Apr 01 2019 03:25 PM - last edited on Apr 07 2022 05:44 PM by TechCommunityAP
Hey - I have built up a collection of saved searches in Azure Log Analytics, mainly searching the SecurityAlerts, SignInLogs and OfficeActivity tables. When I get a security alert notification from Microsoft, I run my searches, then export to CSV to search for indicators of compromise, bla bla. This is great, somewhat quick and easy.
But is there a programmatic way of doing this?
Using the Security Graph API I can see the signIn resource type, so that's great, but I do not see an Exchange mailbox audit log resource, so I cannot see how to retrieve audit logs via an API.
Can I query the Log Analytics data directly through an API, or is there another way to access this data programmatically?
I looked at using the Azure Cloud Console, but even this didn't seem to be able to access the data.
Apr 02 2019 03:34 AM
Solution
There is the Log Analytics API https://docs.microsoft.com/en-us/rest/api/loganalytics/ and the Data Collector API https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api
When you get a Security Alert you could call a playbook (Logic App) to work with that data, even if it's only to create that CSV file.
Azure Sentinel has a new connector to O365 (I have not looked too closely myself at this particular connector and data, but Exchange is mentioned).
Thanks
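As an added example, not code from the thread or from Microsoft: a small stdlib-only Python client for the Log Analytics Query API the answer points to. It builds a KQL query over SigninLogs for a list of indicator IPs and flattens the API's tables/columns/rows JSON into the CSV the question describes. The endpoint, token audience and response shape are the Query API's documented ones; the workspace id, token, indicator list and SAMPLE_RESULT are placeholders or constructed.

```python
"""Query Log Analytics for sign-ins from indicator IPs and export to CSV.
Added example, not from the thread. Assumes the Log Analytics Query API
(POST https://api.loganalytics.io/v1/workspaces/{workspaceId}/query, bearer
token for https://api.loganalytics.io). Workspace id, token and indicators
are placeholders; SAMPLE_RESULT is a constructed response in the API's shape.
"""
import csv
import io
import json
import urllib.request

QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"


def build_ioc_query(ip_indicators, days=7):
    """KQL over SigninLogs for the listed IPs; indicators are JSON-quoted."""
    quoted = ", ".join(json.dumps(ip) for ip in ip_indicators)
    return ("SigninLogs\n"
            f"| where TimeGenerated > ago({int(days)}d)\n"
            f"| where IPAddress in ({quoted})\n"
            "| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName")


def run_query(workspace_id, token, kql, timespan="P7D"):
    """POST the query and return the parsed JSON body (live network call)."""
    body = json.dumps({"query": kql, "timespan": timespan}).encode()
    req = urllib.request.Request(
        QUERY_URL.format(workspace_id=workspace_id), data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def result_to_csv(result, table="PrimaryResult"):
    """Flatten the API's {"tables": [{"columns", "rows"}]} shape into CSV text."""
    tbl = next(t for t in result["tables"] if t["name"] == table)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([c["name"] for c in tbl["columns"]])
    writer.writerows(tbl["rows"])
    return out.getvalue()


# Constructed sample response in the Query API's documented shape.
SAMPLE_RESULT = {"tables": [{"name": "PrimaryResult", "columns": [
    {"name": n, "type": t} for n, t in [("TimeGenerated", "datetime"),
    ("UserPrincipalName", "string"), ("IPAddress", "string"),
    ("ResultType", "string"), ("AppDisplayName", "string")]], "rows": [
    ["2019-04-01T10:15:00Z", "alice@example.com", "203.0.113.7", "0", "Office 365 Exchange Online"],
    ["2019-04-01T10:16:30Z", "bob@example.com", "203.0.113.7", "50126", "Azure Portal"]]}]}
```

For live data, pass `run_query(workspace_id, token, build_ioc_query(iocs))` to `result_to_csv` instead of SAMPLE_RESULT; the token must be an Azure AD access token for the Log Analytics API audience.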