Azure AD logs (can also be used for MS Graph)
July 3, 2018 at 9:02 pm #1667
Mike Riforgiate
Keymaster

Create the App in Azure
- https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
- Click New registration
- Name it WitFoo Precinct (Azure AD)
- Select who can use the application (access the API)
- Select Web and enter the Redirect URI as https://PrecinctIP/v1/api/azure_auth (Note: replace PrecinctIP with the IP address or FQDN of your Precinct appliance)
- Click “Register”
- Under Certificates & secrets click New client secret (give it a description and expiration, then click Add)
- Save the Secret ID
- Go to API permissions.
- Click on Microsoft Graph, Application Permissions, and add the following:
  - Auditlog: Auditlog.Read.All
  - SecurityEvents: SecurityEvents.Read.All
  - Directory: Directory.Read.All
- Click Update permissions (make sure the status shows each permission is granted for your organization)
Configure WitFoo Precinct
- Go to Admin > SOAR > Azure Active Directory > Config
- Click the checkbox for Enable Azure AD Log Integration
- Paste the Application (client) ID, Secret key and Tenant ID
- NOTE: Tenant ID can be found by navigating to Azure Portal > Azure Active Directory > Properties
- Click the disk icon (Save)
- Click Jobs and go to Artifacts from Microsft Azure.
- Select Triggers, expanding Manual Trigger and Interval Trigger.
- Toggle both to State: ENABLED
- The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 5 minutes)
- Click the disk icon (Save)
Testing the Configuration
While still in Jobs > Artifacts from Microsft Azure
- Click the “paper airplane” to execute the Manual Trigger
- Go to Execution History
- Within a couple of minutes, you should see “State Machine completed successfully just now”
- Failure – Will be indicated by a message pop-up displaying fail code
- Fail code can also be seen by expanding the line in Execution History, expanding Job Result Data