Azure AD logs

  • #1667
    Mike Riforgiate
    Keymaster

    Create the App in Azure

    • Go to API permissions.
      • Click on Microsoft Graph and add the following minimum permissions:
        • AuditLog: AuditLog.Read.All
        • SecurityEvents: SecurityEvents.Read.All
        • Directory: Directory.Read.All
    • Click Update permissions (make sure the status shows each permission is granted for your organization)

    Configure WitFoo Precinct

    • Go to Admin->SOAR->Azure Active Directory->Config
    • Click the checkbox for Enable Azure AD Log Integration
    • Paste the Application (client) ID, Secret key and Directory (tenant) ID
    • Click the disk icon (Save)
    • Click Jobs and go to Artifacts from Microsft Azure.
    • Select Triggers, expanding Manual Trigger and Interval Trigger. 
      • Toggle both to State: ENABLED
    • The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 5 minutes)
    • Click the disk icon (Save)
    • Within 1 hour “Azure” should be listed as an Artifact Source under Report->Tool Effectiveness->Artifact Source Types

    Testing the Configuration

    While still in Jobs > Artifacts from Microsft Azure

    • Click the “paper airplane” to execute the Manual Trigger
    • Go to Execution History
    • Within a couple of minutes, you should see “State Machine completed successfully just now”
      • Failure – Will be indicated by a message pop-up displaying fail code
      • Fail code can also be seen by expanding the line in Execution History, expanding Job Result Data
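
One way to confirm the "granted for your organization" step before enabling the triggers, as an added example that is not part of the original post or of WitFoo Precinct: decode an app-only access token issued to the registered app and compare its `roles` claim with the three permissions listed above. The helper names, the placeholder IDs and the sample token are constructed for illustration, and the signature is not verified, so this is a diagnostic read of the claims, not token validation.

```python
import base64
import json

# Application permissions the post lists as the minimum for the integration.
REQUIRED_ROLES = {"AuditLog.Read.All", "SecurityEvents.Read.All", "Directory.Read.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_app_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Read an app-only token's claims. Diagnostic only: signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    roles = set(claims.get("roles", []))  # application permissions land in 'roles'
    return {
        "missing": sorted(REQUIRED_ROLES - roles),   # consent not granted yet
        "extra": sorted(roles - REQUIRED_ROLES),     # more than the stated minimum
        "tenant_ok": claims.get("tid") == tenant_id,
        "client_ok": claims.get("appid", claims.get("azp")) == client_id,
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed-signature"])


# Constructed placeholder IDs, not real tenant or application values.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"

if __name__ == "__main__":
    # Constructed case: Directory.Read.All was added but admin consent is missing.
    sample = make_sample_token({
        "tid": TENANT, "appid": CLIENT,
        "roles": ["AuditLog.Read.All", "SecurityEvents.Read.All"],
    })
    print(inspect_app_token(sample, TENANT, CLIENT))
```

An empty `missing` list with `tenant_ok` and `client_ok` both true means the app can read what the integration needs; anything in `extra` is a permission beyond the minimum the post lists and worth removing from the app registration.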
