Azure Microsoft Graph Activity Logs Test
Microsoft Graph activity logs are an audit trail of all HTTP requests that the Microsoft Graph service received and processed for a tenant. The activity logs consist of a list of API requests originating from SDKs, API clients, Microsoft applications, and business applications.
Using the Azure Microsoft Graph Activity Logs test, administrators can:
- Spot problematic or unforeseen behaviour in client applications or SDKs;
- Obtain insights into the activities carried out by a compromised user account;
- Analyze and detect potentially suspicious or unusual usage of Microsoft Graph APIs;
- Establish connections between Microsoft Graph requests made by a user or app and corresponding sign-in information.
Additionally, this test helps administrators identify whether HTTP requests failed and how: it breaks the responses down into redirections, client errors, server errors, and specifically unauthorized (401), forbidden (403) and not found (404) errors.
Target of the Test: A Microsoft Azure Entra ID
Agent deploying the test: A remote agent
Output of the test: One set of results for the Microsoft Azure Entra ID tenant being monitored.
| Parameters | Description |
|---|---|
| Test Period | How often should the test be executed. |
| Host | The host for which the test is to be configured. |
| Tenant ID | Specify the Directory ID of the Microsoft Azure Entra ID tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Entra Using Microsoft Graph API. |
| Client ID, Client Password, and Confirm Password | To connect to Microsoft Azure Entra ID, the eG agent requires an access token, obtained using an Application ID and a client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Microsoft Azure Entra ID. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Entra Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box. |
| Proxy Host and Proxy Port | In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy. |
| Proxy Username, Proxy Password and Confirm Password | If the proxy server requires authentication, then specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box. |
| Microsoft Graph Activity Logs Workspace Name | The Microsoft Graph Activity Logs Workspace name identifies the specific Azure Log Analytics workspace where Graph API activity logs from the Entra ID tenant are streamed and stored for analysis. Specify that name in the Microsoft Graph Activity Logs Workspace Name text box. |
| Public Client DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the Public Client measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| Client Secret DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the Client Secret measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| Client Certificate DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the Client Certificate measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPPost DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPPost measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPGet DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPGet measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPPut DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPPut measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPDelete DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPDelete measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPPatch DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPPatch measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| HTTPOptions DD | By default, this flag is set to No. This implies that by default, detailed metrics will not be available for the HTTPOptions measure of this test. To enable detailed diagnosis for this measure, set this flag to Yes. |
| DD Frequency | Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency. |
| Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Requests with success response code | Indicates the number of requests with a success response code. | Number | |
| Requests with redirection response code | Indicates the number of requests with a redirection response code. | Number | |
| Requests with client errors response code | Indicates the number of requests with a client error response code. | Number | Use the Detailed Diagnosis report of this measure to view further details on the HTTP requests that were returned with client errors. |
| Requests with server errors response code | Indicates the number of requests with a server error response code. | Number | |
| Requests with unauthorized errors | Indicates the number of requests with unauthorized errors. | Number | A very high value of this measure signals an elevated rate of 401 Unauthorized responses across API calls in the Entra ID tenant. |
| Requests with forbidden errors | Indicates the number of requests with forbidden errors. | Number | |
| Requests with 404 errors | Indicates the number of requests with 404 errors. | Number | A very high value of this measure indicates frequent "Not Found" responses when apps or services query non-existent resources in the Entra ID tenant. |
| Requests with not acceptable errors | Indicates the number of requests with not acceptable errors. | Number | |
| Unique public applications used | Indicates the number of unique public applications. | Number | |
| Unique confidential client ID credentials used | Indicates the number of unique confidential client ID credentials. | Number | |
| Unique confidential client certificates used | Indicates the number of unique confidential client certificates. | Number | |
| Unique client IP addresses with successful responses | Indicates the number of unique client IP addresses with successful responses. | Number | |
| Unique locations with successful responses | Indicates the number of unique locations with successful responses. | Number | |
| Unique applications with successful responses | Indicates the number of unique applications with successful responses. | Number | |
| Unique client IP addresses with failed responses | Indicates the number of unique client IP addresses with failed responses. | Number | Use the Detailed Diagnosis report of this measure to isolate HTTP request failures by IP address, location and application. |
| Unique locations with failed responses | Indicates the number of unique locations with failed responses. | Number | A very high value of this measure indicates API failures originating from diverse IP addresses or geographic regions in the Entra ID tenant. |
| Unique applications with failed responses | Indicates the number of unique applications with failed responses. | Number | A very high value of this measure signals diverse service principals or app registrations in the Entra ID tenant generating errors like 401s, 403s, or 404s. |
| Total POST requests | Indicates the total number of POST requests. | Number | POST, GET, PUT, DELETE, PATCH, and OPTIONS are standard HTTP methods logged in Microsoft Graph Activity Logs within Entra ID, representing the API request types sent to Graph endpoints. |
| Total GET requests | Indicates the total number of GET requests. | Number | |
| Total PUT requests | Indicates the total number of PUT requests. | Number | |
| Total DELETE requests | Indicates the total number of DELETE requests. | Number | |
| Total PATCH requests | Indicates the total number of PATCH requests. | Number | |
| Total OPTIONS requests | Indicates the total number of OPTIONS requests. | Number | |
| User agents used | Indicates the number of user agents. | Number | |
| Total requests in the last measurement period | Indicates the total number of requests captured by the activity logs during the last measurement period. | Number | |
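The following is an added example, not eG Enterprise code, showing how the measures in the table above can be derived from raw Graph activity log rows. The sample rows are constructed; the column names (ResponseStatusCode, RequestMethod, IPAddress, Location, AppId, UserAgent, ClientAuthMethod) and the meaning of ClientAuthMethod values are assumptions about the Log Analytics schema, not taken from this page.

```python
from collections import Counter

# Constructed sample rows (not from the page). Column names follow the assumed
# MicrosoftGraphActivityLogs schema; ClientAuthMethod assumed 0=public client,
# 1=client secret, 2=client certificate/assertion.
COLUMNS = ("ResponseStatusCode", "RequestMethod", "IPAddress", "Location", "AppId", "UserAgent", "ClientAuthMethod")
SAMPLE_LOGS = [dict(zip(COLUMNS, v)) for v in [
    (200, "GET",    "203.0.113.10", "NL", "app-A", "Graph-SDK/1.0", 0),
    (201, "POST",   "203.0.113.10", "NL", "app-A", "Graph-SDK/1.0", 0),
    (302, "GET",    "198.51.100.7", "US", "app-B", "curl/8.0", 1),
    (401, "GET",    "198.51.100.7", "US", "app-B", "curl/8.0", 1),
    (403, "DELETE", "192.0.2.55",   "BR", "app-C", "python-requests/2.31", 2),
    (404, "GET",    "192.0.2.55",   "BR", "app-C", "python-requests/2.31", 2),
    (406, "PATCH",  "192.0.2.55",   "BR", "app-C", "python-requests/2.31", 2),
    (503, "PUT",    "203.0.113.10", "NL", "app-A", "Graph-SDK/1.0", 0),
]]

AUTH_METHOD = {0: "public_apps", 1: "client_secret_apps", 2: "client_certificate_apps"}

def summarize(rows):
    """Compute the test's measures for one measurement period from raw log rows."""
    m = Counter()
    for r in rows:
        c = r["ResponseStatusCode"]
        m["success"] += 200 <= c < 300
        m["redirection"] += 300 <= c < 400
        m["client_error"] += 400 <= c < 500
        m["server_error"] += c >= 500
        m["unauthorized"] += c == 401
        m["forbidden"] += c == 403
        m["not_found"] += c == 404
        m["not_acceptable"] += c == 406
        m["method_" + r["RequestMethod"]] += 1
    # Unique applications per client authentication type (Public Client, Client Secret, Client Certificate).
    for code, name in AUTH_METHOD.items():
        m[name] = len({r["AppId"] for r in rows if r["ClientAuthMethod"] == code})
    # Unique IPs, locations and apps, split into successful (2xx) and failed (4xx/5xx) requests.
    subsets = {"ok": [r for r in rows if 200 <= r["ResponseStatusCode"] < 300],
               "failed": [r for r in rows if r["ResponseStatusCode"] >= 400]}
    for label, subset in subsets.items():
        for key, col in (("ips", "IPAddress"), ("locations", "Location"), ("apps", "AppId")):
            m[f"unique_{key}_{label}"] = len({r[col] for r in subset})
    m["user_agents"] = len({r["UserAgent"] for r in rows})
    m["total"] = len(rows)
    return dict(m)

def failed_by_origin(rows):
    """Detailed-diagnosis style view: failed requests grouped by IP, location and app."""
    return Counter((r["IPAddress"], r["Location"], r["AppId"])
                   for r in rows if r["ResponseStatusCode"] >= 400)
```

A sudden rise in unique_apps_failed or unique_locations_failed, relative to the same measures for successful requests, is the pattern the interpretation column above describes; failed_by_origin shows which IP, location and app combinations are producing the failures.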