{
"displayName": "SharePoint limited access for guest workers",
"enforcedGrantControls": [],
"enforcedSessionControls": [],
"id": "de7e60eb-ed89-4d73-8205-2227def6b7c9",
"result": "notEnabled"
},
{
"displayName": "Medium signin risk block",
"enforcedGrantControls": [],
"enforcedSessionControls": [],
"id": "6701123a-b4c6-48af-8565-565c8bf7cabc",
"result": "notEnabled"
}
],
"clientAppUsed": "Browser",
"conditionalAccessStatus": "notApplied",
"isInteractive": "true",
"resourceId": "00000003-0000-0000-c000-000000000000",
"riskDetail": "none",
"riskEventTypes": [],
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none"
}
}
},
"cloud": {
"provider": "Azure",
"service": {
"name": "Azure EntraId"
}
},
"host": {
"os": {
"name": "Windows 10"
}
},
"related": {
"ip": [
"131.107.159.37"
],
"user": [
"Test Contoso"
]
},
"service": {
"id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"name": "Graph explorer"
},
"source": {
"address": "131.107.159.37",
"geo": {
"city_name": "Redmond",
"country_iso_code": "US",
"location": {
"lat": 47.68050003051758,
"lon": -122.12094116210938
},
"region_name": "Washington"
},
"ip": "131.107.159.37"
},
"trace": {
"id": "d79f5bee-5860-4832-928f-3133e22ae912"
},
"user": {
"email": "testaccount1@contoso.com",
"id": "26be570a-ae82-4189-b4e2-a37c6808512d",
"name": "Test Contoso"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Edge 80.0.361",
"os": {
"name": "Other"
}
}
}
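To make the transformation concrete, the following Python script is an added example and not the Sekoia.io parser: it normalises trimmed copies of the two samples above (the directoryAudit "Add member to group" record and the signIn record) into the same ECS-style keys shown in the transformed output (event.*, user.*, source.*, host.os.name, service.*, trace.id), then runs two custom detection predicates over them of the kind an analyst would write against this intake. The rule names, the trimmed records and the "Remove member from group" activity name matched by the first rule are this example's assumptions, not built-in rules or parser output.

```python
"""Normalise the page's two Graph API samples and run custom detections.

Added example, not the Sekoia.io parser or rule catalog. The two raw records
are trimmed copies of the page's samples (constructed test input).
"""
import json

DIRECTORY_AUDIT = json.dumps({
    "id": "id", "category": "UserManagement",
    "correlationId": "da159bfb-54fa-4092-8a38-6e1fa7870e30",
    "result": "success", "activityDisplayName": "Add member to group",
    "activityDateTime": "2018-01-09T21:20:02.7215374Z",
    "loggedByService": "Core Directory",
    "initiatedBy": {"user": {"id": "728309ae-1a37-4937-9afe-e35d964db09b",
                             "displayName": "Audry Oliver",
                             "userPrincipalName": "bob@wingtiptoysonline.com",
                             "ipAddress": "127.0.0.1"}, "app": None},
    "targetResources": [
        {"id": "ef7e527d-6c92-4234-8c6d-cf6fdfb57f95", "displayName": "Example.com",
         "Type": "Group", "groupType": "unifiedGroups", "modifiedProperties": []},
        {"id": "1f0e98f5-3161-4c6b-9b50-d488572f2bb7", "Type": "User",
         "userPrincipalName": "bob@contoso.com", "modifiedProperties": []}],
})
SIGN_IN = json.dumps({
    "id": "66ea54eb-6301-4ee5-be62-ff5a759b0100",
    "createdDateTime": "2023-12-01T16:03:35Z",
    "userDisplayName": "Test Contoso", "userPrincipalName": "testaccount1@contoso.com",
    "userId": "26be570a-ae82-4189-b4e2-a37c6808512d",
    "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064", "appDisplayName": "Graph explorer",
    "ipAddress": "131.107.159.37", "clientAppUsed": "Browser",
    "correlationId": "d79f5bee-5860-4832-928f-3133e22ae912",
    "conditionalAccessStatus": "notApplied", "isInteractive": True,
    "riskLevelDuringSignIn": "none", "riskState": "none",
    "resourceDisplayName": "Microsoft Graph",
    "status": {"errorCode": 0, "failureReason": None},
    "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 80.0.361"},
    "location": {"city": "Redmond", "state": "Washington", "countryOrRegion": "US"},
})


def normalise(raw: str) -> dict:
    """Map one Graph record to ECS-style keys. A directoryAudit record is
    recognised by 'activityDisplayName', a signIn record by 'createdDateTime'."""
    rec = json.loads(raw)
    if "activityDisplayName" in rec:
        actor = (rec.get("initiatedBy") or {}).get("user") or {}
        return {
            "@timestamp": rec["activityDateTime"],
            "event.dataset": rec["category"],
            "event.provider": rec["loggedByService"],
            "event.action": rec["activityDisplayName"],
            "event.outcome": rec["result"],
            "user.name": actor.get("displayName"),
            "user.email": actor.get("userPrincipalName"),
            "source.ip": actor.get("ipAddress"),
            "trace.id": rec["correlationId"],
            "targets": rec.get("targetResources", []),
        }
    status = rec.get("status") or {}
    return {
        "@timestamp": rec["createdDateTime"],
        "event.code": str(status.get("errorCode", "")),  # page stores it as keyword "0"
        "event.provider": rec.get("resourceDisplayName"),
        "user.name": rec.get("userDisplayName"),
        "user.email": rec.get("userPrincipalName"),
        "user.id": rec.get("userId"),
        "service.id": rec.get("appId"),
        "service.name": rec.get("appDisplayName"),
        "source.ip": rec.get("ipAddress"),
        "source.geo.country_iso_code": (rec.get("location") or {}).get("countryOrRegion"),
        "host.os.name": (rec.get("deviceDetail") or {}).get("operatingSystem"),
        "trace.id": rec.get("correlationId"),
        "ca.status": rec.get("conditionalAccessStatus"),
        "risk.level": rec.get("riskLevelDuringSignIn"),
        "interactive": bool(rec.get("isInteractive")),
    }


def rule_group_membership_change(ev: dict) -> bool:
    """Successful add/remove of a group member; the group and the member are in
    'targets', the actor in user.* and source.ip."""
    return ev.get("event.outcome") == "success" and ev.get("event.action") in (
        "Add member to group", "Remove member from group")


def rule_uncovered_interactive_signin(ev: dict) -> bool:
    """Interactive sign-in that succeeded (errorCode 0) while no Conditional
    Access policy applied, or that carried a sign-in risk level other than none."""
    if ev.get("event.code") != "0" or not ev.get("interactive"):
        return False
    return ev.get("ca.status") == "notApplied" or ev.get("risk.level") not in (None, "none")


def run(raw_events):
    """Return [(rule name, trace.id)] for every event matching a rule."""
    hits = []
    for raw in raw_events:
        ev = normalise(raw)
        for rule in (rule_group_membership_change, rule_uncovered_interactive_signin):
            if rule(ev):
                hits.append((rule.__name__, ev["trace.id"]))
    return hits


if __name__ == "__main__":
    for name, trace in run([DIRECTORY_AUDIT, SIGN_IN]):
        print(name, trace)
```

Both sample records match: the group change because its result is success and its activity is "Add member to group", the sign-in because conditionalAccessStatus is notApplied even though its risk level is none. The trace.id (Graph correlationId) is what lets an analyst pivot from a hit back to the raw record on the Events page.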
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
azure.entraid.properties.appliedConditionalAccessPolicies | array | |
azure.entraid.properties.clientAppUsed | keyword | |
azure.entraid.properties.conditionalAccessStatus | keyword | |
azure.entraid.properties.isInteractive | keyword | |
azure.entraid.properties.resourceId | keyword | |
azure.entraid.properties.riskDetail | keyword | |
azure.entraid.properties.riskEventTypes | keyword | |
azure.entraid.properties.riskLevelAggregated | keyword | |
azure.entraid.properties.riskLevelDuringSignIn | keyword | |
azure.entraid.properties.riskState | keyword | |
cloud.provider | keyword | Name of the cloud provider. |
cloud.service.name | keyword | The cloud service name. |
error.message | match_only_text | Error message. |
event.code | keyword | Identification code for this event. |
event.dataset | keyword | Name of the dataset. |
event.provider | keyword | Source of the event. |
event.reason | keyword | Reason why this event happened, according to the source. |
host.id | keyword | Unique host id. |
host.name | keyword | Name of the host. |
host.os.name | keyword | Operating system name, without the version. |
service.id | keyword | Unique identifier of the running service. |
service.name | keyword | Name of the service. |
source.geo.city_name | keyword | City name. |
source.geo.country_iso_code | keyword | Country ISO code. |
source.geo.region_name | keyword | Region name. |
source.ip | ip | IP address of the source. |
trace.id | keyword | Unique identifier of the trace. |
user.email | keyword | User email address. |
user.id | keyword | Unique identifier of the user. |
user.name | keyword | Short name or login of the user. |
user_agent.original | keyword | Unparsed user_agent string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.