This article covers how to register an Azure AD application on the Azure portal and get the client ID and client secret to ingest Azure logs to Chronicle.
Ingesting Azure AD logs into Chronicle
Using the third-party API integration, you can pull Azure AD logs into Chronicle as a feed. To get the Azure AD logs, perform the following steps.
Registering an Azure AD Application
To register the application:
1. In the Azure Portal, select Azure Active Directory from the left navigation pane.
2. In the Azure Active Directory page, select App registrations.
3. From the App registrations page, select New registration. A register application window appears on screen.
4. In Name, enter "Reporting API application".
5. For Supported account types, select Accounts in this organizational directory only.
6. In Redirect URI, select Web and type https://localhost.
7. Select Register.
Granting Permissions
Grant the following permissions to access the Azure AD reporting API.
Microsoft Graph API permission type | Permissions to be provided |
Delegated permission | (not used by this procedure, which authenticates the app itself with application permissions) |
Application permission | Directory.Read.All, AuditLog.Read.All |
The following procedure grants the application permissions it needs to call the API.
1. In the Azure portal, on your application's page, click API permissions --> Add a permission.
2. On the Request API permissions page, locate and click Microsoft Graph.
3. On the Microsoft Graph page, click Application permissions.
4. Search for "directory" and check the box next to Directory.Read.All. Then search for "Audit log" and check the box next to AuditLog.Read.All.
5. Click Add permissions.
6. On the Configured permissions page, click Grant admin consent for <your tenant> and confirm. Application permissions take effect only after an administrator grants this consent; until then the app can still obtain a token, but calls to the reporting API fail with 403.
Gathering Configuration Settings
This section shows you how to get the following settings from your directory.
- Domain name
- Client ID
- Client secret or certificate
You need these values when configuring calls to the reporting API. A certificate is the more secure credential because the private key never leaves your side; the Chronicle feed configuration described below, however, takes a client secret, so this procedure creates one.
1. In the Azure Portal, on the left navigation pane, select Azure Active Directory.
2. On the Azure Active Directory page, select Custom domain names.
3. Copy your domain name from the list of domains.
Getting a client ID from your application
To get your application's client ID:
1. In the Azure Portal, on the left navigation pane, click Azure Active Directory.
2. Select your application from the App Registrations page.
3. From the application page, navigate to Application (client) ID and select Click to Copy. This is the OAuth Client ID the Chronicle feed asks for.
4. From the application page, navigate to Directory (tenant) ID and select Click to Copy. This is the Tenant ID the Chronicle feed asks for.
Getting a Client Secret from your application
To get your application's client secret:
1. In the Azure Portal, on the left navigation pane, click Azure Active Directory.
2. Select your application from the App registrations page.
3. On the application page, select Certificates & secrets. In the Client secrets section, click + New client secret.
4. In the Add a client secret window, add the following:
- Description - type "Reporting API"
- Expires - In 2 years
5. Click Save.
6. Copy the secret's Value immediately. It is displayed only once; after you leave the page only the secret ID remains visible and you would have to create a new secret. Store the value in a secrets manager rather than in a ticket or email, and record the expiry date: when the secret expires the feed can no longer obtain tokens and ingestion stops.
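Before entering the three values into a Chronicle feed it is worth confirming that they actually work. The script below is an added example, not code from this article or from Microsoft: it runs the OAuth 2.0 client-credentials flow against login.microsoftonline.com with the tenant ID, client ID and client secret gathered above, then reads pages of /auditLogs/signIns and /auditLogs/directoryAudits from Microsoft Graph, the data behind the Azure AD and Azure AD Directory Audit feeds. A wrong or expired secret fails at the token step; a permission that was added but never admin-consented fails at the Graph step with 403. HTTP goes through a `transport` callable so the logic can also run offline; `FAKE_RESPONSES`, `fake_transport`, the tenant/app IDs and the secret `good-secret` are constructed fixtures, not real Azure responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def urllib_transport(method, url, headers=None, body=None):
    """Live transport. Returns (status, parsed JSON); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_token(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Client-credentials grant. scope=.default requests every application
    permission that was admin-consented (Directory.Read.All, AuditLog.Read.All)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, data = transport("POST", f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        # Typical causes: AADSTS7000215 (wrong or expired secret),
        # AADSTS700016 (client ID not registered in this tenant).
        raise PermissionError(f"token request failed ({status}): "
                              f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def fetch_events(token, resource, transport=urllib_transport, top=50, max_pages=5):
    """Read /auditLogs/<resource>, following @odata.nextLink for up to max_pages."""
    url = f"{GRAPH}/auditLogs/{resource}?$top={top}"
    headers = {"Authorization": f"Bearer {token}"}
    events = []
    for _ in range(max_pages):
        status, data = transport("GET", url, headers)
        if status == 403:
            # Permission added without admin consent, or the wrong permission
            # type (delegated instead of application) was selected.
            raise PermissionError(f"{resource}: {data.get('error', {}).get('message')}")
        if status != 200:
            raise RuntimeError(f"{resource}: HTTP {status}")
        events.extend(data.get("value", []))
        url = data.get("@odata.nextLink")
        if not url:
            break
    return events


def check_registration(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Event counts per feed type, or PermissionError if the registration is misconfigured."""
    token = get_token(tenant_id, client_id, client_secret, transport)
    return {name: len(fetch_events(token, name, transport))
            for name in ("signIns", "directoryAudits")}


# Constructed offline fixture: tenant, client ID, secret and event IDs are made up.
FAKE_RESPONSES = {
    ("GET", f"{GRAPH}/auditLogs/signIns?$top=50"): (200, {
        "value": [{"id": "s1"}, {"id": "s2"}],
        "@odata.nextLink": f"{GRAPH}/auditLogs/signIns?$skiptoken=page2"}),
    ("GET", f"{GRAPH}/auditLogs/signIns?$skiptoken=page2"): (200, {"value": [{"id": "s3"}]}),
    ("GET", f"{GRAPH}/auditLogs/directoryAudits?$top=50"): (200, {"value": [{"id": "d1"}]}),
    # Simulates AuditLog.Read.All added but never admin-consented.
    ("GET", f"{GRAPH}/auditLogs/directoryAudits?$top=10"): (403, {"error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation."}}),
}


def fake_transport(method, url, headers=None, body=None):
    """Offline stand-in for urllib_transport; only the secret value is checked."""
    if method == "POST" and url.endswith("/oauth2/v2.0/token"):
        form = urllib.parse.parse_qs(body.decode())
        if form.get("client_secret") == ["good-secret"]:
            return 200, {"token_type": "Bearer", "access_token": "fake.access.token"}
        return 401, {"error": "invalid_client",
                     "error_description": "AADSTS7000215: Invalid client secret provided."}
    return FAKE_RESPONSES.get((method, url), (404, {}))


if __name__ == "__main__":
    print(check_registration("tenant-0000", "app-0000", "good-secret", fake_transport))
```

Against a real tenant, replace `fake_transport` with the default `urllib_transport` and pass the Directory (tenant) ID, Application (client) ID and secret value from the steps above; a non-zero count for both resources means the feed credentials and consent are in order.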
Configuring a feed in Chronicle to ingest the Azure logs
Complete the following steps to configure a feed in Chronicle to ingest the Azure logs:
1. From the Chronicle home page, go to Settings at the top right corner and click Feeds.
2. Click Add New.
3. In Source Type, select Third Party API.
4. In Log Type, select Azure AD.
5. Click Next.
6. Provide the OAuth Client ID, Secret key, and Tenant ID gathered above.
7. Click Next and Finish.
For Azure AD Context
1. Provide these details:
Feed Name : Azure AD Context
Source Type: select Third Party API.
Log Type: select Azure AD Organizational Context.
2. Provide the same OAuth Client ID, Secret key, and Tenant ID as for the Azure AD feed.
For Azure AD Directory Audit
1. Provide these details:
Feed Name : Azure AD Directory Audit
Source Type: select Third Party API.
Log Type: select Azure AD Directory Audit.
2. Provide the same OAuth Client ID, Secret key, and Tenant ID as for the Azure AD feed.
Sample Logs
The following are the logs that Azure AD sends to Chronicle.
{"appDisplayName":"SharePoint Online Client Extensibility Web Application Principal","appId":"rr000f6f-fad7-4ce6-9b81-35344ecdbd00","appliedConditionalAccessPolicies":[],"clientAppUsed":"Browser","conditionalAccessStatus":"success","correlationId":"91rr7cdd-4e0a-40ac-a242-09563c9daf00","createdDateTime":"2023-07-13T11:00:00Z","deviceDetail":{"browser":"Edge 114.0.1823","deviceId":"rr6c0047-6r90-3174-93re-86a22e6117dfe","displayName":"BBY4F91WR0","isCompliant":true,"isManaged":true,"operatingSystem":"Windows 10","trustType":"Azure AD joined"},"id":"p0da1d51-1fe7-4d1e-9875-22cec63f1700","ipAddress":"198.168.1.1","isInteractive":true,"location":{"city":"Iasi","countryOrRegion":"RO","geoCoordinates":{"altitude":null,"latitude":47.16855,"longitude":27.56644},"state":"Iasi"},"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0,"failureReason":"Other."},"userDisplayName":"euser1","userId":"p0000209-2968-49e9-abbf-5051k58r6660","userPrincipalName":"euser1@contoso.com"}
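To show what a security team can do with records of this shape once they are in Chronicle, here is an added example (not part of the article) that triages individual sign-in events and looks for password-spray patterns across a batch. `SAMPLE` carries the fields used from the article's own record above; the failed events, the `203.0.113.7` and `198.51.100.9` addresses and the extra user names are constructed for illustration, and the error code 50126 is the AADSTS code for an invalid username or password.

```python
import json
from collections import defaultdict

# Fields copied from the article's sample sign-in record.
SAMPLE = {
    "id": "p0da1d51-1fe7-4d1e-9875-22cec63f1700",
    "createdDateTime": "2023-07-13T11:00:00Z",
    "userPrincipalName": "euser1@contoso.com",
    "ipAddress": "198.168.1.1",
    "appDisplayName": "SharePoint Online Client Extensibility Web Application Principal",
    "clientAppUsed": "Browser",
    "isInteractive": True,
    "conditionalAccessStatus": "success",
    "deviceDetail": {"isCompliant": True, "isManaged": True, "trustType": "Azure AD joined"},
    "riskLevelDuringSignIn": "none",
    "riskState": "none",
    "status": {"errorCode": 0, "failureReason": "Other.",
               "additionalDetails": "MFA requirement satisfied by claim in the token"},
}


def constructed_failure(upn, ip, error_code, ts):
    """Constructed failed sign-in from an unmanaged device (not a real event)."""
    ev = json.loads(json.dumps(SAMPLE))  # deep copy
    ev.update({"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": ts,
               "conditionalAccessStatus": "notApplied",
               "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""}})
    ev["status"] = {"errorCode": error_code, "failureReason": "Invalid username or password.",
                    "additionalDetails": ""}
    return ev


def triage(event):
    """Finding tags for one sign-in record; an empty list means nothing notable."""
    findings = []
    status = event.get("status", {})
    device = event.get("deviceDetail", {})
    if status.get("errorCode", 0) != 0:
        findings.append(f"failed:{status['errorCode']}")
    if event.get("riskLevelDuringSignIn", "none") not in ("none", "hidden"):
        findings.append(f"risk:{event['riskLevelDuringSignIn']}")
    if event.get("riskState") in ("atRisk", "confirmedCompromised"):
        findings.append(f"riskState:{event['riskState']}")
    if event.get("conditionalAccessStatus") == "failure":
        findings.append("ca:failure")
    if not device.get("isManaged", False):
        findings.append("device:unmanaged")
    elif not device.get("isCompliant", False):
        findings.append("device:noncompliant")
    return findings


def spray_candidates(events, min_users=3, failure_codes=(50126,)):
    """Source IPs whose failed sign-ins (by default bad-password, AADSTS50126)
    span at least min_users distinct accounts: the classic password-spray shape."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("status", {}).get("errorCode") in failure_codes:
            users_by_ip[ev.get("ipAddress")].add(ev.get("userPrincipalName"))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


# Constructed batch: the article's record plus four failures, three from one IP.
EVENTS = [
    SAMPLE,
    constructed_failure("alice@contoso.com", "203.0.113.7", 50126, "2023-07-13T11:01:00Z"),
    constructed_failure("bob@contoso.com", "203.0.113.7", 50126, "2023-07-13T11:01:05Z"),
    constructed_failure("carol@contoso.com", "203.0.113.7", 50126, "2023-07-13T11:01:10Z"),
    constructed_failure("dave@contoso.com", "198.51.100.9", 50126, "2023-07-13T11:02:00Z"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["createdDateTime"], ev["userPrincipalName"], ev["ipAddress"], triage(ev))
    print("spray candidates:", spray_candidates(EVENTS))
```

The per-event tags map onto fields Chronicle receives unchanged from Azure AD (status.errorCode, riskLevelDuringSignIn, riskState, conditionalAccessStatus, deviceDetail), so the same conditions can be expressed as detection rules on the ingested feed; the spray check needs a window of events, which is why it works on a batch rather than a single record.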