Generating Keys for Office 365 Deployment
- To generate the keys, first log in to the client's Azure portal and, from the navigation pane, select Azure Active Directory.
- From the Overview pane, choose App registrations > New registration.
- Under Supported account types, select the type of account that will use the application.
- In the Redirect URI section, select Web and enter https://localhost in the Web field.
- Click Register. The overview page for the new registration is displayed.
- Copy and store the Application (client) ID and Tenant ID values.
- Next, generate the client secret for the application.
- From the Manage pane, select Certificates & secrets > New client secret.
- Select an expiry period of 24 months, and then click Add.
- Copy the client secret value that is displayed; it is shown only at this point and cannot be retrieved later.
- Now specify the permissions that the Azure application needs in order to access the Microsoft Office 365 Management APIs.
- Navigate to Manage pane > API permissions > Add a permission.
- From the list of APIs, select Office 365 Management APIs.
- You are then offered two permission types: Delegated permissions and Application permissions.
- Select Delegated permissions and choose the required permissions.
- Then select Application permissions and choose the required permissions.
- Click Add permissions.
- Choose Grant admin consent and confirm with Yes.
- After consent is granted, the API permissions list shows the granted permissions.
Configuring Feed in Resolution Intelligence Cloud
1. Log in to the platform and choose your account type.
2. Navigate to Insights and click Threat Hunting in the left menu bar.
3. In the Threat Hunting screen, click Chronicle Search UI. You will be navigated to the Chronicle UI.
4. In the Chronicle UI, click the nine-dot menu at the top of the screen and select Settings from the dropdown menu.
5. In the Settings screen, click Feeds on the left of the screen.
6. From the Feeds page, click ADD NEW at the top of the screen. The ADD FEED window appears.
7. In the Set Properties tab, select the SOURCE TYPE from the dropdown menu to ingest data into your Chronicle account. The following source types are available:
- Amazon S3
- Amazon SQS
- Google Cloud Storage
- HTTP(S) Files (non-API)
- Microsoft Azure Blob Storage
- Third party API
8. Select the Log Type from the dropdown menu. The log types are populated based on the SOURCE TYPE you selected. Then click Next.
9. In the Input Parameters tab, fill in the mandatory fields. The options vary based on the Source Type and Log Type you selected; additional information about each field is available in the form.
Note: In the OAUTH CLIENT ID field, enter the Application (client) ID obtained during the O365 configuration above.
10. Click NEXT.
11. In the Finalize tab, review the feed configuration you have provided and click SUBMIT. Chronicle runs a validation check for the new feed. If validation succeeds, a name is generated for the feed and Chronicle attempts to fetch the data.
12. Repeat from step 7 to add each of the other content types one by one.
Sample Logs
The following is a sample log record that O365 sends to Chronicle.
{"Actor":[{"ID":"365ae654-4r8e-49c3-a322-088491a91b7a","Type":0},{"ID":"euser1@contoso.com","Type":5}],"ActorContextId":"2dr5fee6-1dd2-4f6e-9832-147151cb61ee","ActorIpAddress":"2a02:3r00:a884:500:f444:6d58:6ee7:af9a","ApplicationId":"89bff1f9-5e6e-4d8a-9f3d-ecd601059da7","AzureActiveDirectoryEventType":1,"ClientIP":"2a00:4d00:r114:400:f434:6e57:6dr7:am9a","CreationTime":"2023-07-13T13:14:28","DeviceProperties":[{"Name":"Id","Value":"50c506ad-fc64-48e4-87ab-4a7217rd2362"},{"Name":"DisplayName","Value":"ARD013004104900"},{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"1"},{"Name":"SessionId","Value":"26a8d19a-27d5-4d00-b65b-fr0645961c00"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.79"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"Id":"565e49bd-bn4e-4e0d-af42-0a1d11db1a00","InterSystemsId":"81a1e33a-0089-47f6-9763-e46fcefed6bb","IntraSystemId":"556e68be-ac2b-3c0d-ba53-0f1e11ab0b01","ModifiedProperties":[],"ObjectId":"5f09333a-842c-47da-a157-57da27ecbcb6","Operation":"UserLoggedIn","OrganizationId":"2ee5fdd6-1ff2-4c6a-9832-147151cb61ee","RecordType":15,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"6e09445c-842a-47da-a157-57da29fcaba5","Type":0}],"TargetContextId":"2ee5cdd6-2ff3-4f6e-9832-147151cb61ee","UserId":"euser@contoso.com","UserKey":"365ae653-4a8d-49b3-a322-088491a91b7a","UserType":0,"Version":1,"Workload":"AzureActiveDirectory"}
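To show what the feed above delivers to a hunter, here is an added Python example (not part of the original article or the Chronicle product) that flattens an Office 365 Management Activity record like the one shown into a hunting-friendly event and flags logons worth a closer look. The embedded record is a constructed, trimmed copy of the sample above with the same field layout.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the UserLoggedIn record above; the IDs are
# the page's anonymised placeholders, not real tenant or user values.
SAMPLE_RECORD = json.dumps({
    "ClientIP": "2a00:4d00:r114:400:f434:6e57:6dr7:am9a",
    "CreationTime": "2023-07-13T13:14:28",
    "DeviceProperties": [{"Name": "OS", "Value": "Windows 10"},
                         {"Name": "IsCompliantAndManaged", "Value": "True"}],
    "ErrorNumber": "0",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Authorize"}],
    "Operation": "UserLoggedIn", "RecordType": 15, "ResultStatus": "Success",
    "UserId": "euser@contoso.com", "Workload": "AzureActiveDirectory",
})

def props_to_dict(items):
    """Flatten O365's [{"Name": ..., "Value": ...}] arrays into a plain dict."""
    return {p["Name"]: p["Value"] for p in (items or [])}

def normalize(raw):
    """Flatten one Management Activity API record into an event for hunting."""
    rec = json.loads(raw) if isinstance(raw, str) else raw
    dev = props_to_dict(rec.get("DeviceProperties"))
    ext = props_to_dict(rec.get("ExtendedProperties"))
    return {
        # CreationTime carries no zone suffix; the API reports it in UTC.
        "time": datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc),
        "workload": rec.get("Workload"),
        "operation": rec.get("Operation"),
        "result": rec.get("ResultStatus"),
        "error": rec.get("ErrorNumber", "0"),
        "user": rec.get("UserId"),
        "client_ip": rec.get("ClientIP"),
        "request_type": ext.get("RequestType"),
        "device_os": dev.get("OS"),
        "compliant_managed": dev.get("IsCompliantAndManaged") == "True",
    }

def review(event):
    """Hunting flags for a normalised logon event; an empty list means clean."""
    flags = []
    if event["operation"] == "UserLoggedIn" and not event["compliant_managed"]:
        flags.append("logon_from_unmanaged_device")
    if event["result"] != "Success" or event["error"] != "0":
        flags.append("logon_failed")
    return flags
```

The same two helpers apply to the other Audit content types, since every record uses the Name/Value property arrays; only the flags in `review` are specific to AzureActiveDirectory logons.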