...

| Log Type | Ingestion label | Preferred Logging Protocol - Format | Log Collection Method | Data Source |
|---|---|---|---|---|
| Azure AD | AZURE_AD | API - JSON | C2C | Feed management API (Chronicle, Google Cloud): https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad |
| Azure AD Directory Audit | AZURE_AD_AUDIT | API - JSON | C2C | Feed management API (Chronicle, Google Cloud): https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-audit |
| Azure AD Organizational Context | AZURE_AD_CONTEXT | API - JSON | C2C | Feed management API (Chronicle, Google Cloud): https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-context |

Device Configuration

For Microsoft Entra ID via 3RD Party API (Preferred):

...

To access the Microsoft Entra reporting API, you must grant your app the "Read directory data" and "Read all audit log data" permissions for the Microsoft Graph API.

  1. Select API Permissions > Add a permission

...

  1. Select Microsoft Graph > Application permissions.

  2. Select the Application permissions option.

  3. Add AuditLog.Read.All, Directory.Read.All and SecurityEvents.Read.All, then select the Add permissions button.

...

Parameters required from the customer for the integration.

For Microsoft Entra ID via 3RD Party API (Preferred):

| Property | Default Value | Description |
|---|---|---|
| OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
| OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app to use for the integration. |
| TENANT ID | N/A | Specify the Entra ID (tenant ID). To find it, go to the Entra ID page > App Registration > Application you configured for your integration > Directory (tenant) ID. |
| API FULL PATH | In case of AZURE_AD: graph.microsoft.com/v1.0/auditLogs/signIns. In case of AZURE_AD_AUDIT: graph.microsoft.com/v1.0/auditLogs/directoryAudits | API full path |
| API AUTHENTICATION ENDPOINT | login.microsoftonline.com | |
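The following is an added example, not Chronicle's or Microsoft's code, showing how the parameters in the table above fit together: a sanity check of the customer-supplied values (in particular the "secret value, not secret ID" mistake the table warns about, which is detectable because the secret ID is a GUID while the secret value is not) and the two requests the feed must make, an OAuth 2.0 client-credentials token request to login.microsoftonline.com followed by a GET on the Graph API full path. The functions only build and return the requests; nothing is sent, and the sample values are constructed. The function names and the GUID heuristic are this example's own assumptions.

```python
"""Added example (not Chronicle's or Microsoft's code): check AZURE_AD /
AZURE_AD_AUDIT feed parameters and build the token + Graph requests offline."""
import re
from urllib.parse import urlencode

# Expected API full path per log type, copied from the parameters table.
EXPECTED_API_PATH = {
    "AZURE_AD": "graph.microsoft.com/v1.0/auditLogs/signIns",
    "AZURE_AD_AUDIT": "graph.microsoft.com/v1.0/auditLogs/directoryAudits",
}
AUTH_ENDPOINT = "login.microsoftonline.com"

# Client IDs, tenant IDs and client secret *IDs* are all GUIDs; secret *values* are not.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def check_feed_params(log_type, client_id, client_secret, tenant_id,
                      api_full_path, auth_endpoint=AUTH_ENDPOINT):
    """Return a list of problems; an empty list means the parameters look sane."""
    problems = []
    if log_type not in EXPECTED_API_PATH:
        problems.append(f"unknown log type {log_type!r}")
    elif api_full_path != EXPECTED_API_PATH[log_type]:
        problems.append(f"API FULL PATH {api_full_path!r} does not match {log_type}")
    if not GUID_RE.match(client_id):
        problems.append("OAUTH CLIENT ID is not a GUID (application/client ID)")
    if not GUID_RE.match(tenant_id):
        problems.append("TENANT ID is not a GUID (directory/tenant ID)")
    # The mistake the table warns about: pasting the secret ID (a GUID shown next
    # to the secret in the portal) instead of the secret value. A GUID-shaped
    # secret will never authenticate, so flag it before the feed is saved.
    if GUID_RE.match(client_secret):
        problems.append("OAUTH CLIENT SECRET looks like the secret ID, not the secret value")
    if auth_endpoint != AUTH_ENDPOINT:
        problems.append(f"API AUTHENTICATION ENDPOINT should be {AUTH_ENDPOINT}")
    return problems


def build_token_request(tenant_id, client_id, client_secret, auth_endpoint=AUTH_ENDPOINT):
    """OAuth 2.0 client-credentials request to the Microsoft identity platform v2.0 endpoint."""
    return {
        "method": "POST",
        "url": f"https://{auth_endpoint}/{tenant_id}/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            # .default requests the application permissions granted in the portal
            # (AuditLog.Read.All, Directory.Read.All, SecurityEvents.Read.All).
            "scope": "https://graph.microsoft.com/.default",
        }),
    }


def build_graph_request(api_full_path, access_token):
    """GET against the API full path from the table, authorised with the bearer token."""
    return {
        "method": "GET",
        "url": f"https://{api_full_path}",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or credentials.
    params = dict(
        log_type="AZURE_AD",
        client_id="11111111-2222-3333-4444-555555555555",
        client_secret="11111111-2222-3333-4444-555555555555",  # wrong: a secret ID
        tenant_id="66666666-7777-8888-9999-000000000000",
        api_full_path="graph.microsoft.com/v1.0/auditLogs/signIns",
    )
    for problem in check_feed_params(**params):
        print("problem:", problem)
    print(build_token_request(params["tenant_id"], params["client_id"], "example-secret-value")["url"])
```

The checks are deliberately offline so they can run before a feed is saved in Chronicle; the token request uses the `.default` scope, which is what grants the feed the application permissions added in the Device Configuration steps.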

For Microsoft Entra ID & Entra ID B2C via Azure Storage (Alternative):

| Property | Default Value | Description |
|---|---|---|
| AZURE URI | N/A | The URI pointing to an Azure Blob Storage blob or container. Container names are insights-logs-signinlogs, insights-logs-auditlogs & RiskyUsers. |
| URI IS A | Directory which includes subdirectories | The type of object indicated by the URI. Valid values are: FILES: the URI points to a single blob that will be ingested with each execution of the feed. FOLDERS_RECURSIVE: the URI points to a Blob Storage container. |
| SOURCE DELETION OPTION | Never delete files | The API endpoint to connect to retrieve logs, which include incidents or alerts. |
| Shared Key OR SAS Token | | A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying an SAS Token. OR: A Shared Access Signature authorized to access the Azure Blob Storage container. |
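The following is an added example, not Chronicle's or Microsoft's code, for the Azure Storage alternative in the table above: it parses the AZURE URI, checks the container is one of the three named in the table, checks that URI IS A agrees with whether the URI names a blob or a container, and checks that exactly one credential is supplied, with the shared key verified against the table's own description (512 random bits, base64) and the SAS token verified to carry the signed-version (`sv`) and signature (`sig`) query parameters. The `*.blob.core.windows.net` host check, the function names and the sample values are this example's assumptions; sovereign-cloud storage hosts would need the suffix adjusted.

```python
"""Added example (not Chronicle's or Microsoft's code): offline checks for the
AZURE URI / URI IS A / Shared Key-or-SAS parameters of the Azure Storage feed."""
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Diagnostic-setting containers named in the parameters table.
KNOWN_CONTAINERS = {"insights-logs-signinlogs", "insights-logs-auditlogs", "RiskyUsers"}
# Assumption: public-cloud blob endpoint; sovereign clouds use other suffixes.
BLOB_HOST_SUFFIX = ".blob.core.windows.net"


def parse_blob_uri(uri):
    """Return (account, container, blob_path) or None if the URI is not a blob URI."""
    u = urlparse(uri)
    if u.scheme != "https" or not u.netloc.endswith(BLOB_HOST_SUFFIX):
        return None
    parts = u.path.lstrip("/").split("/", 1)
    container = parts[0]
    blob_path = parts[1] if len(parts) == 2 else ""
    if not container:
        return None
    return u.netloc[: -len(BLOB_HOST_SUFFIX)], container, blob_path


def is_shared_key(value):
    """A storage account shared key is 512 random bits, i.e. 64 bytes, in base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 64


def is_sas_token(value):
    """Every Azure SAS token carries a signed version (sv) and a signature (sig)."""
    params = parse_qs(value.lstrip("?"))
    return "sv" in params and "sig" in params


def check_storage_params(uri, uri_is_a, shared_key=None, sas_token=None):
    """Return a list of problems; an empty list means the parameters look sane."""
    problems = []
    parsed = parse_blob_uri(uri)
    if parsed is None:
        problems.append(f"AZURE URI is not an https://<account>{BLOB_HOST_SUFFIX}/... URI")
    else:
        _account, container, blob_path = parsed
        if container not in KNOWN_CONTAINERS:
            problems.append(f"container {container!r} is not one of {sorted(KNOWN_CONTAINERS)}")
        if uri_is_a == "FILES" and not blob_path:
            problems.append("URI IS A = FILES but the URI names a container, not a single blob")
        elif uri_is_a == "FOLDERS_RECURSIVE" and blob_path:
            problems.append("URI IS A = FOLDERS_RECURSIVE but the URI names a single blob")
        elif uri_is_a not in ("FILES", "FOLDERS_RECURSIVE"):
            problems.append(f"URI IS A must be FILES or FOLDERS_RECURSIVE, got {uri_is_a!r}")
    # The table asks for a shared key OR a SAS token, not both and not neither.
    if bool(shared_key) == bool(sas_token):
        problems.append("provide exactly one of Shared Key or SAS Token")
    if shared_key and not is_shared_key(shared_key):
        problems.append("Shared Key is not 64 base64-encoded bytes (512 bits)")
    if sas_token and not is_sas_token(sas_token):
        problems.append("SAS Token lacks the sv= and/or sig= query parameters")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real account, key or signature.
    sample_key = base64.b64encode(bytes(range(64))).decode()
    print(check_storage_params(
        "https://examplestorage.blob.core.windows.net/insights-logs-signinlogs",
        "FOLDERS_RECURSIVE", shared_key=sample_key))
    print(check_storage_params(
        "https://examplestorage.blob.core.windows.net/insights-logs-signinlogs",
        "FOLDERS_RECURSIVE", sas_token="sv=2022-11-02&ss=b&srt=co&sp=rl&sig=EXAMPLE"))
```

The shared-key length check cannot prove a key is valid, but it does catch the common paste errors (a SAS token or a truncated key entered in the shared-key field) before the feed is created.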

For Microsoft Azure AD Context:

| Property | Default Value | Description |
|---|---|---|
| OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
| OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app to use for the integration. |
| TENANT ID | N/A | Specify the Entra ID (tenant ID). To find it, go to the Entra ID page > App Registration > Application you configured for your integration > Directory (tenant) ID. |