Azure AD logs (can also be used for MS Graph)

[Mike Riforgiate]

Create the App in Azure

• https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
• Click New registration
• Name it WitFoo Precinct (Azure AD)
• Select who can use the application (access the API)
• Select Web and enter the Redirect URI as https://PrecinctIP/v1/api/azure_auth (Note: replace PrecinctIP with the IP address or FQDN of your Precinct appliance)
• Click “Register”
• Under Certificates & secrets click New client secret (give it a description and expiration, then click Add)
  • Save the Secret ID

• Go to API permissions.
  • Click on Microsoft Graph, Application Permissions, and add the following:
    • Auditlog: Auditlog.Read.All
    • SecurityEvents: SecurityEvents.Read.All
    • Directory: Directory.Read.All
• Click Update permissions (Making sure the status shows each permission is granted for your organization)

Configure WitFoo Precinct

• Go to Admin->SOAR->Azure Active Directory>Config
• Click the checkbox for Enable Azure AD Log Integration
• Paste the Application (client) ID, Secret key and Tenant ID
  • NOTE: Tenant ID can be found by navigating to Azure Portal > Azure Active Directory > Properties
• Click the disk icon (Save)
• Click Jobs and go to Artifacts from Microsft Azure.
• Select Triggers, expanding Manual Trigger and Interval Trigger. 
  • Toggle both to State: ENABLED
• The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 5 minutes)
• Click the disk icon (Save)

Testing the Configuration

While still in Jobs > Artifacts from Microsft Azure

• Click the “paper airplane” to execute the Manual Trigger
• Go to Execution History
• Within a couple of minutes, you should see “State Machine completed successfully just now”
  • Failure – Will be indicated by a message pop-up displaying fail code
  • Fail code can also be seen by expanding the line in Execution History, expanding Job Result Data

[Author]

Posts