The following article is part of a Microsoft Sentinel series on how free or affordable investments in Microsoft Sentinel can complement your primary SIEM with security alerts, curated detections, and both Microsoft 365 and Azure platform logs.
The focus of these articles is on architecting Microsoft and Azure alerts and logs into your SIEM where appropriate, and on bringing in Microsoft Sentinel where it adds value, either for free or at an affordable cost.
The first architecture in the series uses the Microsoft Graph Security API with your SIEM. Many SIEM tools have modules, add-ons, or extensions that talk to the Microsoft Graph Security API, so authentication (an Azure AD app registration granted the SecurityEvents.Read.All application permission) and configuration on the SIEM side are simple.
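If your SIEM has no native module for the Graph Security API, the same pull is a few dozen lines. The following is an added example written for this article, not code from the article or from any SIEM vendor: it authenticates with the client-credentials flow, polls the legacy v1.0 `/security/alerts` endpoint with an OData filter, follows `@odata.nextLink` paging, and returns a checkpoint for the next poll. Assumptions not stated in the article: an app registration with the SecurityEvents.Read.All application permission whose tenant id, client id and secret are supplied through environment variables, and the provider string `Azure Sentinel` for alerts raised by Microsoft Sentinel.

```python
"""Poll the Microsoft Graph Security API for alerts, as a SIEM collector would.

Added example. Assumptions: app-only auth (client credentials) with the
SecurityEvents.Read.All application permission, the legacy v1.0 /security/alerts
endpoint, and "Azure Sentinel" as the provider string for Sentinel alerts.
"""
import datetime as dt
import json
import os
from typing import Any, Callable, Dict, List, Optional
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow: the collector authenticates as the app, no user sign-in.

    The .default scope means "every application permission consented to this app";
    SecurityEvents.Read.All must have been granted in the portal beforehand.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urlopen(Request(TOKEN_URL.format(tenant=tenant_id), data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]


def parse_checkpoint(stamp: str) -> dt.datetime:
    """Graph timestamps are ISO 8601 UTC; fractional seconds are dropped ([:19])."""
    return dt.datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def build_alert_url(since: dt.datetime, provider: Optional[str] = None, top: int = 100) -> str:
    """Alerts created at or after `since` (UTC), optionally restricted to one provider."""
    flt = f"createdDateTime ge {since:%Y-%m-%dT%H:%M:%SZ}"
    if provider:
        flt += f" and vendorInformation/provider eq '{provider}'"
    # quote() keeps '/' and percent-encodes spaces, quotes and colons for the $filter value.
    return f"{GRAPH}/security/alerts?$filter={quote(flt)}&$orderby=createdDateTime%20asc&$top={top}"


def graph_get(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Default transport: one authenticated GET returning the parsed JSON body."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)


def fetch_alerts(token: str, url: str,
                 get: Callable[[str, Dict[str, str]], Dict[str, Any]] = graph_get) -> List[Dict[str, Any]]:
    """Follow @odata.nextLink until the page set is exhausted. `get` is injectable for offline tests."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    alerts: List[Dict[str, Any]] = []
    next_url: Optional[str] = url
    while next_url:
        page = get(next_url, headers)
        alerts.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return alerts


def newest_created(alerts: List[Dict[str, Any]], fallback: dt.datetime) -> dt.datetime:
    """Checkpoint for the next poll: the latest createdDateTime seen, or `fallback` if nothing came back.

    Because the filter uses `ge`, the newest alert is re-read on the next poll; dedupe on `id` downstream.
    """
    stamps = [a["createdDateTime"] for a in alerts if a.get("createdDateTime")]
    return parse_checkpoint(max(stamps)) if stamps else fallback


if __name__ == "__main__":
    token = get_app_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    since = dt.datetime.now(dt.timezone.utc) - dt.timedelta(hours=1)
    batch = fetch_alerts(token, build_alert_url(since, provider="Azure Sentinel"))
    for a in batch:
        print(a["createdDateTime"], a["severity"], a["vendorInformation"]["provider"], a["title"])
    print("next checkpoint:", newest_created(batch, since).isoformat())
```

Drop the `provider` argument to receive every provider the API exposes; keep it when you want Sentinel's own detections in a separate SIEM index from the Defender alerts.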
You will receive only alerts from the Microsoft security providers listed below:
This will not bring in platform logs from Azure AD or Office 365, nor Advanced Hunting data from Defender for Endpoint and the other Microsoft XDR products. Note that Microsoft Sentinel is listed above as a provider as well. In your SIEM architecture you can spin up Microsoft Sentinel in an Azure subscription and connect, for free, the data sources that carry no ingestion charge, such as:
Azure Activity logs (AzureActivity table)
Office 365 activity logs for Exchange Online, SharePoint Online, OneDrive for Business, and Teams (OfficeActivity table)
With those logs ingested you can also turn on curated detections in Microsoft Sentinel. The security alerts those detections raise from the AzureActivity and OfficeActivity tables are then available through the Microsoft Graph Security API, and therefore in your SIEM. You are essentially getting additional, curated detections over the management planes of Azure and Office 365 for no cost and little setup.
The curated detections in Microsoft Sentinel are written by security researchers both within Microsoft and in the wider community. Each one is submitted as a pull request to the Azure-Sentinel repository on GitHub and reviewed by Microsoft security and Sentinel engineers before it is accepted and appears on the Analytics Rule Templates tab. When deciding which detections to enable, filter the templates by data source so you only see rules that the tables you have connected can actually feed.
The proposed architecture, sending alerts to your SIEM through the Microsoft Graph Security API while using the free logs and curated detections in Microsoft Sentinel, looks like this:
Architecture and solutioning is about trade-offs, so when using the Microsoft Graph Security API integration with your SIEM the following must be noted:
Near Real Time (NRT) analytics rule alerts from Sentinel are not exposed through the Microsoft Graph Security API
Advanced multistage attack detection (Fusion) alerts from Sentinel are not exposed through the Microsoft Graph Security API
Most entity information is passed in the Extended Properties field, but not all of it
Defender for Identity alerts are available only through the Defender for Cloud Apps integration
No platform logs are available through the API, only security alerts
In next week's article we will explore a slightly different approach, using Sentinel and Event Hub to achieve the same alert delivery to your SIEM with added entity context. Until then, let's secure more with less.