Using ThreatLockDown to monitor Microsoft Graph

New in version 4.6.0.

This section provides instructions for monitoring Microsoft Graph API resources and relationships within your organization.

Currently, the module allows you to monitor the following with Wazuh:

  • Microsoft Entra ID Protection

  • Microsoft 365 Defender

  • Microsoft Defender for Cloud Apps

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Microsoft Defender for Office 365

  • Microsoft Purview eDiscovery

  • Microsoft Purview Data Loss Prevention (DLP)

While these are centric to the security resource, the Microsoft Graph REST API contains a large number of additional resources that can be monitored. See the Overview of Microsoft Graph documentation to learn more.

Note

Currently, only the security resource can be considered mature as it's the only one tested and with pre-made rules. However, the logs of other resources can still be ingested at your organization's discretion.