Tuesday, September 17, 2019

Microsoft Azure Management API and Graph API

The Office 365 Management API pulls good information about various user, admin, system, and policy actions from the following resources:
  • Azure AD
  • Exchange Audit
  • SharePoint Audit
  • Audit General
  • DLP logs for all workloads
  • Security and Compliance Center
This helps in general operations, security, and compliance monitoring. However, this is not enough. We are still missing much valuable analytical information that could be of interest to analysts and could feed many analytics.

I believe the next step will be to integrate the Microsoft Graph Security API.
This API provides unified integration with security solutions from Microsoft and ecosystem partners. It will enable pulling logs from many Azure resources, including
  • consolidated and correlated security alerts, and
  • contextual data that aid in investigations
Here, Microsoft has leveraged big data and machine learning to evaluate events across the entire cloud fabric, thereby detecting threats that would be impossible to identify using manual approaches. This means that, with this integration, logs from the following sources are seen:
  • Azure Advanced Threat Protection
  • Azure AD Identity Protection
  • Azure Security Center
  • Azure Sentinel
  • Azure Information Protection
  • Microsoft Cloud App Security
  • Office Advanced Threat Protection
  • Defender Advanced Threat Protection
Some examples of analytics that we get from the above resources are:
  • Risky IP address
  • Login failures
  • Admin activity
  • Inactive accounts
  • Infrequent location
  • Impossible travel
  • Activity rate
  • Lateral movement paths
  • Domain dominance
  • Compromised credentials
  • Exfiltrations
  • Ransomware activity
  • Suspicious inbox forwarding
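As an added example that is not part of the original post, the script below shows how records from the Office 365 Management Activity API and alerts from the Microsoft Graph Security API can be joined into one per-user view, which is the "consolidated and correlated" picture the post argues for. It derives three of the analytics listed above (login failures, admin activity, suspicious inbox forwarding) from constructed audit records, then correlates them with constructed Graph Security alerts by user principal name and logon IP. Field names follow the two public schemas (Operation, UserId, Workload, ResultStatus, ClientIP, Parameters; id, title, severity, vendorInformation.provider, userStates); every record, alert, address and provider string is constructed sample data, and the admin-verb and review thresholds are heuristics chosen for this example, not settings from either API.

```python
from collections import defaultdict

# Constructed Office 365 Management Activity API records (sample data, not a real
# tenant). Field names follow the API's common schema: Operation, UserId, Workload,
# ResultStatus, ClientIP, plus Parameters on Exchange admin-audit records.
O365_RECORDS = [
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ResultStatus": "Failed", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ResultStatus": "Failed", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ResultStatus": "Failed", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ResultStatus": "Succeeded", "ClientIP": "203.0.113.7"},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@contoso.example",
     "ResultStatus": "True", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardTo", "Value": "collector@external.example"}]},
    {"Operation": "Set-Mailbox", "Workload": "Exchange", "UserId": "admin@contoso.example",
     "ResultStatus": "True", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.example"}]},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "bob@contoso.example",
     "ResultStatus": "Succeeded", "ClientIP": "198.51.100.9"},
]

# Constructed Microsoft Graph Security API alerts (sample data). Keys follow the
# alert resource: id, title, severity, vendorInformation.provider, userStates[].
GRAPH_ALERTS = [
    {"id": "alert-1", "title": "Impossible travel activity", "severity": "medium",
     "vendorInformation": {"provider": "Microsoft Cloud App Security"},
     "userStates": [{"userPrincipalName": "alice@contoso.example", "logonIp": "203.0.113.7"}]},
    {"id": "alert-2", "title": "Sign-in from anonymous IP address", "severity": "high",
     "vendorInformation": {"provider": "Azure AD Identity Protection"},
     "userStates": [{"userPrincipalName": "alice@contoso.example", "logonIp": "203.0.113.7"}]},
    {"id": "alert-3", "title": "Unfamiliar sign-in properties", "severity": "low",
     "vendorInformation": {"provider": "Azure AD Identity Protection"},
     "userStates": [{"userPrincipalName": "bob@contoso.example", "logonIp": "198.51.100.77"}]},
]

FORWARDING_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
ADMIN_VERBS = ("Set-", "New-", "Remove-", "Add-")  # heuristic for this example


def login_failures(records):
    """Failed UserLoggedIn events per user ('Login failures' in the post)."""
    counts = defaultdict(int)
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r["ResultStatus"] == "Failed":
            counts[r["UserId"]] += 1
    return dict(counts)


def forwarding_rules(records):
    """(user, destination) for inbox rules that forward or redirect mail
    ('Suspicious inbox forwarding' in the post)."""
    return [(r["UserId"], p["Value"])
            for r in records if r["Operation"] in ("New-InboxRule", "Set-InboxRule")
            for p in r.get("Parameters", []) if p["Name"] in FORWARDING_PARAMS]


def admin_activity(records):
    """Exchange cmdlets with an admin verb, per actor ('Admin activity' in the post).
    Mailbox-owner cmdlets (*-InboxRule) are excluded so user self-service is not counted."""
    ops = defaultdict(list)
    for r in records:
        op = r["Operation"]
        if r["Workload"] == "Exchange" and op.startswith(ADMIN_VERBS) and not op.endswith("-InboxRule"):
            ops[r["UserId"]].append(op)
    return dict(ops)


def correlate(records, alerts):
    """One entry per user joining audit-derived analytics with Graph Security alerts.
    'ip_seen_in_audit' is true when an alert's logonIp also appears as a ClientIP in
    that user's audit records, tying the alert to activity the tenant itself logged."""
    failures, rules, admin = login_failures(records), forwarding_rules(records), admin_activity(records)
    ips = defaultdict(set)
    for r in records:
        ips[r["UserId"]].add(r["ClientIP"])
    users = set(ips) | {s["userPrincipalName"] for a in alerts for s in a.get("userStates", [])}
    view = {u: {"failed_logins": failures.get(u, 0),
                "forwarding": [dest for who, dest in rules if who == u],
                "admin_ops": admin.get(u, []),
                "alerts": [], "ip_seen_in_audit": False} for u in users}
    for a in alerts:
        for s in a.get("userStates", []):
            entry = view[s["userPrincipalName"]]
            entry["alerts"].append((a["vendorInformation"]["provider"], a["severity"], a["title"]))
            if s.get("logonIp") in ips[s["userPrincipalName"]]:
                entry["ip_seen_in_audit"] = True
    return view


def needs_review(view, failure_threshold=3):
    """Users worth an analyst's time: any forwarding rule, or repeated logon
    failures combined with at least one alert from any provider."""
    return sorted(u for u, e in view.items()
                  if e["forwarding"] or (e["failed_logins"] >= failure_threshold and e["alerts"]))


if __name__ == "__main__":
    consolidated = correlate(O365_RECORDS, GRAPH_ALERTS)
    for user in needs_review(consolidated):
        print(user, consolidated[user])
```

In a real deployment the two constants would be replaced by the paged content blobs from the Management Activity API and the `/security/alerts` collection from Microsoft Graph; the join logic stays the same, and the `ip_seen_in_audit` flag is the cheapest check for whether a provider's alert corresponds to something the tenant's own audit trail saw.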
