OrangeCon

Graph API Mastery - Logs to Real World Attacks
09-05, 15:00–15:20 (Europe/Amsterdam), Second track

In this presentation, we will explore the potential of Microsoft Graph API logs, focusing on their use for enhancing security and insights, and on real-world attack scenarios within M365 environments. We begin by detailing the process of obtaining the logs. We'll talk about the fields that are critical for monitoring and analysis, correlatable fields, and useful KQL functions that help. We will also compare delegated and application permissions to help attendees understand their distinct attack use cases and best practices.

The discussion will move to common attack patterns using Graph API, offering strategies for threat hunting and detection. Real-world stories from the frontlines will illustrate how organizations have successfully used Graph API logs to mitigate security incidents. We will also highlight significant contributions from researchers and authors who have done great research in this field. The presentation will conclude with a summary of best practices and actionable insights for leveraging Microsoft Graph API logs to their fullest potential. This session aims to equip security professionals with the knowledge to use Microsoft Graph API logs effectively.


Graph API Mastery: From Logs to Real-World Impact

Introduction

Microsoft Graph API provides a unified endpoint to access Microsoft 365 services, enabling developers to build powerful applications that integrate deeply with the Microsoft ecosystem. This presentation will explore how to leverage Graph API logs for enhanced operational security.

Obtaining the Logs
We will discuss methods to access and retrieve logs from Graph API, focusing on setting up appropriate permissions and using relevant endpoints to gather valuable data.

Correlatable Fields & Useful Functions
Learn about fields that can be correlated across different logs and systems to create a comprehensive view of user and application activities. We will also cover useful KQL functions for data analysis.

Delegated vs Application Permissions
Understand the differences between delegated and application permissions, their use cases, and best practices for managing permissions to ensure security and compliance.

Attack Patterns and Hunting/Detection Opportunities
Explore common attack patterns targeting Microsoft Graph API and discover strategies for threat hunting and detection. We will highlight specific indicators of compromise and techniques to identify malicious activities.

From the Frontlines – Real World Stories
Real-world examples and case studies illustrating attacks observed on the frontlines, highlighting how organizations could have used Graph API logs to prevent or monitor security incidents.

Highlighting Other Researchers and Their Work
Highlight contributions from other researchers and authors who have done great work on Microsoft Graph API research. This will include a brief overview of who to follow and what they've done.

Conclusion
A summary of key takeaways and best practices for leveraging Microsoft Graph API logs in your organization, with emphasis on the importance of continuous monitoring and the potential for future enhancements. This session aims to equip security professionals with the knowledge to use Microsoft Graph API logs effectively.

Shiva is currently working as a Sr. Security Researcher at Microsoft DART.

With a background in engineering and operational security, he has over nine years of experience working in various parts of security operations, specializing in Threat Hunting, Incident Response, Detection Engineering, and helping build SOCs from the ground up.

Apart from work, he loves trekking and is an avid gamer.

Parthiban is working as a Sr. Threat Intelligence Analyst at Atlassian, with around 10 years of experience in the cybersecurity domain, and holds a Master's degree in Information Security & Cyber Forensics. Previously he worked as a Threat Researcher at Anomali as part of the Threat Research Team, where he was responsible for researching and tracking threat actors, writing threat intel blogs, and analyzing actor infrastructure. He also worked as an Incident Handler at Symantec and Microsoft, handling various security incidents and attacks on Fortune 500 companies. Outside of work, he enjoys traveling and exploring different cuisines.