Azure AD logs

[Mike Riforgiate]

Create the App in Azure

• https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
• Click New registration
• Name it WitFoo Precinct (Azure AD)
• Select who can use the application (access the API)
• Select Web and enter the Redirect URI as https://PrecinctIP/v1/api/azure_auth (Note: replace PrecinctIP with the IP address or FQDN of your Precinct appliance)
• Click “Register”
• Under Certificates & secrets click New client secret (give it a description and expiration, then click Add)
  • Save the Secret ID

• Go to API permissions.
  • Click on Microsoft Graph and add the following minimum permissions:
    • Auditlog: Auditlog.Read.All
    • SecurityEvents: SecurityEvents.Read.All
    • Directory: Directory.Read.All
• Click Update permissions (Making sure the status shows each permission is granted for your organization)

Configure WitFoo Precinct

• Go to Admin->SOAR->Azure Active Directory>Config
• Click the checkbox for Enable Azure AD Log Integration
• Paste the Application (client) ID, Secret key and Directory (tenant) ID
• Click the disk icon (Save)
• Click Jobs and go to Artifacts from Microsft Azure.
• Select Triggers, expanding Manual Trigger and Interval Trigger. 
  • Toggle both to State: ENABLED
• The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 5 minutes)
• Click the disk icon (Save)
• Within 1 hour “Azure” should be listed as an Artifact Source under Report->Tool Effectiveness->Artifact Source Types

Testing the Configuration

While still in Jobs > Artifacts from Microsft Azure

• Click the “paper airplane” to execute the Manual Trigger
• Go to Execution History
• Within a couple of minutes, you should see “State Machine completed successfully just now”
  • Failure – Will be indicated by a message pop-up displaying fail code
  • Fail code can also be seen by expanding the line in Execution History, expanding Job Result Data

[Author]

Posts