# Microsoft Graph API Audit and Compliance

The Microsoft Graph API Audit and Compliance connector provides streamlined access to security and compliance data from Microsoft services, enabling automated processes for monitoring and enhancing organizational security.

The Microsoft Graph API Audit and Compliance connector enables Swimlane Turbine users to automate the retrieval and analysis of sign-in and audit logs, as well as security compliance data, from Microsoft Entra and the Microsoft Graph Security API. This integration facilitates proactive security monitoring, simplifies compliance checks, and enhances organizational security posture by leveraging Microsoft's comprehensive audit trails and Secure Score metrics. Users can customize queries, filter results, and manage security scores directly within Swimlane Turbine, streamlining security operations and compliance management.

## Configuration

### Prerequisites

To utilize the Microsoft Graph API Audit and Compliance connector, ensure you have the following prerequisites:

- Client Credentials and Tenant ID authentication, with these parameters:
  - URL: endpoint for the Microsoft Graph API
  - Client ID: application (client) ID registered in Azure AD
  - Client Secret: confidential string used to authenticate the application
  - Tenant ID: unique identifier of your Azure AD tenant
  - Scope: permissions the app requires
- OAuth 2.0 Client Credentials, with these parameters:
  - URL: endpoint for the Microsoft Graph API
  - Client ID: application (client) ID registered in Azure AD
  - Client Secret: confidential string used to authenticate the application
  - Token URL: URL to obtain the OAuth 2.0 token
  - Scope: permissions the app requires
- Delegated flow authentication, with these parameters:
  - URL: endpoint for the Microsoft Graph API
  - Tenant ID: unique identifier of your Azure AD tenant
  - and so on (see Authentication Methods)

### Authentication Methods

- OAuth 2.0 Client Credentials authentication, with these parameters:
  - URL: endpoint for the Microsoft Graph API
  - Client ID: application (client) ID registered in Azure AD
  - Client Secret: client secret (key) generated for the application in Azure AD
  - Token URL: URL to retrieve the OAuth token
  - Scope: permissions the app requires
- Password grant (delegated authentication), for acting on behalf of a user:
  - URL: endpoint for the Microsoft Graph API
  - Tenant ID: directory ID of the Azure AD tenant
  - OAuth UN: user's username to authenticate
  - OAuth PWD: user's password to authenticate
  - OAuth CL ID: application (client) ID registered in Azure AD
  - OAuth CL Secret: client secret (key) generated for the application in Azure AD
  - Login URL: login URL; the default value is https://login.microsoftonline.com (optional)
  - Scope: permissions the app requires (optional)
- Asset credentials specific to your organization (Microsoft Graph API Asset: Tenant ID):
  - URL: endpoint for the Microsoft Graph API
  - Client ID: application (client) ID registered in Azure AD
  - Client Secret: client secret (key) generated for the application in Azure AD
  - Tenant ID: directory ID of the Azure AD tenant
  - Scope: permissions the app requires
- Authentication for the OAuth2 Refresh Token grant (credentials for Microsoft Graph API authentication):
  - URL: endpoint for the Microsoft Graph API
  - Client ID: application (client) ID registered in Azure AD
  - Client Secret: client secret (key) generated for the application in Azure AD
  - Refresh Token: refresh token
  - Scope: permissions the app requires

## Capabilities

The Microsoft Graph API connector gives the ability to get and update security alerts, and to modify user licenses and sessions:

- Audit Logs Get SignIn
- Audit Logs List SignIns
- Get Secure Control Profiles
- Get Secure Scores List
- Get Secure Score

## Asset Setup

### Client Credential Flow Authentication

Authentication uses an Azure application with OAuth2. You will need an admin account in Azure to create the application.

Recommended application permissions (feel free to use custom permissions if you only use certain actions):

- User.ReadWrite.All
- Directory.ReadWrite.All
- AuditLog.Read.All
- SecurityEvents.ReadWrite.All

In order to set up the asset, you need the following:

- Azure application Client ID
- Azure application Client Secret
- Azure Tenant ID

Steps to create the Azure app:

1. Go to the App registrations blade in the Azure portal: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
2. Click **New registration**.
3. Enter a name for your new application and choose **Accounts in this organizational directory only**, then click **Register** at the bottom.
4. Navigate to the **API permissions** tab on the left navigation menu.
5. Select **Add a permission**.
6. Select **Microsoft Graph**.
7. Select **Application permissions**, then mark all the permissions you need for the actions you are using (see the suggested permissions at the top of the Asset Setup section).
8. Click the **Add permissions** button at the bottom of the page.
9. Select **Grant admin consent** for your organization.
10. Navigate to the **Certificates & secrets** tab and select **New client secret**.
11. Fill out the description and expiration, then click the **Add** button at the bottom. The **Value** of the secret you just created is the Client Secret needed for the Swimlane asset.
12. Navigate to the **Overview** tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.

The Client ID, Tenant ID, and Client Secret described in the steps above are the credentials you need for the asset.

### Password Flow (Delegated Auth)

Use delegated permissions instead of application permissions, and generate the Client ID, Tenant ID, and Client Secret as described in Client Credential Flow Authentication above. This authentication also requires a username and a password.

### Authentication Flow for OAuth2 Refresh Token

The OAuth 2.0 Refresh Token grant requires a Refresh Token, Tenant ID, Client ID and Client Secret. Use this auth with accounts which have MFA enabled. To generate a refresh token, follow the instructions below:

1. In step 3 of the setup instructions above, provide a Redirect URI and select the platform as "Web" before clicking **Register** at the bottom.
2. Proceed with the remaining steps to generate the Client ID, Tenant ID and Client Secret.
3. Add the permissions under **Delegated permissions**.
4. The Swimlane team will provide a Python script and instructions on how to use the script to generate the refresh token.

### Limit Access to Specific Mailboxes

Administrators who want to limit app access to specific mailboxes can create an application access policy by using the `New-ApplicationAccessPolicy` PowerShell cmdlet. For more information, see https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access.

## Action Setup

### OData Filters

Information on the filter input formatting can be found at https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter.

Keep in mind that not specifying a folder as an input will result in the query affecting all possible folders. For example, if we want to ingest only unread emails and we don't set the input `folder`, we will ingest all unread emails from all folders, including "Deleted Items", "Junk", etc.

### Well-Known Folders

Well-known folders can be used instead of folder IDs for email actions. All well-known folder names can be found at https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0.

### Sites: Get Site

All the Sites actions require the Site ID to be executed. The Site ID can be obtained using the action Sites Get Site; in order to run that action, the Site Hostname and Site Name are needed. These two values can be found in a site URL: `https://{site_hostname}.sharepoint.com/sites/{site_name}`. For example, if our site URL is https://swimlaneintegrations.sharepoint.com/sites/integrationssite, we should use:

- Site Hostname: `swimlaneintegrations`
- Site Name: `integrationssite`

After the action executes, you can find the Site ID in the `id` output field.

### Sites: Create List

In order to create a list with its columns, use the input `columns`. You can find all the possible values with their configuration in the following table:

| Property name | Type | Description |
|---|---|---|
| boolean | [booleanColumn](https://docs.microsoft.com/en-us/graph/api/resources/booleancolumn?view=graph-rest-1.0) | This column stores boolean values. |
| calculated | [calculatedColumn](https://docs.microsoft.com/en-us/graph/api/resources/calculatedcolumn?view=graph-rest-1.0) | This column's data is calculated based on other columns. |
| choice | [choiceColumn](https://docs.microsoft.com/en-us/graph/api/resources/choicecolumn?view=graph-rest-1.0) | This column stores data from a list of choices. |
| currency | [currencyColumn](https://docs.microsoft.com/en-us/graph/api/resources/currencycolumn?view=graph-rest-1.0) | This column stores currency values. |
| dateTime | [dateTimeColumn](https://docs.microsoft.com/en-us/graph/api/resources/datetimecolumn?view=graph-rest-1.0) | This column stores DateTime values. |
| geolocation | [geolocationColumn](https://docs.microsoft.com/en-us/graph/api/resources/geolocationcolumn?view=graph-rest-1.0) | This column stores a geolocation. |
| lookup | [lookupColumn](https://docs.microsoft.com/en-us/graph/api/resources/lookupcolumn?view=graph-rest-1.0) | This column's data is looked up from another source in the site. |
| number | [numberColumn](https://docs.microsoft.com/en-us/graph/api/resources/numbercolumn?view=graph-rest-1.0) | This column stores number values. |
| personOrGroup | [personOrGroupColumn](https://docs.microsoft.com/en-us/graph/api/resources/personorgroupcolumn?view=graph-rest-1.0) | This column stores person or group values. |
| text | [textColumn](https://docs.microsoft.com/en-us/graph/api/resources/textcolumn?view=graph-rest-1.0) | This column stores text values. |
| validation | [columnValidation](https://docs.microsoft.com/en-us/graph/api/resources/columnvalidation?view=graph-rest-1.0) | This column stores the validation formula and message for the column. |
| hyperlinkOrPicture | [hyperlinkOrPictureColumn](https://docs.microsoft.com/en-us/graph/api/resources/hyperlinkorpicturecolumn?view=graph-rest-1.0) | This column stores hyperlink or picture values. |
| term | [termColumn](https://docs.microsoft.com/en-us/graph/api/resources/termcolumn?view=graph-rest-1.0) | This column stores taxonomy terms. |
| thumbnail | [thumbnailColumn](https://docs.microsoft.com/en-us/graph/api/resources/thumbnailcolumn?view=graph-rest-1.0) | This column stores thumbnail values. |
| contentApprovalStatus | [contentApprovalStatusColumn](https://docs.microsoft.com/en-us/graph/api/resources/contentapprovalstatuscolumn?view=graph-rest-1.0) | This column stores content approval status. |

For a complete version of this table, see https://docs.microsoft.com/en-us/graph/api/resources/columndefinition?view=graph-rest-1.0#properties.

### Create List Column

Refer to the table above to get the Type Properties and Column Type inputs. The type properties are documented within the links in the Type column.

### Get List Items

In order to use the `filter` input, refer to the OData Filters section. The column used to filter the output must be indexed; see https://support.microsoft.com/en-us/office/add-an-index-to-a-list-or-library-column-f3f00554-b7dc-44d1-a2ed-d477eac463b0?ui=en-US&rs=en-US&ad=US to add an index to a list.

## Limitations

When using `$filter` and `$orderby` in the same query to get messages, make sure to specify properties in the following ways:

- Properties that appear in `$orderby` must also appear in `$filter`.
- Properties that appear in `$orderby` are in the same order as in `$filter`.
- Properties that are present in `$orderby` appear in `$filter` before any properties that aren't.

Failing to do this results in the following error:

- Error code: `InefficientFilter`
- Error message: `The restriction or sort order is too complex for this operation.`

The Assign/Remove User License actions require either the disabled plans and accompanying SKU IDs to assign licenses, or the SKU ID of the license you want to remove.

The Get Security Alert action has additional information it can return. There are a large number of fields that don't relate to many alerts, so they are not mapped; you can add them if desired.

## Notes

- https://social.technet.microsoft.com/wiki/contents/articles/33525.an-introduction-to-microsoft-graph-api.aspx
- https://www.microsoft.com/en-us/security/intelligence-security-api
- https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
- https://docs.microsoft.com/en-us/graph/query-parameters
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
- https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#legacy-application-flow (this is sort of a hack to bypass the manual login that is typically required)
- https://learn.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0

## Configurations

### Microsoft Graph API Asset: Tenant ID

Authenticates using client credentials and tenant ID.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| tenant_id | The tenant ID | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | List of permission scopes for this action | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### Password Grant (Delegated Authentication)

Authenticates on behalf of a user using OAuth 2.0 credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| login_url | | string | optional |
| tenant_id | | string | required |
| oauth_un | The username for authentication | string | required |
| oauth_pwd | The password for authentication | string | required |
| oauth_cl_id | The client ID | string | required |
| oauth_cl_secret | The client secret | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token_url | Must start with `https://login.microsoftonline.com/`, followed by the tenant ID, followed by `/oauth2/v2.0/token` | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | List of permission scopes for this action | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### MS Graph OpenID Connect Refresh Token Grant

Authenticates using a refresh token.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| cl_id | The client ID | string | required |
| cl_secret | The client secret | string | required |
| refresh_token | Refresh token | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Audit Logs Get SignIn

Retrieve details for a specific sign-in event in Microsoft Entra using the provided tenant's unique ID.

- Endpoint URL: `/v1.0/auditLogs/signIns/{{id}}`
- Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | Parameters for the Audit Logs Get SignIn action |

Input example:

```json
{"path_parameters": {"id": "66ea54eb-6301-4ee5-be62-ff5a759b0100"}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| value | array | Value for the parameter |
| value.id | string | Unique identifier |
| value.createdDateTime | string | Value for the parameter |
| value.userDisplayName | string | Name of the resource |
| value.userPrincipalName | string | Name of the resource |
| value.userId | string | Unique identifier |
| value.appId | string | Unique identifier |
| value.appDisplayName | string | Name of the resource |
| value.ipAddress | string | Value for the parameter |
| value.clientAppUsed | string | Value for the parameter |
| value.correlationId | string | Unique identifier |
| value.conditionalAccessStatus | string | Status value |
| value.isInteractive | boolean | Value for the parameter |
| value.riskDetail | string | Value for the parameter |
| value.riskLevelAggregated | string | Value for the parameter |
| value.riskLevelDuringSignIn | string | Value for the parameter |
| value.riskState | string | Value for the parameter |
| value.riskEventTypes | array | Type of the resource |
| value.riskEventTypes.file_name | string | Name of the resource |
| value.riskEventTypes.file | string | Type of the resource |
| value.resourceDisplayName | string | Name of the resource |
| value.resourceId | string | Unique identifier |

Output example:

```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/signIns",
  "value": [
    {
      "id": "66ea54eb-6301-4ee5-be62-ff5a759b0100",
      "createdDateTime": "2023-12-01T16:03:24Z",
      "userDisplayName": "Test Contoso",
      "userPrincipalName": "testaccount1@contoso.com",
      "userId": "26be570a-ae82-4189-b4e2-a37c6808512d",
      "appId": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
      "appDisplayName": "Graph Explorer",
      "ipAddress": "131.107.159.37",
      "clientAppUsed": "Browser",
      "correlationId": "d79f5bee-5860-4832-928f-3133e22ae912",
      "cond
```

### Audit Logs List SignIns

Retrieve Microsoft Entra user sign-in logs to analyze access patterns and trends for a specified tenant.

- Endpoint URL: `/v1.0/auditLogs/signIns`
- Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.$top | number | optional | Sets the page size of results |
| parameters.$skiptoken | string | optional | Retrieves the next page of results from result sets that span multiple pages |
| parameters.$filter | string | optional | Filters results (rows) |

Input example:

```json
{
  "parameters": {
    "$top": 2,
    "$skiptoken": "9177f2e3532fcd4c4d225f68f7b9bdf7_1",
    "$filter": "createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z"
  }
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.nextLink | string | Response data |
| value | array | Value for the parameter |
| value.id | string | Unique identifier |
| value.createdDateTime | string | Value for the parameter |
| value.userDisplayName | string | Name of the resource |
| value.userPrincipalName | string | Name of the resource |
| value.userId | string | Unique identifier |
| value.appId | string | Unique identifier |
| value.appDisplayName | string | Name of the resource |
| value.ipAddress | string | Value for the parameter |
| value.clientAppUsed | string | Value for the parameter |
| value.correlationId | string | Unique identifier |
| value.conditionalAccessStatus | string | Status value |
| value.isInteractive | boolean | Value for the parameter |
| value.riskDetail | string | Value for the parameter |
| value.riskLevelAggregated | string | Value for the parameter |
| value.riskLevelDuringSignIn | string | Value for the parameter |
| value.riskState | string | Value for the parameter |
| value.riskEventTypes | array | Type of the resource |
| value.riskEventTypes.file_name | string | Name of the resource |
| value.riskEventTypes.file | string | Type of the resource |
| value.resourceDisplayName | string | Name of the resource |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.nextLink": "string",
  "value": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "createdDateTime": "string",
      "userDisplayName": "Example Name",
      "userPrincipalName": "Example Name",
      "userId": "string",
      "appId": "string",
      "appDisplayName": "Example Name",
      "ipAddress": "string",
      "clientAppUsed": "string",
      "correlationId": "string",
      "conditionalAccessStatus": "active",
      "isInteractive": true,
      "riskDetail": "string",
      "riskLevelAggregated": "string",
      "riskLevelDuringSignIn": "string"
    }
  ]
}
```

### Get Secure Scores List

Retrieve a list of secure scores from the Microsoft Graph Security API to assess your organization's security posture.

- Endpoint URL: `/v1.0/security/secureScores`
- Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Use the filter query parameter to retrieve just a subset of a collection. For guidance on using filter, see https://learn.microsoft.com/en-us/graph/filter-query-parameter |
| parameters.orderby | string | optional | Use the orderby query parameter to specify the sort order of the items returned from Microsoft Graph |
| parameters.top | number | optional | Sets the page size of results |

Input example:

```json
{"parameters": {"filter": "string", "orderby": "string", "top": 123}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.nextLink | string | Response data |
| value | array | Value for the parameter |
| value.id | string | Unique identifier |
| value.azureTenantId | string | Unique identifier |
| value.activeUserCount | number | Value for the parameter |
| value.createdDateTime | string | Value for the parameter |
| value.currentScore | number | Value for the parameter |
| value.enabledServices | array | Value for the parameter |
| value.licensedUserCount | number | Value for the parameter |
| value.maxScore | number | Value for the parameter |
| value.vendorInformation | object | Value for the parameter |
| value.vendorInformation.provider | string | Unique identifier |
| value.vendorInformation.providerVersion | object | Unique identifier |
| value.vendorInformation.subProvider | object | Unique identifier |
| value.vendorInformation.vendor | string | Value for the parameter |
| value.averageComparativeScores | array | Value for the parameter |
| value.averageComparativeScores.file_name | string | Name of the resource |
| value.averageComparativeScores.file | string | Value for the parameter |
| value.controlScores | array | Value for the parameter |
| value.controlScores.controlCategory | string | Value for the parameter |
| value.controlScores.controlName | string | Name of the resource |
| value.controlScores.description | object | Value for the parameter |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.nextLink": "string",
  "value": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "azureTenantId": "string",
      "activeUserCount": 123,
      "createdDateTime": "string",
      "currentScore": 123,
      "enabledServices": [],
      "licensedUserCount": 123,
      "maxScore": 123,
      "vendorInformation": {},
      "averageComparativeScores": [],
      "controlScores": []
    }
  ]
}
```

### Get Secure Control Profiles

Retrieve a list of secure control profiles to enhance your organization's security posture via the Microsoft Graph Security API.

- Endpoint URL: `/v1.0/security/secureScoreControlProfiles`
- Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Use the filter query parameter to retrieve just a subset of a collection. For guidance on using filter, see https://learn.microsoft.com/en-us/graph/filter-query-parameter |
| parameters.orderby | string | optional | Use the orderby query parameter to specify the sort order of the items returned from Microsoft Graph |
| parameters.top | number | optional | Sets the page size of results |

Input example:

```json
{"parameters": {"filter": "string", "orderby": "string", "top": 123}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.nextLink | string | Response data |
| value | array | Value for the parameter |
| value.id | string | Unique identifier |
| value.azureTenantId | string | Unique identifier |
| value.actionType | string | Type of the resource |
| value.actionUrl | string | URL endpoint for the request |
| value.controlCategory | string | Value for the parameter |
| value.title | string | Value for the parameter |
| value.deprecated | boolean | Value for the parameter |
| value.implementationCost | string | Value for the parameter |
| value.lastModifiedDateTime | object | Value for the parameter |
| value.maxScore | number | Value for the parameter |
| value.rank | number | Value for the parameter |
| value.remediation | string | Value for the parameter |
| value.remediationImpact | string | Value for the parameter |
| value.service | string | Value for the parameter |
| value.threats | array | Value for the parameter |
| value.threats.file_name | string | Name of the resource |
| value.threats.file | string | Value for the parameter |
| value.tier | string | Value for the parameter |
| value.userImpact | string | Value for the parameter |
| value.vendorInformation | object | Value for the parameter |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.nextLink": "string",
  "value": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "azureTenantId": "string",
      "actionType": "string",
      "actionUrl": "string",
      "controlCategory": "string",
      "title": "string",
      "deprecated": true,
      "implementationCost": "string",
      "lastModifiedDateTime": {},
      "maxScore": 123,
      "rank": 123,
      "remediation": "string",
      "remediationImpact": "string",
      "service": "string",
      "threats": []
    }
  ]
}
```

### Get Secure Score

Retrieves a specified secure score from the Microsoft Graph Security API using the provided `id`.

- Endpoint URL: `/v1.0/security/secureScores/{{id}}`
- Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | Secure score ID |
Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| azureTenantId | string | Unique identifier |
| activeUserCount | number | Count value |
| createdDateTime | string | Time value |
| currentScore | number | Score value |
| enabledServices | array | Output field enabledServices |
| licensedUserCount | number | Count value |
| maxScore | number | Score value |
| vendorInformation | object | Output field vendorInformation |
| vendorInformation.provider | string | Unique identifier |
| vendorInformation.providerVersion | object | Unique identifier |
| vendorInformation.subProvider | object | Unique identifier |
| vendorInformation.vendor | string | Output field vendorInformation.vendor |
| averageComparativeScores | array | Output field averageComparativeScores |
| averageComparativeScores.file_name | string | Name of the resource |
| averageComparativeScores.file | string | Output field averageComparativeScores.file |
| controlScores | array | Output field controlScores |
| controlScores.controlCategory | string | Output field controlScores.controlCategory |
| controlScores.controlName | string | Name of the resource |
| controlScores.description | string | Output field controlScores.description |
| controlScores.score | number | Score value |
| controlScores.isApplicable | string | Output field controlScores.isApplicable |

Output example:

```json
{
  "@odata.context": "string",
  "id": "12345678-1234-1234-1234-123456789abc",
  "azureTenantId": "string",
  "activeUserCount": 123,
  "createdDateTime": "string",
  "currentScore": 123,
  "enabledServices": ["string"],
  "licensedUserCount": 123,
  "maxScore": 123,
  "vendorInformation": {
    "provider": "string",
    "providerVersion": {},
    "subProvider": {},
    "vendor": "string"
  },
  "averageComparativeScores": [{"file_name": "Example Name", "file": "string"}],
  "controlScores": [
    {
      "controlCategory": "string",
      "controlName": "Example Name",
      "description": "string"
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | |
| client-request-id | HTTP response header client-request-id | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| OData-Version | HTTP response header OData-Version | |
| request-id | HTTP response header request-id | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| Vary | HTTP response header Vary | |
| x-ms-ags-diagnostic | HTTP response header x-ms-ags-diagnostic | |
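The following Python is an added example, not the Swimlane connector's own code: it builds the client-credentials token request in the `token_url` shape given under OAuth 2.0 Client Credentials, issues the Audit Logs List SignIns query with the `$top`, `$skiptoken` and `createdDateTime` filter from the input example, walks `@odata.nextLink` pages, and keeps only sign-ins that Entra ID Protection still marks at risk. The HTTP layer is an injected callable fed with constructed pages (`SAMPLE_PAGES`, `fake_http_get` and the sign-in records are made up), so it runs offline.

```python
from typing import Callable, Dict, Iterable, Iterator, List
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """Token URL and form body for the client-credentials grant (v2.0 endpoint).
    Scope '<resource>/.default' uses the admin-consented application permissions."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }
    return {"url": f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", "body": urlencode(body)}


def signins_url(start: str, end: str, top: int = 100) -> str:
    """First page of the sign-in query: a createdDateTime window plus $top."""
    params = {"$top": top,
              "$filter": f"createdDateTime ge {start} and createdDateTime le {end}"}
    # quote (not quote_plus) so spaces become %20, as OData expects.
    return f"{GRAPH}/v1.0/auditLogs/signIns?{urlencode(params, quote_via=quote)}"


def iter_signins(first_url: str, http_get: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every record, following @odata.nextLink until the last page."""
    url = first_url
    while url:
        page = http_get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def risky_signins(records: Iterable[dict]) -> List[dict]:
    """Keep sign-ins that Identity Protection scored and that are still open;
    remediated, dismissed or confirmed-safe ones are dropped."""
    return [r for r in records
            if r.get("riskLevelDuringSignIn", "none") not in ("none", "hidden")
            and r.get("riskState") in ("atRisk", "confirmedCompromised")]


# Constructed two-page result set (not real tenant data) using the $top and
# $skiptoken values from the Audit Logs List SignIns input example above.
FIRST_URL = signins_url("2024-07-01T00:00:00Z", "2024-07-14T23:59:59Z", top=2)
NEXT_URL = (f"{GRAPH}/v1.0/auditLogs/signIns?$top=2"
            "&$skiptoken=9177f2e3532fcd4c4d225f68f7b9bdf7_1")
SAMPLE_PAGES = {
    FIRST_URL: {"@odata.nextLink": NEXT_URL, "value": [
        {"id": "s1", "userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.10",
         "riskLevelDuringSignIn": "none", "riskState": "none"},
        {"id": "s2", "userPrincipalName": "bob@contoso.com", "ipAddress": "198.51.100.7",
         "riskLevelDuringSignIn": "high", "riskState": "atRisk"}]},
    NEXT_URL: {"value": [
        {"id": "s3", "userPrincipalName": "carol@contoso.com", "ipAddress": "192.0.2.4",
         "riskLevelDuringSignIn": "medium", "riskState": "remediated"}]},
}


def fake_http_get(url: str) -> dict:
    """Stand-in for an authenticated GET; a real client sends the bearer token."""
    return SAMPLE_PAGES[url]


def collect_risky(http_get: Callable[[str], dict] = fake_http_get) -> List[str]:
    """IDs of open risky sign-ins across all pages, ready for triage."""
    return [r["id"] for r in risky_signins(iter_signins(FIRST_URL, http_get))]
```

Swap `fake_http_get` for a function that performs the GET with the bearer token obtained from `token_request`, and the same paging and risk filter apply to a live tenant.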