I'm using the Microsoft Graph Security API to pull alerts into our SIEM, but some of the alerts I receive contain very few details. Here is an example, with some values redacted, but with all fields present:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts/$entity",
"id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
"azureTenantId": "a2c874c8-XXXX-XXXX-XXXX-fXXX56f81134",
"azureSubscriptionId": null,
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "AnomalousToken",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2022-01-05T20:52:18Z",
"description": "Anomalous token indicates that there are abnormal characteristics in the token such as token duration and authentication from unfamiliar IP address",
"detectionIds": [],
"eventDateTime": "2022-01-04T12:26:36.1726686Z",
"feedback": null,
"incidentIds": [],
"lastEventDateTime": null,
"lastModifiedDateTime": "2022-01-05T22:47:28.909877Z",
"recommendedActions": [],
"severity": "medium",
"sourceMaterials": [],
"status": "newAlert",
"title": "Anomalous Token",
"vendorInformation": {
"provider": "IPC",
"providerVersion": null,
"subProvider": null,
"vendor": "Microsoft"
},
"alertDetections": [],
"cloudAppStates": [],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"investigationSecurityStates": [],
"malwareStates": [],
"messageSecurityStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"securityResources": [],
"triggers": [],
"userStates": [
{
"aadUserId": "7b9b7027-XXXX-XXXX-bXXX-1XXXXXXX9e7",
"accountName": "NicXXX.XXXXX",
"domainName": "XXX.co.uk",
"emailRole": "unknown",
"isVpn": null,
"logonDateTime": "2022-01-04T12:26:36.1726686Z",
"logonId": null,
"logonIp": "102.11.1.15",
"logonLocation": "Accra, Greater Accra, GH",
"logonType": null,
"onPremisesSecurityIdentifier": null,
"riskScore": null,
"userAccountType": null,
"userPrincipalName": "NicXXX.XXXXX@XXX.co.uk"
}
],
"uriClickSecurityStates": [],
"vulnerabilityStates": []
}
In short, the only information I can see is that the user generated an "anomalous token" from a specific IP address. I would also like to see the host that was used, the token details, why the token was flagged as anomalous, and so on.
I see similarly sparse alerts for failed authentication attempts (Azure AD), suspicious mail-forwarding rule creation (Exchange), etc., all without meaningful details. How can I obtain those details? Or, alternatively, how should I reconfigure Graph or the data sources so that Graph can access them?