Monitoring Entra ID activities with Graph - ToddMaxey/Technical-Documentation GitHub Wiki

Microsoft Graph:

Current list of possible event logs available in Azure Graph:

/auditLogs/applicationManagement : Event log for application management activities.

/auditLogs/appRoleAssignments : Event log for application role assignments.

/auditLogs/directoryAudits : Event log for directory-level administrative activities.

/auditLogs/directoryManagement : Event log for directory-level management activities.

/auditLogs/directoryRole : Event log for directory role activities.

/auditLogs/directoryRoleTemplate : Event log for directory role template activities.

/auditLogs/groupMembership : Event log for group membership changes.

/auditLogs/managedIdentity : Event log for managed identity activities.

/auditLogs/oauth2PermissionGrants : Event log for OAuth 2.0 permission grants.

/auditLogs/policy : Event log for policy-related activities.

/auditLogs/rbacResourceWrite : Event log for RBAC resource write operations.

/auditLogs/rbacRoleAssignmentWrite : Event log for RBAC role assignment write operations.

/auditLogs/resourceManagement : Event log for resource management activities.

/auditLogs/roleAssignments : Event log for role assignment and changes.

/auditLogs/roleManagement : Event log for role management activities.

/auditLogs/servicePrincipals : Event log for service principal-related activities.

/auditLogs/signIns : Event log for user sign-in activities.

/auditLogs/userManagement : Event log for user management activities.

Please note that the availability of these event logs may vary based on the specific Azure services and features you are using. Additionally, new event logs may be introduced over time as Azure evolves.

Enable or configure Azure Graph logging

To enable or configure each of the Azure Graph logging types listed above, you'll need to take specific steps in Azure. Here's a breakdown of what needs to be done for each audit log to be present and active:

  1. /auditLogs/applicationManagement:
    • No specific configuration is required. This log should be available by default when application management activities occur.

  2. /auditLogs/appRoleAssignments:
    • Application role assignments are logged automatically when they occur, and no additional configuration is needed.

  3. /auditLogs/directoryAudits:
    • Azure AD audit logging should be enabled at the directory level. You can enable it in the Azure portal by going to Azure Active Directory > Monitoring > Audit logs and selecting the appropriate audit log settings.

  4. /auditLogs/directoryManagement:
    • Azure AD audit logging should be enabled at the directory level. Follow the same steps as mentioned for /auditLogs/directoryAudits to enable directory management auditing.

  5. /auditLogs/directoryRole:
    • Directory role activities are audited by default when they occur, and no specific configuration is needed.

  6. /auditLogs/directoryRoleTemplate:
    • Directory role template activities are audited by default, and no additional configuration is required.

  7. /auditLogs/groupMembership:
    • Azure AD audit logging should be enabled at the directory level to capture group membership changes. Refer to the steps mentioned for /auditLogs/directoryAudits to enable auditing.

  8. /auditLogs/managedIdentity:
    • Managed identity activities are automatically logged when they occur, and no additional configuration is required.

  9. /auditLogs/oauth2PermissionGrants:
    • OAuth 2.0 permission grants are logged automatically when they occur, and no specific configuration is needed.

  10. /auditLogs/policy:
    • Azure AD audit logging should be enabled at the directory level to capture policy-related activities. Follow the steps mentioned for /auditLogs/directoryAudits to enable auditing.

  11. /auditLogs/rbacResourceWrite:
    • Resource write operations related to RBAC are automatically logged, and no specific configuration is required.

  12. /auditLogs/rbacRoleAssignmentWrite:
    • RBAC role assignment write operations are logged by default when they occur, and no additional configuration is needed.

  13. /auditLogs/resourceManagement:
    • Resource management activities are automatically logged, and no specific configuration is required.

  14. /auditLogs/roleAssignments:
    • Role assignments and changes are logged by default, and no additional configuration is needed.

  15. /auditLogs/roleManagement:
    • Role management activities are logged automatically when they occur, and no specific configuration is required.

  16. /auditLogs/servicePrincipals:
    • Service principal-related activities are logged by default, and no additional configuration is needed.

  17. /auditLogs/signIns:
    • User sign-in activities are logged automatically when Azure AD sign-in auditing is enabled. Enable sign-in auditing in the Azure portal by going to Azure Active Directory > Monitoring > Sign-ins and selecting the appropriate settings.

  18. /auditLogs/userManagement:
    • User management activities are logged by default, and no specific configuration is required.

Note: The availability and retention of audit logs may depend on the Azure subscription type and configuration. Ensure that you have the necessary permissions and access to enable and view audit logs in Azure.

Graph query parameters

The Azure Graph API provides several query parameters that you can use to customize and refine your API requests. Here are some commonly used query parameters along with their usage examples:

$batch: Allows batching multiple requests into a single request.

  • For example: Send a batch request containing multiple individual requests within a single HTTP request.

$count: Returns the count of entities without returning the actual entities.

  • For example: /users?$count=true: Retrieves the count of users without returning the user details.

$countOnly: Returns only the count of entities without returning the actual entities.

  • For example: /users?$countOnly=true: Retrieves only the count of users without returning the user details.

$deltalink: Retrieves a delta link to track changes in subsequent requests.

  • For example: /users?$deltalink: Retrieves a delta link that can be used to retrieve changes since the last request.

$expand: Expands related entities or properties in the response.

  • For example: /users?$expand=memberOf: Retrieves users along with their associated group memberships.

$filter: Used to filter the results based on specific conditions.

  • For example: /users?$filter=displayName eq 'John Doe': Retrieves users with the display name 'John Doe'.

$format: Specifies the format of the response.

  • For example: /users?$format=json: Retrieves the response in JSON format.

$levels: Specifies the depth of expansion when using $expand.

  • For example: /users?$expand=memberOf($levels=1): Retrieves users and expands their immediate group memberships.

$orderby: Specifies the sorting order of the results based on a property.

  • For example: /users?$orderby=displayName desc: Retrieves users sorted in descending order based on their display name.

$search: Performs a full-text search across specified properties.

  • For example: /users?$search="John Doe": Retrieves users that match the search term "John Doe".

$searchMode: Specifies the search mode for the $search parameter.

  • For example: /users?$search="John Doe"&$searchMode=all: Retrieves users where all the search terms ("John" and "Doe") are present.

$select: Specifies the properties to include in the response.

  • For example: /users?$select=id,displayName,mail: Retrieves users with only the 'id', 'displayName', and 'mail' properties included in the response.

$skip: Skips a specified number of results.

  • For example: /users?$skip=5: Skips the first 5 users and retrieves the subsequent results.

$skiptoken: Used for paging through large result sets.

  • For example: /users?$top=10&$skiptoken=: Retrieves the next set of 10 users using the provided skip token.

$top: Limits the number of results returned.

  • For example: /users?$top=10: Retrieves only the top 10 users.

Real world working Graph query Examples

/auditLogs/signIns?&$filter=authenticationDetail/authenticationStepDateTime ge '1933-04-29T16:20:00Z' and (userId eq '4c1474b3-2666-77d1-a46a-4475e3d67f')

  • For example: Look for a specific user with a sign-in time equal to or greater than the specified time (the OData operator for "greater than or equal" is ge).

/auditLogs/signIns?&$filter=(userAgent eq 'python-requests/2.28.1')

  • For example: Look for a sign-in event where the userAgent is 'python-requests/2.28.1'

/auditLogs/signIns?&$filter=createdDateTime le 2023-06-11T14:04:49Z and (location/countryOrRegion eq 'RU')

  • For example: Look for sign-in events created on or before the specified time whose location resolves to Russia ('RU')

/auditLogs/signIns?&$filter=(signInEventTypes/any (t: t eq 'servicePrincipal' or t eq 'interactiveUser' or t eq 'noninteractiveUser' or t eq 'managedIdentity')) and ((autonomousSystemNumber eq 8100) or (autonomousSystemNumber eq 22612) or (autonomousSystemNumber eq 46562) or (autonomousSystemNumber eq 207743) or (autonomousSystemNumber eq 396356) or (appDisplayName eq 'CloudSponge'))

  • For example: Find the sign-in events for Service Principals, Interactive Users, Noninteractive Users, or Managed Identities that originated from one of the following ASNs: 8100, 22612, 46562, 207743, 396356, or that are signing in to the application named 'CloudSponge'

/auditLogs/signIns?&$filter=userPrincipalName eq '[email protected]' and (signInEventTypes/any (t: t eq 'servicePrincipal' or t eq 'interactiveUser' or t eq 'noninteractiveUser' or t eq 'managedIdentity')) and ((status/errorCode eq 50140) or (status/errorCode eq 0))

  • For example: Find all sign-ins for the given user that have a return code of 0 (Successful) or 50140 (Interrupt - Keep Me Signed In [KMSI]), which a threat actor will typically set when logging into Azure with a stolen credential.
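The query parameters and the ASN / sign-in-type filter above, as an added Python example that is not part of this wiki: it assembles the $filter and the request URL from lists instead of by hand (so operators and quoting stay correct) and pages through results by following @odata.nextLink. The Graph version prefix, the bearer-token source and the fetch helper are assumptions, not something the wiki specifies.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator

# Assumed version prefix: check which Graph version exposes the properties you filter on.
GRAPH_BASE = "https://graph.microsoft.com/beta"

def odata_str(value: str) -> str:
    """Quote a string for an OData $filter; an embedded quote is doubled."""
    return "'" + value.replace("'", "''") + "'"

def any_of(prop: str, literals: Iterable[str]) -> str:
    """(prop eq a) or (prop eq b) ... from already formatted literals."""
    return " or ".join(f"({prop} eq {lit})" for lit in literals)

def signin_filter(event_types: Iterable[str], asns: Iterable[int],
                  app_names: Iterable[str]) -> str:
    """Same shape as the wiki's ASN / CloudSponge query, assembled from lists."""
    types = " or ".join(f"t eq {odata_str(t)}" for t in event_types)
    origin = any_of("autonomousSystemNumber", (str(a) for a in asns))
    apps = any_of("appDisplayName", (odata_str(a) for a in app_names))
    return f"(signInEventTypes/any(t: {types})) and ({origin} or {apps})"

def signins_url(flt: str, select: Iterable[str] = (), top: int = 0) -> str:
    """Assemble /auditLogs/signIns with $filter, $select and $top; values percent-encoded."""
    params = {"$filter": flt}
    if select:
        params["$select"] = ",".join(select)
    if top:
        params["$top"] = str(top)
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in params.items())
    return f"{GRAPH_BASE}/auditLogs/signIns?{query}"

def graph_fetch(token: str) -> Callable[[str], dict]:
    """Fetcher that GETs a Graph URL with a bearer token (token acquisition is assumed)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_signins(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield sign-in records, following @odata.nextLink until the server omits it."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")
```

To run it against a tenant, pass graph_fetch(token) as the fetcher; for offline checks, any callable that maps a URL to a page dict works, which is how the paging logic can be unit-tested.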

Azure sign-in types

There are several different signInEventTypes that can be used to filter sign-in logs in Azure AD. Some of the most common signInEventTypes include:

• interactiveUser: Sign-ins where a user interactively signed in to an application.

• nonInteractiveUser: Sign-ins where a user signed in to an application without interaction.

• servicePrincipal: Sign-ins performed by service principals.

• managedIdentity: Sign-ins performed by managed identities.

• phoneFactor: Sign-ins performed using phone factor authentication.

Here is a detailed explanation of the 5 types of Azure logins:

  1. interactiveUser: This refers to sign-ins where a user interactively signed in to an application. This means that the user provided their credentials, such as a username and password, to sign in to the application.

  2. nonInteractiveUser: This refers to sign-ins where a user signed in to an application without interaction. This means that the user was signed in automatically, without the need to provide their credentials.

  3. servicePrincipal: This refers to sign-ins performed by service principals. A service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

  4. managedIdentity: This refers to sign-ins performed by managed identities. A managed identity is an identity in Azure AD that is automatically managed by Azure. It can be used to authenticate to services that support Azure AD authentication.

  5. phoneFactor: This refers to sign-ins performed using phone factor authentication. This includes methods such as receiving a text message or phone call with a verification code, or using the Microsoft Authenticator app to approve a sign-in request. These methods provide an additional layer of security by requiring the user to have access to their phone in order to sign in.

| Category | Purpose | Query |
| --- | --- | --- |
| Location | Sign-ins from a specific country | /auditLogs/signIns?&$filter=location/countryOrRegion eq 'RU' |
| | Successful sign-ins from a specific country | /auditLogs/signIns?&$filter=(location/countryOrRegion eq 'RU') and (status/errorCode eq 0) |
| User | Sign-ins by a specific user | /auditLogs/signIns?&$filter=userId eq 'aefc8c90-9503-4d1f-b0ef-8d47779713e4' |
| | Sign-ins by a specific user | /auditLogs/signIns?&$filter=userId eq '8d977206-96bd-4bcb-9426-ccc1a7a3bf25' |
| User Agent | Sign-ins by a specific user agent | /auditLogs/signIns?&$filter=userAgent eq 'python-requests/2.28.1' |
| Status | Failed sign-ins | /auditLogs/signIns?&$filter=status/errorCode ne 0 |
| | Sign-ins with a specific sign-in status | /auditLogs/signIns?&$filter=status/additionalDetails/any(x:x/key eq 'SignInStatus' and x/value eq 'Interrupted') |
| IP Address | Sign-ins from a specific IP address | /auditLogs/signIns?&$filter=ipAddress eq '203.0.113.0' |
| Application | Sign-ins from a specific application | /auditLogs/signIns?&$filter=appId eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' |
| Risk | Sign-ins with a specific risk level | /auditLogs/signIns?&$filter=riskLevel eq 'high' |
| | Sign-ins with a specific risk event type | /auditLogs/signIns?&$filter=riskEventTypes/any(t: t eq 'unfamiliarFeatures') |
| | Risky users with a specific risk state | /identityProtection/riskyUsers?$filter=riskState eq 'atRisk' |
| | Risk detections with a specific risk level and risk event type | /identityProtection/riskDetections?$filter=riskLevel eq 'high' and riskEventType eq 'unfamiliarFeatures' |
| Client App | Sign-ins with a specific client app used | /auditLogs/signIns?&$filter=clientAppUsed eq 'Mobile Apps and Desktop clients' |
| MFA | Sign-ins with a specific MFA requirement | /auditLogs/signIns?&$filter=authenticationRequirement eq 'multiFactorAuthentication' |
| | Sign-ins with a specific MFA result | /auditLogs/signIns?&$filter=authenticationResult eq 'success' |
| Conditional Access | Sign-ins with a specific conditional access status | /auditLogs/signIns?&$filter=conditionalAccessStatus eq 'success' |
| Device Detail | Sign-ins with a specific device detail | /auditLogs/signIns?&$filter=deviceDetail/operatingSystem eq 'Windows 10' |
| Correlation ID | Sign-ins with a specific correlation ID | /auditLogs/signIns?&$filter=correlationId eq 'aefc8c90-9503-4d1f-b0ef-8d47779713e4' |
| Resource Display Name | Sign-ins with a specific resource display name | /auditLogs/signIns?&$filter=resourceDisplayName eq 'Microsoft Graph' |
| Token Issuer | Sign-ins with a specific token issuer | /auditLogs/signIns?&$filter=tokenIssuerName eq 'AzureAD' |
