Guardian 365 uses both the Microsoft Graph security API and the newer Microsoft Defender APIs to monitor and protect a customer's environment. These APIs are accessed through an application (service principal) registered in the customer's Entra ID tenant. The permissions granted to that application are chosen to mirror the Security Administrator role, so the service has the appropriate level of access to protect the environment. Alerts and incidents are polled from these APIs at regular intervals. The data contained in an event depends on the threat type, but only information about the affected objects (such as the users and mailboxes involved) is captured. Once an event is received, the service collects secondary log data relevant to that event. This secondary data can come from:
- Audit Logs
- URL Click Events
- Sign-In Logs
- Inbox Rules
Additionally, email messages analysed by Microsoft Defender for Office 365 are collected and supplemented with the following properties of the message object:
- Links
- Message ID
- Folder ID
- Sender
- From
- toRecipients
- ccRecipients
- bccRecipients
- replyTo
All secondary data collected is attached to the same record as the originating event, and a 30-day TTL (time-to-live) is applied to it; when the TTL expires, the record is deleted from our database automatically. Because data is collected with an application identity, the customer's own audit and sign-in logs show the application (its service principal) as the actor rather than a named user account. Forsyte ensures transparency by auditing every action the application takes and making that audit trail available to customers on request. In addition, a comment is written automatically to each event whenever an action is taken on it.
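The collection flow described above (event received, affected users identified, secondary data scoped to those users, a 30-day TTL attached, application actions audited and commented) can be sketched in code. The example below is added here for illustration and is not Guardian 365's or Forsyte's own code. It makes no API calls: the alert, sign-in log entries, inbox rules and message are constructed inline and shaped like the corresponding Microsoft Graph resources, and the `owner` field on inbox rules and the per-mailbox keying of messages are assumptions standing in for the mailbox each item was fetched from.

```python
"""Added example: enrich a security alert with secondary data, apply a
retention TTL and audit application actions. All inputs are constructed;
nothing here calls Microsoft Graph."""
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)
# Hypothetical application (client) id of the collecting app registration.
APP_ID = "00000000-0000-0000-0000-000000000001"
# Graph message properties retained from each analysed email (the list above).
MESSAGE_FIELDS = ("id", "parentFolderId", "sender", "from",
                  "toRecipients", "ccRecipients", "bccRecipients", "replyTo")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_ALERT = {  # constructed; evidence uses the Graph security alert shape
    "id": "alert-001",
    "title": "Suspicious inbox manipulation rule",
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"userPrincipalName": "Alice@contoso.example"}},
        {"@odata.type": "#microsoft.graph.security.ipEvidence",
         "ipAddress": "203.0.113.7"},
    ],
}
SAMPLE_SIGN_INS = [  # constructed Graph signIn entries for two users
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.4"},
]
SAMPLE_INBOX_RULES = [  # constructed; 'owner' is the mailbox the rule came from
    {"owner": "alice@contoso.example", "displayName": ".",
     "actions": {"moveToFolder": "RSS Feeds"}},
]
SAMPLE_MESSAGES = {  # constructed; keyed by mailbox, values shaped like Graph messages
    "alice@contoso.example": [{
        "id": "AAMk-msg-1", "parentFolderId": "AAMk-inbox",
        "sender": {"emailAddress": {"address": "payroll@evil.example"}},
        "from": {"emailAddress": {"address": "payroll@evil.example"}},
        "toRecipients": [{"emailAddress": {"address": "alice@contoso.example"}}],
        "ccRecipients": [], "bccRecipients": [], "replyTo": [],
        "subject": "Update your direct deposit",
        "body": {"contentType": "html",
                 "content": '<a href="https://evil.example/login">Sign in</a>'
                            ' or https://evil.example/login'},
    }],
}


def affected_objects(alert):
    """Return the (lower-cased) user principal names named in userEvidence."""
    upns = set()
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type") == "#microsoft.graph.security.userEvidence":
            upns.add(ev["userAccount"]["userPrincipalName"].lower())
    return sorted(upns)


def extract_message_fields(message):
    """Keep only the listed message properties plus the URLs in the body;
    subject and body text themselves are dropped (data minimisation)."""
    kept = {k: message[k] for k in MESSAGE_FIELDS if k in message}
    body = message.get("body", {}).get("content", "")
    kept["links"] = sorted(set(URL_RE.findall(body)))
    return kept


def enrich_alert(alert, sign_ins, inbox_rules, messages_by_mailbox, now):
    """Build one record: the alert, secondary data scoped to the affected
    users, and an expiry timestamp RETENTION after collection."""
    users = affected_objects(alert)
    secondary = {
        "signIns": [s for s in sign_ins if s["userPrincipalName"].lower() in users],
        "inboxRules": [r for r in inbox_rules if r["owner"].lower() in users],
        "messages": [extract_message_fields(m)
                     for u in users for m in messages_by_mailbox.get(u, [])],
    }
    return {"alertId": alert["id"], "affectedObjects": users,
            "secondary": secondary, "collectedAt": now,
            "expiresAt": now + RETENTION}


def purge_expired(records, now):
    """Emulate the database TTL: drop records whose expiry has passed."""
    return [r for r in records if r["expiresAt"] > now]


def log_action(record, action, app_id, now):
    """Audit an action taken through the application and auto-comment the
    event, so the customer can see which app acted even though their own
    logs show only the service principal."""
    entry = {"at": now, "actor": app_id, "action": action,
             "comment": f"{action} performed by application {app_id}"}
    record.setdefault("actions", []).append(entry)
    return entry


if __name__ == "__main__":
    rec = enrich_alert(SAMPLE_ALERT, SAMPLE_SIGN_INS, SAMPLE_INBOX_RULES,
                       SAMPLE_MESSAGES, NOW)
    log_action(rec, "disable inbox rule", APP_ID, NOW)
    print(rec["affectedObjects"], rec["secondary"]["messages"][0]["links"],
          rec["expiresAt"].isoformat(), rec["actions"][0]["comment"])
```

Only Alice's sign-ins, rules and mail survive the filtering because she is the only user named in the alert evidence; the message's subject and body are not retained, only the deduplicated links and the listed header properties. The comparison in `purge_expired` is strict, so a record is dropped the moment its TTL has elapsed.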