Hi everyone, I would like to know if there is a possibility to log the events of the calls made through the API to query information. The goal is to know if they are making many calls that triggers an alert in Sentinel to see if an attacker is doing an enumeration. For example, if I run get-EntraUser -All with my user I would like to know where it is logged or if it can be logged, how would that be done? Thanks in advance.

It depends on the calls done. Most workloads do not log "read" operations in the audit log, so you will not be able to address scenarios such as enumerating users and groups. You can however audit logins to the default apps used by the Graph module or Graph explorer, or even block them altogether for end users. It will not stop custom apps, but it's a good option. https://office365itpros.com/2023/10/12/block-powershell-m365/

How to monitor calls to Azure CLI, Powershell, Microsoft Graph... from a user?

Accepted answer

Vasil Michev 106.6K Reputation points MVP

2024-09-13T07:09:47.23+00:00

It depends on the calls done. Most workloads do not log "read" operations in the audit log, so you will not be able to address scenarios such as enumerating users and groups. You can however audit logins to the default apps used by the Graph module or Graph explorer, or even block them altogether for end users. It will not stop custom apps, but it's a good option. https://office365itpros.com/2023/10/12/block-powershell-m365/
Please sign in to rate this answer.
Steven Joseph Paredes Baquerizo 20 Reputation points

2024-09-15T08:28:19.0333333+00:00

Thank you very much, Vasil.

What I have in mind is not to block, but to record the events so that, depending on a threshold, an alert is triggered or at least there is a record that the user xxxx is performing a query, modification or any action, as I think it is important to know what privileged users do.

As you say, maybe it can't be done in all of them, but do you know where (log analytics, for example) to check that information?

Thanks in advance.

Vasil Michev 106.6K Reputation points MVP

2024-09-15T17:32:24.02+00:00

The Unified audit log is where most of these operations are logged: https://learn.microsoft.com/en-us/purview/audit-solutions-overview

You can also access this data programmatically via the Management activities API or PowerShell, and most log aggregators/SIEMs out there have integration with it. Here's the Sentinel solution for example: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-office365?tab=Overview

Steven Joseph Paredes Baquerizo 20 Reputation points

2024-09-19T09:50:31.71+00:00

I will investigate what logs are recorded in the link you pass me.

For the moment and in case it solves someone else's doubt, for the Microsoft Graph part I have found that you have to activate MicrosoftGraphActivityLogs to collect that information in Entra ID.

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-with-microsoft-graph-activity-logs/ba-p/4234632

Thank you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to monitor calls to Azure CLI, Powershell, Microsoft Graph... from a user?

0 additional answers

Your answer