Create the App in Azure

- Go to API permissions.
- Click on Microsoft Graph, Application Permissions, and add the following:
  - AuditLog: AuditLog.Read.All
  - SecurityEvents: SecurityEvents.Read.All
  - Directory: Directory.Read.All
- Click Update permissions, then confirm the status shows each permission is granted for your organization.
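
One way to confirm the grant outside the portal, as an added example (not WitFoo or Microsoft code): an app-only Microsoft Graph access token lists its granted application permissions in the `roles` claim, so a token requested with the Application (client) ID, secret and Tenant ID should carry all three permissions above. The function names and the constructed sample token are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions this page asks for on Microsoft Graph.
REQUIRED = ("AuditLog.Read.All", "SecurityEvents.Read.All", "Directory.Read.All")


def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the Microsoft identity platform token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]


def granted_roles(access_token):
    """Read the 'roles' claim. Inspection only: the signature is not verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {r.casefold() for r in claims.get("roles", [])}


def missing_permissions(access_token):
    """Required permissions absent from the token, i.e. not granted to the app."""
    roles = granted_roles(access_token)
    return sorted(p for p in REQUIRED if p.casefold() not in roles)


def constructed_token(roles):
    """Build an unsigned sample token (constructed data) for offline runs."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "constructed"])


if __name__ == "__main__":
    # Constructed sample: SecurityEvents.Read.All was never consented.
    sample = constructed_token(["AuditLog.Read.All", "Directory.Read.All"])
    print("missing:", missing_permissions(sample))
```

Against a real tenant, pass the result of `fetch_token(...)` to `missing_permissions`; an empty list means all three permissions were granted.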

Configure WitFoo Precinct
- Go to Admin > SOAR > Azure Active Directory > Config
- Click the checkbox for Enable Azure AD Log Integration
- Paste the Application (client) ID, Secret key and Tenant ID
- Click the disk icon (Save)
- Click Jobs and go to Artifacts from Microsoft Azure.
- Select Triggers, expanding Manual Trigger and Interval Trigger.
- Toggle both to State: ENABLED
- The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 5 minutes)
- Click the disk icon (Save)


Testing the Configuration
While still in Jobs > Artifacts from Microsoft Azure:
- Click the “paper airplane” to execute the Manual Trigger
- Go to Execution History
- Within a couple of minutes, you should see “State Machine completed successfully just now”
- A failure is indicated by a pop-up message displaying the fail code.
- The fail code can also be seen by expanding the line in Execution History and then expanding Job Result Data.
