How to monitor calls to Azure CLI, Powershell, Microsoft Graph... from a user?

Steven Joseph Paredes Baquerizo 20 Reputation points
2024-09-11T18:13:31.19+00:00

Hi everyone,

I would like to know if there is a possibility to log the events of the calls made through the API to query information. The goal is to know if they are making many calls that triggers an alert in Sentinel to see if an attacker is doing an enumeration.

For example, if I run get-EntraUser -All with my user I would like to know where it is logged or if it can be logged, how would that be done?

Thanks in advance.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,273 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,159 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 108.1K Reputation points MVP
    2024-09-13T07:09:47.23+00:00

    It depends on the calls done. Most workloads do not log "read" operations in the audit log, so you will not be able to address scenarios such as enumerating users and groups. You can however audit logins to the default apps used by the Graph module or Graph explorer, or even block them altogether for end users. It will not stop custom apps, but it's a good option. https://office365itpros.com/2023/10/12/block-powershell-m365/


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.