🔥 3-day streak
Microsoft Security Operations Analyst114 / 190
Question 114 of 190

During an incident, you determine that an attacker used a stolen access token to call Microsoft Graph APIs and enumerate user and group objects in Entra ID over the past week. In the Microsoft Purview portal you attempt to build an audit search but cannot find granular records of the individual Graph API endpoint calls the attacker made. Which data source should you use to identify the specific Microsoft Graph REST API requests, including the endpoints and client application, associated with the compromised identity?

Reviewed for accuracy · Report an issueNext question