Skip to main content

Azure Security Center

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. This integration allows you to collect data from Microsoft Graph API and send it to your account.

To integrate Microsoft Graph and

Register a new app in Azure Active Directory

In the Azure portal, go to App registration and select New registration from the top menu.

Name your app and click Register.

Create a client secret

Choose Certificates & secrets from the side menu, and click on New client secret.

Add a Description. We recommend something specific, such as "secret for Logzio-MSGraph integration".

In the Expires list, choose Never.

Click Add.

Copy the value of the generated secret to your text editor. You'll need this later.


You won't be able to retrieve the secret's value after you leave this page.

Set the app's permissions

Choose API permissions from the side menu, and click Add a permission.

Select Microsoft Graph > Application permissions.

Select this item:

  • SecurityEvents.Read.All

Click Add permissions.

Click Grant admin consent for Default Directory, and then click Yes to confirm.


Only Azure administrators can grant consent for Default Directory. If the Grant admin consent button is disabled, ask your Azure admin to update the setting for you.

Pull the Docker image of the API fetcher

docker pull logzio/logzio-api-fetcher

Create a local directory for this integration

You will need a dedicated directory to use it as mounted directory for the Docker container of the API fetcher.

mkdir logzio-api-fetcher
cd logzio-api-fetcher

Create a configuration file

In the directory created in the previous step, create a file config.yaml using the example configuration below:

url: https://<<LISTENER-HOST>>:8071

- type: azure_graph
name: azure_test
body: client_id=<<AZURE_AD_CLIENT_ID>>
method: POST
method: GET
data_date: createdDateTime
time_interval: 1
days_back_fetch: 30

URLUse the listener URL specific to the region where your account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.Required
TOKENYour account token. Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.Required
typeThe type of the OAuth API. Currently we support the following types: azure_graph, general.Required
nameThe name of the OAuth API. Please make names unique.Required
credentials.idThe OAuth API credentials id.Required
credentials.keyThe OAuth API credentials key.Required
http_request.methodThe HTTP method. Can be GET or POST.Required
http_request.urlThe OAuth API url. Make sure the url is without ? at the end.Required
http_request.headersPairs of key and value the represents the headers of the HTTP request.Optional
http_request.bodyThe body of the HTTP request. Will be added to HTTP POST requests only.Optional
token_http_request.methodThe HTTP method. Can be GET or POST.Required
token_http_request.urlThe OAuth API token request url. Make sure the url is without ? at the end.Required
token_http_request.headersPairs of key and value the represents the headers of the HTTP request.Optional
token_http_request.bodyThe body of the HTTP request. Will be added to HTTP POST requests only.Optional
json_paths.data_dateThe json path to the data's date value inside the response of the OAuth API.Required
settings.time_intervalThe OAuth API time interval between runs.Required
settings.days_back_fetchThe max days back to fetch from the OAuth API.Optional. Default value is 14 days.
filtersPairs of key and value of parameters that can be added to the OAuth API url. Make sure the keys and values are valid for the OAuth API.Optional
custom_fieldsPairs of key and value that will be added to each data and be sent to

Create a Last Start Dates text file

Create an empty text file named last_start_dates.txt in the same directory as the config file:

$ touch last_start_dates.txt

After every successful iteration of an API, the last start date of the next iteration will be written to last_start_dates.txt. Each line starts with the API name and ends with the last start date.

If you stopped the container, you can continue from the exact place you stopped, by adding the date to the API filters in the configuration.

Run the Docker container

docker run --name logzio-api-fetcher \
-v "$(pwd)":/app/src/shared \

Stop the Docker container

When you stop the container, the code will run until the iteration is completed. To make sure it will finish the iteration on time, please give it a grace period of 30 seconds when you run the docker stop command.

docker stop -t 30 logzio-api-fetcher

Check for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of your custom field type value or type api_fetcher to see the incoming Microsoft Graph logs.

If you still don’t see your logs, see log shipping troubleshooting.