Connect Cribl Search to Microsoft Graph API
Configure Cribl Search to query a Microsoft Graph API endpoint.
With Microsoft Graph, you can access data across all Microsoft 365 services.
In this guide, you’ll set up a Dataset Provider and a Dataset to search your Microsoft Entra ID or Microsoft 365 account(s). The following endpoints are supported:
- agreementAcceptances
- agreements
- applicationTemplates
- applications
- authenticationMethodConfigurations
- certificateBasedAuthConfiguration
- chats
- connections
- contacts
- contracts
- dataPolicyOperations
- devices
- directoryObjects
- directoryRoleTemplates
- directoryRoles
- domainDnsRecords
- domains
- drives
- filterOperators
- functions
- groupLifecyclePolicies
- groupSettingTemplates
- groupSettings
- groups
- identityProviders
- invitations
- localizations
- oauth2PermissionGrants
- organization
- permissionGrants
- places
- schemaExtensions
- scopedRoleMemberships
- servicePrincipals
- shares
- sites
- subscribedSkus
- subscriptions
- teamsTemplates
- teams
- users
Add a Microsoft Graph API Dataset Provider
A Dataset Provider tells Cribl Search where to query and contains access credentials. Here, you will add a Microsoft Graph API Dataset Provider.
To add a new Dataset Provider, select Data, then Dataset Providers, then Add Provider.
Set the following configurations in the New Dataset Provider modal:
- ID is a unique identifier for the Dataset Provider. This is how you’ll reference it when assigning Datasets to it. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example, my_dataset_provider_1).
- Description is optional.
- Set Dataset Provider Type to Microsoft Graph API.
- Select Add Configuration to specify your Microsoft Graph account(s).
- Account Name is the Microsoft Graph account name.
- Tenant ID is the ID of the Microsoft Entra ID or Microsoft 365 tenant to retrieve information from.
- Client ID is the ID of the application that will connect to the Microsoft Entra ID or Microsoft 365 account.
- Client Secret is the key that will be used as the secret in the connection to the Microsoft Entra ID or Microsoft 365 account.
- Select Save when finished.
Add a Microsoft Graph API Dataset
Now you’ll add a Dataset that tells Cribl Search what data to search from the Dataset Provider.
To add a new Dataset, select Data, then Datasets, then Add Dataset.
Set the following configurations in the New Dataset modal:
- ID is an identifier unique for both Cribl Search and Cribl Lake. You’ll use this to specify the Dataset in a query’s scope, telling Cribl Search to search the Dataset. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example, my_dataset_1).
- Description is optional.
- Set Dataset Provider to the ID of a Microsoft Graph API Dataset Provider.
- Select Add endpoint to select the endpoints for your Dataset.
- Enabled endpoints: Select an endpoint from the drop-down menu. For details on the endpoints, see the Microsoft Graph REST API reference docs.
Your options are:
invitations, users, applicationTemplates, authenticationMethodConfigurations, identityProviders, applications, certificateBasedAuthConfiguration, contacts, contracts, devices, directoryObjects, directoryRoles, directoryRoleTemplates, domainDnsRecords, domains, groups, groupSettings, groupSettingTemplates, localizations, oauth2PermissionGrants, organization, permissionGrants, scopedRoleMemberships, servicePrincipals, subscribedSkus, places, drives, shares, sites, schemaExtensions, groupLifecyclePolicies, filterOperators, functions, agreementAcceptances, agreements, dataPolicyOperations, subscriptions, connections, chats, teams, teamsTemplates
- In Processing, you can apply rules for breaking data into discrete events. For more information, see Datatypes.
- In Snapshots, you can set up API Snapshots.
- Select Save when finished.
Search Microsoft Graph API
Now that you have a Dataset Provider and Dataset, you’re ready to start searching.
Search results can start showing up within a second or two, but when the search completes depends on how much data there is in the account.