Exam SC-200
Question 271

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown in the following table.

You need to search for malicious activities in your organization.

Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?

    Correct Answer: A

    The MicrosoftGraphActivityLogs table primarily logs activities related to API calls that access Microsoft Graph resources. Tactic1 involves discovering misconfigured mailboxes, which would be captured by API calls to access mailbox settings and configurations logged in the MicrosoftGraphActivityLogs table. Tactic2 involves accessing Microsoft Teams data, which also falls under activities logged by Microsoft Graph API calls. However, Tactic3, which involves deleting Azure virtual machines, is more closely related to Azure Resource Management and would typically be logged in Azure activity logs rather than MicrosoftGraphActivityLogs. Therefore, only Tactic1 can be analyzed using the MicrosoftGraphActivityLogs table.
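
An added hunting sketch (not part of the original page) for the split the explanation describes: Graph API requests in MicrosoftGraphActivityLogs, VM deletions in AzureActivity. It assumes both tables are collected into a workspace you can query; the URI fragments used to label each tactic are assumptions chosen for illustration.

```kusto
// Query 1: Graph-side activity (mailbox settings reads, Teams chat message reads).
// The path fragments are illustrative assumptions; tune them to your environment.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(7d)
| extend Path = tolower(tostring(parse_url(RequestUri).Path))
| extend Tactic = case(
    Path contains "mailboxsettings" or Path contains "mailfolders",
        "Tactic1: mailbox discovery",
    Path contains "/chats" and Path contains "messages",
        "Tactic2: Teams chat search/export",
    "")
| where isnotempty(Tactic)
// Group by caller so one app or user sweeping many mailboxes or chats stands out.
| summarize Requests     = count(),
            DistinctUris = dcount(RequestUri),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated),
            StatusCodes  = make_set(ResponseStatusCode, 10)
    by Tactic, AppId, UserId, ServicePrincipalId, IPAddress
| order by DistinctUris desc

// Query 2 (run separately): VM deletions go through Azure Resource Manager,
// so they are searched for in AzureActivity rather than in the Graph table.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId,
          ResourceGroup, _ResourceId, ActivityStatusValue
| order by TimeGenerated desc
```

A high DistinctUris count for a single AppId or UserId in the first query is the signal worth triaging, since it indicates enumeration across many mailboxes or chats rather than normal single-user access.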

Discussion
90158a0
Option: E

From ChatGPT:

Tactic1: Discovers misconfigured mailboxes - This would involve API calls to access mailbox settings and configurations, which would be logged in the MicrosoftGraphActivityLogs table.

Tactic2: Searches Microsoft Teams chats and exports full conversations - This involves accessing Microsoft Teams data through API calls, which would also be logged in the MicrosoftGraphActivityLogs table.

Tactic3: Deletes Azure virtual machines - This is an action related to Azure Resource Management, which might not be directly logged in the MicrosoftGraphActivityLogs table. This activity is more likely to be found in Azure activity logs.

Why is there no option 1 and 2?