
Office 365 and Azure Data Availability



Data Availability and Collection Times

Secureworks® Taegis™ XDR ingest time represents the time taken to collect, normalize, and store data. Differences between the timestamps in the original log data and the time of Secureworks® Taegis™ XDR ingest may include delays in the availability of the data from the source API. All Azure and Office 365 data collection and resulting data availability follow these standards:

Important

Users may observe a disparity between the Event Create Time and Ingest Time timestamps of an event or alert when the API makes activity logs available for historical time periods. This is because Event Create Time is based on the observed timestamp from the original data, and Ingest Time is based on when Secureworks collected and normalized the log from the API.

Data Collection Variables

Microsoft Office 365 Management API

The Office 365 Management Activity API allows several variables for input when querying data. This section describes how these variables are used when collecting data.

Microsoft Graph API—Alerts Resource

The alert resource type of the Microsoft Graph API allows several variables for input when querying data. The following describes how these variables are used when collecting data.

Microsoft Graph API—Directory Audit Resource

The directoryAudit resource type of the Microsoft Graph API allows several variables for input when querying data. The following describes how these variables are used when collecting data.

Microsoft Graph API—Sign In Resource

The sign-in resource of the Microsoft Graph API allows several variables for input when querying data. The following describes how these variables are used when collecting data.

Microsoft Azure Active Directory Activity Reports

Data is polled on a recurring basis using two configuration parameters—polling interval and lag time.
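The following added example (not Secureworks code) models a poller driven by a polling interval and a lag time, and shows why Ingest Time trails Event Create Time by at least the lag. The window formula, the 5-minute interval, the 10-minute lag, and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def poll_windows(start, polls, interval, lag):
    """Yield (poll_time, window_start, window_end) for each poll.

    Assumed model: a poll at time T queries the half-open window
    [T - lag - interval, T - lag), so consecutive windows are
    contiguous and never overlap.
    """
    for i in range(polls):
        poll_time = start + i * interval
        window_end = poll_time - lag
        yield poll_time, window_end - interval, window_end

def ingest_time(event_create, start, polls, interval, lag):
    """Return the poll time whose window covers event_create, else None."""
    for poll_time, w_start, w_end in poll_windows(start, polls, interval, lag):
        if w_start <= event_create < w_end:
            return poll_time
    return None

# Constructed sample configuration (not values from the product).
INTERVAL = timedelta(minutes=5)
LAG = timedelta(minutes=10)
START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLLS = 12  # one hour of polling

def ingest_delay(event_create):
    """Ingest Time minus Event Create Time under the assumed model."""
    collected = ingest_time(event_create, START, POLLS, INTERVAL, LAG)
    return None if collected is None else collected - event_create

if __name__ == "__main__":
    for minute in (0, 3, 50):
        created = START + timedelta(minutes=minute)
        print(created.isoformat(), "->", ingest_delay(created))
```

Under this model the disparity always falls in the range (lag, lag + interval], which gives a baseline to compare against when reviewing timestamp gaps in collected events.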

Microsoft Azure Monitor API—Activity Log Resource

Data Collection Content and Accuracy

In all collection cases, variables used when collecting data are only altered for the purpose of exposing additional logs. Data contained within a log is stored in the original_data field, and no input variables are used that alter the content of a response or original log. If users experience anomalies in the content of a JSON/log, Secureworks recommends working with the vendor to determine why the log is malformed as stored or returned by the respective API.

Additional References

 
