mpras2135 - Thanks for your feedback and questions. I'll respond to each of your questions from across multiple comments in this one.
1. The Microsoft Graph Security API add-on uses the API to stream alerts from different sources into Splunk. The Microsoft Graph Security API does not stream logs or traces, as these are pretty verbose to be schematized across various products. To stream alerts in a unified format and make them available in Splunk, use the Microsoft Graph Security API add-on for Splunk. Based on alert correlations and the need to pull in additional logs and traces, use the Azure Monitor add-on. Hope this clarifies.
2. The activity logs can be made available via the Azure Monitor add-on for Splunk, as mentioned in point #1 above. The Microsoft Graph Security alerts have alert-specific information associated with users (logon location, IP, risk score, etc.), devices (IP, FQDN, domain, etc.), and more - refer to the Microsoft Graph Security alert schema for more details. We are looking into building contextual information about the specific alert entities that we can expose through the Microsoft Graph Security API, but we most likely won't plan to expose complete logs or traces, as those can't really be schematized across different products.
Feel free to reach out to me with specific details on your scenarios at graphsecfeedback_at_microsoft_dot_com, and I'll be happy to help.