Overview
This topic describes how to collect Microsoft Graph Security API alert logs by setting up a Chronicle feed.
Prerequisites
- Administrator login credentials for the Azure tenant.
- An Azure AD Premium P1 or P2 license.
Generating Keys for Microsoft Graph API Alerts
- To generate the keys, first sign in to the client's Azure portal and select Azure Active Directory from the navigation pane.
- From the Overview pane, select App registrations > New registration.
- Under Supported account types, select which account types can use the application.
- In the Redirect URI section, select Web and enter https://localhost in the Web field.
- Click Register. The overview page of the new application appears.
- Copy and store the Application (client) ID and Directory (tenant) ID values.
- Next, generate a client secret for the application.
- From the Manage pane, select Certificates & secrets > New client secret.
- Select an expiry period of 24 months, and then click Add.
- Copy the client secret Value as shown below; the value is displayed only once, immediately after creation.
- Next, specify the API permissions the application needs to read Microsoft Graph API alerts.
- From the Manage pane, select API permissions > Add a permission.
- Select Microsoft Graph as the API.
- Two permission types are offered.
- Select Application permissions and choose the permissions shown below.
- Click Add permissions.
- Select Grant admin consent and confirm with Yes.
- Once consent has been granted, the permissions list shows the status below.
Configuring the Feed in Chronicle
In the Chronicle UI, go to Settings > Feeds in the left-hand menu.
- On the Feeds page, click ADD NEW at the top of the screen. The ADD FEED window appears.
- Select Third party API as the SOURCE TYPE and Microsoft Graph API Alerts as the LOG TYPE.
Provide the following fields:
OAUTH CLIENT ID: The Application (client) ID you copied.
OAUTH CLIENT SECRET: The client secret Value you copied.
TENANT ID: The Directory (tenant) ID you copied.
API FULL PATH: graph.microsoft.com/v1.0/security/alerts
API AUTHENTICATION ENDPOINT: https://login.microsoftonline.com/{tenantId}/oauth2/token
Note: OAUTH CLIENT ID, OAUTH CLIENT SECRET and TENANT ID are required; API FULL PATH and API AUTHENTICATION ENDPOINT are optional.
- Click Next, and then click Submit.
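Before wiring the credentials into Chronicle, it is worth confirming that the app registration, secret and admin-consented permission actually work. The following script is an added example (not part of this page or of Chronicle) that performs the same client-credentials token exchange and alerts request the feed fields describe, using only the Python standard library; the PLACEHOLDER credentials and SAMPLE_PAGE response are constructed values.

```python
# Added example: the client-credentials token exchange and alerts request that the
# Chronicle feed fields above describe (standard library only; placeholder credentials).
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenantId}/oauth2/token"  # feed form value
API_FULL_PATH = "graph.microsoft.com/v1.0/security/alerts"                    # feed form value
# Constructed sample of one Graph response page (not real alert data).
SAMPLE_PAGE = '{"value": [{"id": "a1", "severity": "high", "title": "Test alert"}],' \
              ' "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/alerts?$skip=1"}'

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v1 client-credentials grant.
    The v1 token endpoint takes 'resource', not the v2 'scope' parameter."""
    url = TOKEN_ENDPOINT.replace("{tenantId}", tenant_id)
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": "https://graph.microsoft.com"}
    return url, urllib.parse.urlencode(form).encode()

def build_alerts_request(access_token, api_full_path=API_FULL_PATH):
    """Return (url, headers); the feed's path omits the scheme, so prepend https://."""
    url = api_full_path if "://" in api_full_path else "https://" + api_full_path
    return url, {"Authorization": "Bearer " + access_token, "Accept": "application/json"}

def parse_alerts_page(body):
    """Return (alerts, next_link); Graph pages large result sets via @odata.nextLink."""
    page = json.loads(body)
    return page.get("value", []), page.get("@odata.nextLink")

def fetch_all_alerts(tenant_id, client_id, client_secret):
    """Network call: obtain a token, then follow every page of security alerts."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    url, headers = build_alerts_request(token)
    alerts = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            page, url = parse_alerts_page(resp.read())
        alerts.extend(page)
    return alerts

if __name__ == "__main__":
    # Replace the placeholders with the values copied from the Azure portal.
    for alert in fetch_all_alerts("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                                  "CLIENT_SECRET_PLACEHOLDER"):
        print(alert.get("severity"), alert.get("title"))
```

An error from the token endpoint points at the client ID, secret or tenant ID; a 403 from the alerts request usually means the application permission has not been granted admin consent.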