<h3 id="lingo-sub-998400">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>The link <a href="http://www.bing.com/">Microsoft Security Products that support Graph Security API</a> appears to only take you to the Bing homepage.</p>

<h3 id="lingo-sub-998503">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>Thanks <a href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/46875">@Gary Bushey</a>, the link has been fixed.</p>

<h1 id="toc-hId-2049014699">Ingesting Office 365 Alerts with Graph Security API</h1>
<p>During recent Azure Sentinel workshops some customers asked whether Office 365 alerts can be ingested into Azure Sentinel. Azure Sentinel has an Office 365 connector, but that connector ingests Exchange mailbox audit logs and SharePoint audit logs; it does not include Office 365 alerts.</p>
<p>Office 365 alerts notify administrators about anomalous or malicious activity in their Office 365 environment, for example a detected malware campaign or suspicious email forwarding. To learn more about them, refer to <a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/alerts">Alerts in the Office 365 Security &amp; Compliance Center</a>. Administrators can also define custom alerts in the Office 365 Security &amp; Compliance Center.</p>
<p>An Office 365 alerts connector may be released in the future; in the meantime we can use the Graph Security API to ingest Office 365 alerts into Azure Sentinel. Because the approach is built on the Graph Security API, the same playbook pattern also works for alerts from the other <a href="https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0">Microsoft security products that support the Graph Security API</a> and do not have Azure Sentinel alert connectors yet.</p>

<h2 id="toc-hId--699655767">1. Using Microsoft Graph Security API to read Office 365 Alerts</h2>
<p>As with most Microsoft security products, Office 365 alerts are exposed through the Microsoft Graph Security API, which provides RESTful access to alerts from Microsoft security products. To get a feel for the queries the API supports, review the sample queries in the <a href="https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries">security-api-solutions GitHub repository</a>.</p>
<p>To try out Graph queries we will use <a href="https://developer.microsoft.com/en-us/graph/graph-explorer">Microsoft Graph Explorer</a>. Before running security alert queries, make sure the account you sign in with holds at least the <code>SecurityEvents.Read.All</code> permission in Graph Explorer; click the "modify permissions" link on the left side of Graph Explorer to check or add it. This permission requires admin consent, so a non-admin user will get no alerts back until an administrator has consented.</p>
<p>Once we have the right permission, we need to form a query that retrieves Office 365 alerts. Start with the query for all alerts:</p>
<p><strong>/security/alerts</strong></p>
<p>As we are only interested in Office 365 alerts, we narrow the result with a filter on the alert provider and category and run it in Graph Explorer:</p>
<p><strong>/security/alerts?$filter=vendorInformation/provider eq 'Office 365 Security and Compliance' and category eq 'ThreatManagement'</strong></p>
<p>In the response, note the <em>lastModifiedDateTime</em> field: it is the time at which the alert was created or last modified in Office 365. We will use it later as a high-water mark to retrieve only alerts changed since the previous run.</p>

<h2 id="toc-hId-1043154568">2. Ingesting alerts</h2>
<p>Once we have retrieved the list of Office 365 alerts through the Graph Security API, we ingest them into Azure Sentinel with an Azure Sentinel playbook. We cannot write directly into the SecurityAlert table, so we ingest into a custom log table, <em>Office365Alerts_CL</em>. The playbook runs on a schedule (e.g. every 5 minutes).</p>
<p>On each run the playbook first looks up the most recent <em>lastModifiedDateTime</em> stored in <em>Office365Alerts_CL</em> and then retrieves only alerts modified after that time. If the table is empty or does not exist yet, it retrieves all alerts from Office 365 (the initialization phase). Keep in mind that the same alert is pulled again whenever Office 365 updates it (for example when its status changes), because the update moves its <em>lastModifiedDateTime</em> forward; queries over <em>Office365Alerts_CL</em> should therefore deduplicate on the alert id and keep the row with the latest <em>lastModifiedDateTime_t</em>.</p>
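<p>The read path described above (high-water mark, filtered query, paging, new high-water mark), written out as an added Python example rather than code from the original post. The comparison operator <code>gt</code>, the <code>$skip</code> paging used by the fake endpoint (real Graph returns an opaque <code>$skiptoken</code> in <code>@odata.nextLink</code>) and the sample alerts are this example's own assumptions; the HTTP call is injected so it runs offline.</p>

```python
"""Incremental pull of Office 365 alerts from the Microsoft Graph Security API.

Added example, not code from the original post. It mirrors the playbook's read
path: take the stored high-water mark (or the 1900-01-01 fallback), build the
step 1 $filter plus a lastModifiedDateTime condition, follow @odata.nextLink
until exhausted, and return the alerts with the new high-water mark.
"""
import re
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
OLD_DATETIME = datetime(1900, 1, 1, tzinfo=timezone.utc)  # same fallback as the KQL oldDateTime


def odata_timestamp(value: datetime) -> str:
    """ISO-8601 UTC timestamp that keeps fractional seconds, so an alert modified at
    exactly the watermark (to the microsecond) is not pulled a second time."""
    stamp = value.strftime("%Y-%m-%dT%H:%M:%S")
    if value.microsecond:
        stamp += f".{value.microsecond:06d}"
    return stamp + "Z"


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's lastModifiedDateTime (UTC, 'Z' suffix, up to 7 fractional digits)."""
    head, _, fraction = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    if fraction:
        parsed = parsed.replace(microsecond=int((fraction + "000000")[:6]))
    return parsed.replace(tzinfo=timezone.utc)


def build_filter(since: datetime) -> str:
    """Step 1 filter plus the watermark. 'gt' rather than 'ge' so the newest stored
    alert is not re-ingested on every run (assumption: operator chosen by this example)."""
    return ("vendorInformation/provider eq 'Office 365 Security and Compliance' "
            "and category eq 'ThreatManagement' "
            f"and lastModifiedDateTime gt {odata_timestamp(since)}")


def first_page_url(since: datetime) -> str:
    return GRAPH_ALERTS + "?" + urlencode({"$filter": build_filter(since)})


def pull_new_alerts(fetch: Callable[[str], dict],
                    since: Optional[datetime]) -> Tuple[List[dict], datetime]:
    """Page through every alert modified after `since`; return them and the new watermark.
    `fetch(url)` must perform an authenticated GET (bearer token with
    SecurityEvents.Read.All) and return the decoded JSON body."""
    watermark = since or OLD_DATETIME
    alerts: List[dict] = []
    url: Optional[str] = first_page_url(watermark)
    while url:
        page = fetch(url)
        for alert in page.get("value", []):
            alerts.append(alert)
            watermark = max(watermark, parse_graph_datetime(alert["lastModifiedDateTime"]))
        url = page.get("@odata.nextLink")  # absent on the last page
    return alerts, watermark


# --- constructed sample data and a fake Graph endpoint (not real alerts) ---
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "Malware campaign detected after delivery", "category": "ThreatManagement",
     "lastModifiedDateTime": "2019-11-05T10:15:30.1234567Z",
     "vendorInformation": {"provider": "Office 365 Security and Compliance"}},
    {"id": "alert-2", "title": "Creation of forwarding/redirect rule", "category": "ThreatManagement",
     "lastModifiedDateTime": "2019-11-05T09:00:00Z",
     "vendorInformation": {"provider": "Office 365 Security and Compliance"}},
    {"id": "alert-3", "title": "Suspicious email sending patterns detected", "category": "ThreatManagement",
     "lastModifiedDateTime": "2019-11-06T08:30:00Z",
     "vendorInformation": {"provider": "Office 365 Security and Compliance"}},
]
PAGE_SIZE = 2


def fake_fetch(url: str) -> dict:
    """Stand-in for the authenticated GET: honours the lastModifiedDateTime condition in
    $filter and returns two alerts per page, linking pages with a plain $skip parameter."""
    query = parse_qs(urlparse(url).query)
    since = parse_graph_datetime(re.search(r"lastModifiedDateTime gt (\S+)", query["$filter"][0]).group(1))
    skip = int(query.get("$skip", ["0"])[0])
    matching = [a for a in SAMPLE_ALERTS if parse_graph_datetime(a["lastModifiedDateTime"]) > since]
    page = {"value": matching[skip:skip + PAGE_SIZE]}
    if skip + PAGE_SIZE < len(matching):
        page["@odata.nextLink"] = f"{url.split('&$skip=')[0]}&$skip={skip + PAGE_SIZE}"
    return page


if __name__ == "__main__":
    first_run, mark = pull_new_alerts(fake_fetch, None)   # initialization: table empty, pull everything
    print(len(first_run), "alerts, new watermark", odata_timestamp(mark))
    second_run, mark2 = pull_new_alerts(fake_fetch, mark)  # next scheduled run: nothing new
    print(len(second_run), "alerts, watermark unchanged:", mark2 == mark)
```

<p>In a real run, <code>fetch</code> would be a function that issues the GET with an <code>Authorization: Bearer</code> header and returns <code>response.json()</code>; everything else stays the same. The watermark returned by <code>pull_new_alerts</code> is what the KQL query in step 4 recovers from <em>Office365Alerts_CL</em> on the next run.</p>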
<p>Now let's look at each step in more detail.</p>

<h2 id="toc-hId--1509002393">3. Creating Azure Sentinel Playbook</h2>
<p>Create a new playbook in your Azure Sentinel environment, in the Playbooks section.</p>
<p>Once the playbook is created, add the Recurrence trigger from the list of available triggers and set the interval to your chosen schedule, e.g. every 5 minutes.</p>

<h2 id="toc-hId-233807942">4. Retrieving the most recent <em>lastModifiedDateTime</em></h2>
<p>Now we look for the latest alert in the Office365Alerts_CL table and the time at which it was created or modified. As mentioned earlier, this value is populated by Office 365 and stored in the <em>lastModifiedDateTime</em> field, which Log Analytics keeps in the <em>lastModifiedDateTime_t</em> column. If there are no alerts in Office365Alerts_CL, or the table does not exist yet, we retrieve all Office 365 alerts and initialize the table.</p>
<p>Let's put together the corresponding KQL query. First we have to cope with <em>Office365Alerts_CL</em> not existing yet. There is no built-in KQL function to check for table existence, so we use <em>union</em> with <em>isfuzzy=true</em>. With <em>isfuzzy</em> set to true, the set of union sources is reduced to the table references that exist and are accessible at query time; as long as at least one source exists, a missing one produces a warning but the query still executes. The default is false, meaning a query against a non-existent table yields an error.</p>
<p><strong>1.</strong> We union the table with an <em>oldDateTime</em> source that contains a single record holding a historical date (1 January 1900). We do not expect any alerts generated before this date.</p>
<p>This is how we define <em>oldDateTime</em>:</p>
<pre><code>// One-row source that serves as the fallback high-water mark when Office365Alerts_CL is empty or missing.
let oldDateTime = view () { print lastModifiedDateTime_t=datetime("1900-01-01 00:00:00") };</code></pre>
<p><strong>2.</strong> After defining the variable we can run the <em>union</em>. We combine <em>oldDateTime</em> with the <em>Office365Alerts_CL</em> table and use the <a href="https://docs.microsoft.com/en-us/azure/kusto/query/arg-max-aggfunction">arg_max</a> aggregation to get the most recent <em>lastModifiedDateTime_t</em> value:</p>
<pre><code>// Latest lastModifiedDateTime_t stored so far; arg_max(maximize, return) with the same
// column in both positions simply returns the maximum.
Office365Alerts_CL
| summarize arg_max(lastModifiedDateTime_t, lastModifiedDateTime_t)
| project lastModifiedDateTime_t</code></pre>
<p>And this is how the final query looks. Note the additional <em>arg_max</em> over the union: it compares the <em>oldDateTime</em> defined in step 1 with the latest <em>lastModifiedDateTime_t</em> in <em>Office365Alerts_CL</em>. If the table has no rows (or does not exist), the query simply returns the <em>oldDateTime</em> value and the playbook pulls every alert.</p>
<pre><code>let oldDateTime = view () { print lastModifiedDateTime_t=datetime("1900-01-01 00:00:00") };
union isfuzzy=true
    (oldDateTime),
    (Office365Alerts_CL
     | summarize arg_max(lastModifiedDateTime_t, lastModifiedDateTime_t)
     | project lastModifiedDateTime_t)
// Keep the larger of the two candidates; exactly one row comes back.
| summarize arg_max(lastModifiedDateTime_t, lastModifiedDateTime_t)
| project lastModifiedDateTime_t</code></pre>

<h2 id="toc-hId-1976618277">5. Execute Query in the Playbook</h2>
<p>To run the previous query against the Sentinel Log Analytics workspace from the playbook, add the Azure Log Analytics "Run query and list results" action to the playbook. The single <em>lastModifiedDateTime_t</em> value it returns is exposed as dynamic content that the next step can reference.</p>
<p>Now we can paste the query into the Azure Log Analytics action. Newer versions of this action also have a Time Range setting: the watermark query must see the whole <em>Office365Alerts_CL</em> table, so make sure the range reaches back to the oldest row you have ingested. With too narrow a range the table branch of the union returns nothing, the query falls back to <em>oldDateTime</em>, and the playbook re-pulls every alert, which is one way to end up with the duplicate rows reported in the comments below.</p>

<h2 id="toc-hId--575538684">6. Using Get alerts Action</h2>
<p>Once we have the filter expression we can run the Graph API query to get the list of Office 365 alerts. Azure Sentinel playbooks come with a Microsoft Graph Security connector (currently in preview) that makes it easy to run Graph Security API queries. The connection you authorize for this connector needs the same <code>SecurityEvents.Read.All</code> permission we used in Graph Explorer.</p>
<p>First, add the Microsoft Graph Security connector to the playbook, then pick its <em>Get alerts</em> action.</p>
<p>Next, enable filtering on the Get alerts action so that the "Filter alerts" box appears.</p>
<p>Now put the Graph Security API filter from step 1 into the "Filter alerts" box and extend it with a <em>lastModifiedDateTime</em> condition that uses the <em>lastModifiedDateTime_t</em> value returned by the Run query step (pick it from the list of dynamic content). Don't forget to type a space into the "Filter alerts" box after inserting the <em>lastModifiedDateTime_t</em> dynamic value.</p>
<p>The final Graph Security API query is therefore the step 1 filter followed by the <em>lastModifiedDateTime</em> condition, and it is entered as the filter of the Get alerts action in the playbook.</p>

<h2 id="toc-hId-1167271651">7. Ingest Office 365 alerts into Azure Sentinel</h2>
<p>As a final step we ingest the Office 365 alerts retrieved in the previous step into the <em>Office365Alerts_CL</em> table, using the Azure Log Analytics Data Collector "Send Data" action.</p>
<p>Before adding it, add a <em>For each</em> action that iterates over all Office 365 alerts returned by the Get alerts action in the previous step.</p>
<p>Inside the loop, add the Send Data action from the Azure Log Analytics Data Collector connector.</p>
<p>Now we can send each alert to the custom log table. The Custom Log Name is <em>Office365Alerts</em>; Log Analytics appends the <em>_CL</em> suffix, which gives the <em>Office365Alerts_CL</em> table we query in step 4. Note that the dynamic content list offers two <em>Current item</em> entries; make sure you select the one associated with the alerts iteration and pass it as the JSON request body.</p>
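<p>What the Send Data action does on your behalf, as an added Python example (not code from the original post): each alert is flattened to scalar columns, the batch is serialized to one JSON body, and the request is signed with the workspace shared key using the SharedKey scheme of the Log Analytics HTTP Data Collector API. The workspace id, key and alert below are constructed placeholders, and batching all alerts into one POST (instead of one per loop iteration) and the array-to-JSON-string flattening are this example's choices. Nothing is sent; the function returns the URL, headers and body for inspection or for any HTTP client.</p>

```python
"""Build a signed Azure Log Analytics HTTP Data Collector API request for a batch of alerts.

Added example, not code from the original post. Signature scheme:
base64(HMAC-SHA256(key, "POST\n<length>\napplication/json\nx-ms-date:<date>\n/api/logs"))
sent as "Authorization: SharedKey <workspaceId>:<signature>".
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Any, Dict, List, Optional

API_VERSION = "2016-04-01"
LOG_TYPE = "Office365Alerts"          # Log Analytics appends _CL: rows land in Office365Alerts_CL
TIME_FIELD = "lastModifiedDateTime"   # used as TimeGenerated instead of the ingestion time


def flatten(record: Dict[str, Any], prefix: str = "", out: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Nested objects become prefixed columns (vendorInformation.provider ->
    vendorInformation_provider); arrays are stored as one JSON string column so each
    alert stays a single row. ISO-8601 strings are typed as datetime (_t) on the
    workspace side, other strings as _s, which is what the step 4 query relies on."""
    out = {} if out is None else out
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flatten(value, name + "_", out)
        elif isinstance(value, list):
            out[name] = json.dumps(value)
        else:
            out[name] = value
    return out


def build_signature(shared_key_b64: str, date_rfc1123: str, content_length: int) -> str:
    """SharedKey signature over the request line, length, content type, date and resource."""
    string_to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{date_rfc1123}\n/api/logs"
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(workspace_id: str, shared_key_b64: str, alerts: List[Dict[str, Any]],
                  now: Optional[datetime] = None) -> Dict[str, Any]:
    """One POST for the whole batch; the date must be the same RFC 1123 string in the header and the signature."""
    now = now or datetime.now(timezone.utc)
    date_rfc1123 = format_datetime(now, usegmt=True)   # e.g. 'Tue, 05 Nov 2019 10:20:00 GMT'
    body = json.dumps([flatten(alert) for alert in alerts]).encode("utf-8")
    signature = build_signature(shared_key_b64, date_rfc1123, len(body))
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"SharedKey {workspace_id}:{signature}",
            "Log-Type": LOG_TYPE,
            "x-ms-date": date_rfc1123,
            "time-generated-field": TIME_FIELD,
        },
        "body": body,
    }


# --- constructed placeholders (not a real workspace, key or alert) ---
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")
SAMPLE_ALERT = {
    "id": "alert-1",
    "title": "Malware campaign detected after delivery",
    "category": "ThreatManagement",
    "severity": "high",
    "lastModifiedDateTime": "2019-11-05T10:15:30.1234567Z",
    "vendorInformation": {"provider": "Office 365 Security and Compliance", "vendor": "Microsoft"},
    "userStates": [{"userPrincipalName": "user@contoso.example"}],
}


def demo_request() -> Dict[str, Any]:
    fixed_now = datetime(2019, 11, 5, 10, 20, tzinfo=timezone.utc)  # fixed so the signature is reproducible
    return build_request(WORKSPACE_ID, SHARED_KEY_B64, [SAMPLE_ALERT], now=fixed_now)


if __name__ == "__main__":
    request = demo_request()
    print(request["url"])
    print(request["headers"]["Authorization"])
    print(request["body"].decode("utf-8"))
```

<p>Because the signature covers the body length and the date, any proxy or retry layer that rewrites the body (pretty-printing, re-encoding) or delays the request past the clock skew the service tolerates will get a 403; sign immediately before sending and send the bytes you signed. Keep the shared key in Key Vault rather than in the playbook definition.</p>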
<h2 id="toc-hId--1384885310">8. Summary</h2>
<p>To test the playbook, run it by clicking "Run Trigger" and selecting Recurrence on the playbook page.</p>
<p>Once the playbook run has completed, check for the alerts by querying the <em>Office365Alerts_CL</em> table in Azure Sentinel Logs.</p>
<p>And we are done. In this article we demonstrated how to use the Graph Security API to ingest Office 365 alerts into a custom table in Azure Sentinel. We built an Azure Sentinel playbook that uses the new Graph Security API action to retrieve Office 365 alerts and ingest them into an Azure Sentinel custom log table. As a next step, these alerts can be turned into Sentinel incidents through custom analytics rules over <em>Office365Alerts_CL</em>.</p>
<p>For your reference, the final playbook consists of the Recurrence trigger, the Azure Log Analytics "Run query and list results" action, the Microsoft Graph Security "Get alerts" action, and a For each loop containing the Data Collector "Send Data" action.</p>

<p><em>Teaser:</em> In this article we show how you can ingest Office 365 alerts into Azure Sentinel through the Graph Security API and Sentinel playbooks. While Azure Sentinel has an Office 365 connector, that connector doesn't include Office 365 alerts.</p>
<p>Labels: Azure Sentinel, Investigation, Security</p>

<h3 id="lingo-sub-1150504">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>Thanks for taking the time to put this together.</p>
<p>As per "Step 5", it seems there have been some changes to the "Run Query and List Results" step.</p>
<p>There is now a "Time Range" box.</p>
<p>My setup appears to be ingesting duplicate alerts from 365 Sec and Compliance Centre.</p>
<p>Any chance you're able to test on your side and confirm if any changes need to be made to the logic app please?</p>

<h3 id="lingo-sub-1169483">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>Hi <a href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/529903">@security_maverick</a>, yes, I've noticed these changes, I'm looking into it now. Thanks for flagging.</p>

<h3 id="lingo-sub-1178604">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>"Run Query and List Results" for the Azure Log Analytics connector is deprecated now. I was trying to create this playbook but could not find it. After some research, I found out about it. Looks like time management of alerts will need a new way now.</p>

<h3 id="lingo-sub-1179148">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>Hi <a href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/259976">@ihsmktier_00</a>, where did you find that the run query has been deprecated, please? I'm not aware of it. There has just been released a new version of run query that now also includes a time range for the query.</p>

<h3 id="lingo-sub-1223934">Re: Ingesting Office 365 Alerts with Graph Security API</h3>
<p>Hi <a href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/40452">@Stefan Simon</a>,</p>
<p>Brilliant article! Very detailed and the easiest example I have seen to pull events from the ISG.</p>
<p>Regards</p>
<p>Pieter</p>
or-username%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40452%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3EStefan%20Simon%3C%2FSPAN%3E%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-rank%20lia-component-author-rank%20lia-component-message-view-widget-author-rank%22%3EMicrosoft%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-08%20lia-quilt-column-right%20lia-quilt-column-header-right%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-right%22%3E%3CDIV%20class%3D%22lia-message-post-date%20lia-component-post-date%20lia-component-message-view-widget-post-date%22%3E%3CSPAN%20class%3D%22DateTime%22%3E%3CSPAN%20class%3D%22local-date%22%3E%E2%80%8E02-12-2020%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22local-time%22%3E06%3A37%20AM%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-menu-navigation-wrapper%20lia-menu-action%20lia-component-message-view-widget-action-menu%22%3E%3CDIV%20class%3D%22lia-menu-navigation%22%3E%3CDIV%20class%3D%22dropdown-default-item%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-header%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-08%20lia-quilt-column-right%20lia-quilt-column-header-right%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-right%22%3E%3CDIV%20class%3D%22lia-menu-navigation-wrapper%20lia-menu-action%20lia-component-message-view-widget-action-menu%22%3E%3CDIV%20class%3D%22lia-menu-navigation%22%3E%3CDIV%20class%3D%22dropdown-default-item%22%3E%3CDIV%20class%3D%22dropdown-positioning%22%3E%3CDIV%20class%3D%22dropdown-positioning-static%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-main%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-2
4%20lia-quilt-column-single%20lia-quilt-column-main%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-single%22%3E%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%3CDIV%20class%3D%22lia-message-body%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F529903%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%40security_maverick%3C%2FA%3E%26nbsp%3B%2C%20yes%2C%20I've%20noticed%20these%20changes%2C%20I'm%20looking%20into%20it%20now.%20Thanks%20for%20flagging.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FBLOCKQUOTE%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-main%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-24%20lia-quilt-column-single%20lia-quilt-column-main%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-single%22%3E%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%3CDIV%20class%3D%22lia-message-body%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3EI'm%20having%20duplicate%20data%2C%20did%20you%20find%20how%20to%20avoid%20it%3F%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1278686%22%20slang%3D%22en-US%22%3ERe%3A%20Ingesting%20Office%20365%20Alerts%20with%20Graph%20Security%20API%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1278686%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F603845%22%20target%3D%22_blank%22%3E%40Ozzzz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20still%20waiting%20on%20feedback%20from%20Stefan.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Ingesting Office 365 Alerts with Graph Security API

During recent Azure Sentinel workshops some customers have asked for the possibility to ingest Office 365 alerts into Azure Sentinel. While Azure Sentinel has an Office 365 connector, that connector ingests Exchange mailbox audit logs and SharePoint audit logs, and as such it doesn’t include Office 365 alerts.

 

With Office 365 alerts, administrators can be alerted about anomalous or malicious activity in their Office 365 environment, for example detection of a malware campaign or suspicious email forwarding. To learn more about Office 365 alerts you can refer to Alerts in the Office 365 Security & Compliance Center. Administrators can also define their own custom alerts in the Office 365 Security & Compliance Center.

 

While an Office 365 alerts connector may be released in the future, in the meantime we can leverage the Graph Security API to ingest Office 365 alerts into Azure Sentinel. Also, as this approach is based on the Graph Security API, you can use it to get alerts from other Microsoft Security Products that support Graph Security API and don't have Azure Sentinel alert connectors released yet.

 

 

1.   Using Microsoft Graph Security API to read Office 365 Alerts

As with most Microsoft security products, Office 365 alerts are accessible through the Microsoft Graph Security API, which provides RESTful access to Microsoft security alerts. To get a feel for the possible queries, review the sample queries in the GitHub repository.

To test Graph queries we will use Microsoft Graph Explorer. Before running security alert queries, make sure you have at least the minimum permission in Graph Explorer to read security alerts: SecurityEvents.Read.All (this permission requires admin consent). To check or add permissions, click the modify permissions link on the left side of Graph Explorer.

clipboard_image_1.png

Once we have the right permission, we need to form a query to retrieve Office 365 alerts. Let’s start with an initial query for all alerts:

/security/alerts

As we are only interested in Office 365 alerts, we apply the following filter in Graph Explorer:

/security/alerts?$filter=vendorInformation/provider eq 'Office 365 Security and Compliance' and category eq 'ThreatManagement'

clipboard_image_2.png

 

In the Response section note the lastModifiedDateTime field: this is the time when the alert was created or last modified in Office 365. We will use this field later to retrieve only alerts newer than this timestamp.
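The Step 1 query turned into a small script. This is an added example and not code from the original post: it builds the same $filter (with the lastModifiedDateTime bound that the playbook adds later), follows @odata.nextLink paging and returns the newest lastModifiedDateTime as the watermark for the next run. The two response pages are constructed sample data; the $orderby and $top parameters, the seven-digit timestamp handling and the graph_fetcher helper are this example's own choices, and graph_fetcher needs a real bearer token with SecurityEvents.Read.All so it is not exercised here.

```python
"""Query Microsoft Graph Security alerts as in Step 1, page through the
result and pick the newest lastModifiedDateTime for the next run.
Added example, not code from the original post; the sample pages are
constructed and graph_fetcher (the only network call) is not used offline."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
PROVIDER = "Office 365 Security and Compliance"
CATEGORY = "ThreatManagement"


def alerts_filter(since=None):
    """The $filter from Step 1, optionally bounded to alerts modified after
    `since`. OData datetime literals are unquoted ISO 8601 in UTC ('Z')."""
    expr = f"vendorInformation/provider eq '{PROVIDER}' and category eq '{CATEGORY}'"
    if since is not None:
        stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        expr += f" and lastModifiedDateTime gt {stamp}"
    return expr


def alerts_url(since=None, top=100):
    """First page URL ($orderby/$top are this example's choice)."""
    params = {
        "$filter": alerts_filter(since),
        "$orderby": "lastModifiedDateTime asc",
        "$top": str(top),
    }
    return f"{GRAPH}/security/alerts?" + urllib.parse.urlencode(
        params, quote_via=urllib.parse.quote)


def parse_graph_time(stamp):
    """Graph emits up to seven fractional digits ('...:00.1234567Z');
    datetime.fromisoformat accepts at most six on older Pythons, so truncate."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{base}.{frac}").replace(tzinfo=timezone.utc)


def parse_page(body):
    """One JSON page -> (alerts, next page URL or None)."""
    doc = json.loads(body)
    return doc.get("value", []), doc.get("@odata.nextLink")


def fetch_all(fetch, since=None):
    """Follow @odata.nextLink to the end. `fetch(url) -> str` is injected so
    the paging logic can run against the constructed pages below."""
    url, alerts = alerts_url(since), []
    while url:
        page, url = parse_page(fetch(url))
        alerts.extend(page)
    return alerts


def newest_modified(alerts):
    """Watermark for the next run: the largest lastModifiedDateTime seen."""
    stamps = [parse_graph_time(a["lastModifiedDateTime"]) for a in alerts]
    return max(stamps) if stamps else None


def graph_fetcher(token):
    """Real fetcher: bearer token from an app registration holding
    SecurityEvents.Read.All (assumed; not used offline)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode("utf-8")
    return fetch


# Constructed sample: two pages, three alerts, mixed timestamp precisions.
_NEXT = f"{GRAPH}/security/alerts?$skiptoken=constructed"
SAMPLE_PAGES = {
    alerts_url(): json.dumps({
        "value": [
            {"id": "alert-1", "title": "Malware campaign detected",
             "lastModifiedDateTime": "2020-02-10T10:15:30.5Z"},
            {"id": "alert-2", "title": "Suspicious email forwarding",
             "lastModifiedDateTime": "2020-02-11T09:00:00Z"},
        ],
        "@odata.nextLink": _NEXT,
    }),
    _NEXT: json.dumps({
        "value": [
            {"id": "alert-3", "title": "Creation of forwarding/redirect rule",
             "lastModifiedDateTime": "2020-02-12T06:37:00.1234567Z"},
        ],
    }),
}


def sample_fetch(url):
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    found = fetch_all(sample_fetch)
    print(len(found), "alerts; next filter:", alerts_filter(newest_modified(found)))
```

Run it as-is to see the three sample alerts and the follow-up filter; swap sample_fetch for graph_fetcher(token) to run against a tenant. The bound uses gt rather than ge so an alert whose timestamp equals the stored watermark is not returned a second time.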

 

2.      Ingesting alerts

Once we retrieve the list of Office 365 alerts through the Graph Security API, we ingest them into Azure Sentinel using an Azure Sentinel Playbook. As we can’t write directly into the SecurityAlert table, we ingest into a custom log table, Office365Alerts_CL. The playbook runs at a scheduled interval (e.g. every 5 minutes).

 

In the playbook logic we will first check for the most recent lastModifiedDateTime in the Office365Alerts_CL table and then retrieve only new alerts since that datetime. If the table is empty or doesn't exist, we will retrieve all alerts from Office 365 (this is the initialization phase).

 

Now, let’s have a look at each step in more details.

 

3.      Creating Azure Sentinel Playbook

You can create a new playbook in your Azure Sentinel environment, in the Playbooks section.

clipboard_image_3.png

Once the playbook is created, add the Recurrence trigger from the list of available triggers and set the recurrence to your chosen interval, e.g. every 5 minutes:

clipboard_image_4.png

 

4.      Retrieving the most recent lastModifiedDateTime.

Now we look for the latest alert in the Office365Alerts_CL table and the time when it was modified or created. As mentioned earlier, this information is populated by Office 365 and is stored in the lastModifiedDateTime field. If there are no alerts in Office365Alerts_CL or the table doesn’t exist, we retrieve all Office 365 alerts and initialize the table.

 

Let's put together the corresponding KQL query. First we need to check whether Office365Alerts_CL already exists. As KQL has no built-in function to test for table existence, we use the union operator with isfuzzy=true. With isfuzzy set to true, the set of union sources is reduced to the table references that exist and are accessible at the time; if at least one such table is found, the query produces a warning but still executes. The default is false, meaning a query that references a non-existent table fails with an error.

 

1. We union with a new oldDateTime source that contains a single record holding a historical date (1 January 1900). We don’t expect any alert to have been generated before this date.

 

This is how we define the oldDateTime variable:

 

 

 let oldDateTime = view () { print lastModifiedDateTime_t=datetime("1900-01-01 00:00:00") };

 

 

 

2. After defining the variable we can run the union, combining oldDateTime with the Office365Alerts_CL table. We use arg_max to get the most recent lastModifiedDateTime_t value:

 

 

 

Office365Alerts_CL |  summarize arg_max(lastModifiedDateTime_t, lastModifiedDateTime_t)  | project lastModifiedDateTime_t

 

 

 

And this is how the final query looks. Note that we added one more arg_max that compares the oldDateTime defined earlier (Step 1) with the latest lastModifiedDateTime in the Office365Alerts_CL table. If there are no alerts in Office365Alerts_CL, the query simply returns the oldDateTime value.

 

 

 

let oldDateTime = view () { print lastModifiedDateTime_t=datetime("1900-01-01 00:00:00") };
union isfuzzy=true
(oldDateTime),
(Office365Alerts_CL |  summarize arg_max(lastModifiedDateTime_t , lastModifiedDateTime_t )  | project lastModifiedDateTime_t )
| summarize arg_max(lastModifiedDateTime_t , lastModifiedDateTime_t )
| project lastModifiedDateTime_t   

 

 

 

5.      Execute Query in the Playbook

To execute the previous query in the playbook against the Sentinel Log Analytics workspace, add the Azure Log Analytics "Run query and list results" action to the playbook. If the action exposes a Time Range setting, make sure it spans the whole table: if the window excludes the newest stored alert, the query falls back to the 1900 value and the next run re-ingests every alert.

clipboard_image_5.png

 

Now, we can add our query into Azure Log Analytics action:

 

snip3.jpg

 

6.      Using Get alerts Action

Once we have the filter expression, we can run the Graph API query to get the list of Office 365 alerts. Azure Sentinel Playbooks come with a Microsoft Graph Security action (currently in preview) that lets us run Graph Security API queries easily.

 

First, let’s add Microsoft Graph Security API action into our Playbook:

clipboard_image_7.png

 

And now we will look for GetAlerts function:

clipboard_image_8.png

 

Next, enable filtering on Get alerts action:

clipboard_image_9.png

Now add the Graph Security API filter from Step 1 and extend it with the datetime condition, as shown below: the filter keeps the provider and category clauses and adds a lastModifiedDateTime gt comparison against the lastModifiedDateTime_t value returned by the Run query action. Don’t forget to add a space in the “Filter alerts” box after inserting the lastModifiedDateTime_t variable from the dynamic content list.

 

This is the final Graph Security API query:

snip2.jpg

 
 

And now added into Playbook action:

Snip1.png

 
 

7.      Ingest Office 365 alerts into Azure Sentinel

As a final step, we ingest the Office 365 alerts retrieved in the previous step into the Office365Alerts_CL table by adding the Azure Log Analytics Data Collector "Send Data" action to the playbook.

Before that, add a For each action that iterates through all the Office 365 alerts returned by the Get alerts action:

clipboard_image_12.png

 

Now add the Send Data action from the Azure Log Analytics Data Collector connector:

clipboard_image_13.png

 

Now we can ingest the alerts: set the Custom Log Name to Office365Alerts (Log Analytics appends the _CL suffix, giving Office365Alerts_CL) and pass the current alert as the JSON request body. Note that you will see two CurrentItem entries in the dynamic content list; make sure you select the one that belongs to the alerts For each loop.

clipboard_image_14.png
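What the Send Data action does on the wire, as an added example that is not the original post's code. It signs and posts a batch to the Log Analytics HTTP Data Collector API with the SharedKey scheme (HMAC-SHA256 over the canonical request string, keyed with the base64-decoded workspace key) and sets Log-Type to Office365Alerts and time-generated-field to lastModifiedDateTime. The select_new guard is this example's own addition: it drops anything not strictly newer than the watermark the Step 4 query returned, so a run with a stale watermark cannot re-ingest old alerts. The workspace ID, key and alert records are constructed; post_records needs network access and a real workspace and is not exercised offline.

```python
"""Send a batch of alerts to the Office365Alerts custom log with the HTTP
Data Collector API, which is what the Logic Apps 'Send Data' action calls
underneath. Added example, not code from the original post. The watermark
guard in select_new is this example's own idempotency measure; the workspace
ID, key and records below are constructed."""
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

LOG_TYPE = "Office365Alerts"          # stored by Log Analytics as Office365Alerts_CL
TIME_FIELD = "lastModifiedDateTime"   # typed as datetime -> lastModifiedDateTime_t


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey authorization header: HMAC-SHA256 over the canonical string,
    keyed with the base64-decoded workspace key."""
    to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def _key(stamp):
    """Comparison key for a UTC ISO 8601 stamp: pad the fraction to seven
    digits so '...00.1234567Z' is not ordered before '...00.123456Z'."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    return base, (frac + "0000000")[:7]


def select_new(alerts, watermark):
    """Keep only alerts strictly newer than the watermark read from the table
    (this example's guard; the post relies on the Graph 'gt' filter alone)."""
    return [a for a in alerts if _key(a[TIME_FIELD]) > _key(watermark)]


def build_request(workspace_id, shared_key, records, now=None):
    """URL, headers and body for one POST; `now` is injectable for tests."""
    body = json.dumps(records).encode("utf-8")
    stamp = format_datetime(now or datetime.now(timezone.utc), usegmt=True)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, stamp, len(body)),
        "Log-Type": LOG_TYPE,
        "x-ms-date": stamp,
        "time-generated-field": TIME_FIELD,   # TimeGenerated = alert time, not ingest time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def post_records(workspace_id, shared_key, records):
    """Real send (not exercised offline); HTTP 200 means the batch was accepted."""
    url, headers, body = build_request(workspace_id, shared_key, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed inputs: a fake workspace, a fake base64 key and three alerts.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-workspace-key").decode("ascii")
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "Malware campaign detected",
     "lastModifiedDateTime": "2020-02-10T10:15:30.5Z"},
    {"id": "alert-2", "title": "Suspicious email forwarding",
     "lastModifiedDateTime": "2020-02-11T09:00:00Z"},
    {"id": "alert-3", "title": "Creation of forwarding/redirect rule",
     "lastModifiedDateTime": "2020-02-12T06:37:00.1234567Z"},
]
WATERMARK = "2020-02-11T09:00:00Z"   # what the Step 4 query would have returned


if __name__ == "__main__":
    fresh = select_new(SAMPLE_ALERTS, WATERMARK)
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, fresh)
    print(len(fresh), "new alert(s) ->", url)
    print(headers["Authorization"])
```

Graph timestamps carry up to seven fractional digits while a watermark that has passed through the playbook may carry fewer, so select_new pads the fraction before comparing instead of comparing raw strings. The _t suffix in lastModifiedDateTime_t comes from Log Analytics typing the ISO 8601 string as datetime when the custom log is created, which is also why the KQL in Step 4 can call arg_max on it.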

8.      Summary

To test the playbook, run it by clicking Run Trigger and selecting Recurrence on the playbook page:

clipboard_image_15.png

Once the playbook execution is completed, we can check for alerts by running query in Azure Sentinel Logs:

clipboard_image_0.png

 

And we are done. In this article we have demonstrated how to use the Graph Security API to ingest Office 365 alerts into a custom table in Azure Sentinel. We built an Azure Sentinel playbook and leveraged the new Graph Security API action to retrieve Office 365 alerts and ingest them into an Azure Sentinel custom log table. As a next step we can, for example, turn these alerts into Sentinel incidents through custom analytics rules.

 

For your reference, this is the final playbook:

snip4.jpg

 
9 Comments
Regular Contributor

The link Microsoft Security Products that support Graph Security API  appears to only take you to the Bing homepage.

Microsoft

Thanks @Gary Bushey, the link has been fixed.

Senior Member

Thanks for taking the time to put this together.

 

As per "Step 5", it seems there have been some changes to the "Run Query and List Results" step.

 

There is now a "Time Range" box.

 

My setup appears to be ingesting duplicate alerts from 365 Sec and Compliance Centre

 

Any chance you're able to test on your side and confirm if any changes need to be made to the logic app please?

Microsoft

Hi @security_maverick, yes, I've noticed these changes, I'm looking into it now. Thanks for flagging.

Regular Visitor

"Run Query and List Results" for the Azure Log Analytics connector is deprecated now. I was trying to create this playbook but could not find this. After some research, I found out about it. Looks like time management of alerts will need a new way now.

Microsoft

Hi @ihsmktier_00, where did you find that Run query has been deprecated, please? I'm not aware of it. A new version of Run query has just been released that now also includes a time range for the query.

Occasional Contributor

Hi @Stefan Simon ,

 

Brilliant article! Very detailed and the easiest example I have seen to pull events from the ISG.

 

Regards

 

Pieter 

Visitor

Quoting Stefan Simon (Microsoft):
"Hi @security_maverick, yes, I've noticed these changes, I'm looking into it now. Thanks for flagging."

 

I'm having duplicate data, did you find how to avoid it?

Thank you

Senior Member

@Ozzzz 

I am still waiting on feedback from Stefan.