Skip to content

f-bader/EntraIDAuditLogToMicrosoftGraph

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

.github/workflows

.github/workflows

 
 

output

output

 
 

source

source

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

Entra ID Audit Log To Microsoft Graph Request Uri

A list of Entra ID (Azure AD) Audit event names and the corresponding Microsoft Graph Request Uri

The data is provided as CSV and JSON for your convenience.

EntraIDOperationName,MicrosoftGraphRequestUri,RequestMethod,EntraIDOperationVersion
"Add conditional access policy","https:/graph.microsoft.com/<MSGraphVersion>/identity/conditionalAccess/policies",POST,"1.0"
"Delete FIDO2 security key(s)","https:/graph.microsoft.com/<MSGraphVersion>/users/<UUID>/authentication/fido2Methods/<ID>",DELETE,"1.0"

How to contribute?

Please create a pull request with your own CSV added to the source folder.

FAQ

How to create the CSV?

You must enable the Microsoft Graph activity logs in your Entra ID and forward the logs to a Log Analytics workspace. After a few days you can use the query below to generate the file in the correct format. Please create a pull request and put the file in the source directory. This way we can built a large dataset of Entra ID Activity logs to Microsoft Graph URI mappings.

AuditLogs
| where TimeGenerated > ago(90d)
| join kind=inner (
    MicrosoftGraphActivityLogs
    // Ignore GET requests
    | where RequestMethod != 'GET'
    )
    on $left.CorrelationId == $right.ClientRequestId
// Remove PII information and normalize the RequestURI
| extend NormalizedRequestUri = replace_regex(RequestUri, @'[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}', @'<UUID>')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'[a-zA-Z0-9_-]{41,65}', @'<ID>')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'\d+$', @'<ID>')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'\/+', @'/')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'https:\/', @'https://')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'%23EXT%23', @'')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'\/[a-zA-Z0-9+_.\-]+@[a-zA-Z0-9.]+\/', @'/<UPN>/')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'^\/<UUID>', @'')
| extend NormalizedRequestUri = replace_regex(NormalizedRequestUri, @'\?.*$', @'')
// Remove POST requests to the batch endpoint
| where not ( NormalizedRequestUri matches regex @"https:\/\/graph.microsoft.com\/(v1\.0|beta)/\$batch" )
| summarize by OperationName, NormalizedRequestUri, RequestMethod, OperationVersion
| project-rename
    MicrosoftGraphRequestUri = NormalizedRequestUri,
    EntraIDOperationName = OperationName,
    EntraIDOperationVersion = OperationVersion
| sort by EntraIDOperationName asc

About

A list of Entra ID (Azure AD) Audit event names and the corresponding Microsoft Graph Request Uri

Topics

hacktoberfest

Resources

Readme

License

MIT license
Activity

Stars

23 stars

Watchers

3 watching

Forks

1 fork
Report repository

Contributors 3

  •  
  •  
  •