About The Device
Microsoft Entra ID:
Microsoft Entra ID is a cloud-based identity and access management service that enables your employees access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.
Microsoft Entra ID B2C: (C2C - Storage)
Entra ID B2C provides business-to-customer identity as a service. Your customers can use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. Entra ID B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Entra ID (Azure AD) |
Type of Device | Cloud |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol | Log Collection Method |
---|---|---|---|
Azure AD Azure AD Directory Audit | AZURE_AD AZURE_AD_AUDIT | JSON | C2C |
Device Configuration
For Microsoft Entra ID via 3RD Party API (Preferred):
Pre-requisites:
Get an Microsoft Entra ID P1 or P2 license.
To get access to the reporting data through the API, you need to have one of the following roles:
Security Reader
Security Administrator
Global Administrator
Register a Microsoft Entra application:
Sign in to the Microsoft Entra admin center as at least a Security Reader.
Browse to Identity > Applications > App registrations.
Select New registration.
On the Registration an Application page:
Give the application a Name.
For Supported accounts type, select Accounts in this organizational directory only.
In the Redirect URI section, select Web from the list and type
https://localhost
.Select Register.
Once Application is created, you will see Application (client) ID & Directory (tenant) ID on Overview tab of the application. Copy these IDs for integrations with Chronicle.
Grant permissions:
To access the Microsoft Entra reporting API, you must grant your app Read directory data and Read all audit log data permissions for the Microsoft Graph API.
Select API Permissions → Add a permission
Select Microsoft Graph > Application permissions.
Select the Application permissions option.
Add
AuditLog.Read.All
,Directory.Read.All
andSecurityEvents.Read.All
then select the Add permissions button.
On the Request API Permissions page, select Grant admin consent for Default Directory.
Add a client secret:
In the Certificates & Secrets tab, and click New client secret.
Select description and expiry period for the created secret and create it.
Important: Make sure you save the value for the created secret. It is only displayed once.
Configuration of the Entra ID application is completed. Use the saved Application (client) ID, Client Secret, and Directory (tenant) ID to feed logs in Chronicle.
Via Azure Storage (Alternative):
Pre-requisite:
An Azure subscription that you can sign in to.
An Entra ID(Azure Active Directory) (tenant) in Azure.
A user who's a Global Administrator or Entra ID(Azure Active Directory) Administrator.
Azure Storage Account to store the logs.
Reference URLs
How to create storage account?
Create a storage account - Azure Storage
Configuration Steps for Azure Active Directory:
Log In to Azure Portal i.e https://portal.azure.com/
Click Entra ID (Azure Active Directory) from Azure services
Click Audit Logs in the left pane
Click Export Data Settings
In the next window, click + Add Diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.
Select AuditLogs, SignInLogs and RiskyUsers from log categories.
You can store logs in Storage Account.
Archive to a storage account
To store logs in Storage Account, select Archive to a storage account as shown in below screenshot and Choose an existing Subscription and Storage account.
Note: AMxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies
Click on Save.
Entra ID (Azure Active Directory) B2C Via Azure Storage (Alternative):
Pre-requisite:
An Azure subscription that you can sign in to.
An Entra ID(Azure Active Directory) (tenant) in Azure.
For Entra ID(Azure Active Directory) B2C - Entra ID(Azure AD) B2C administrative account.
Azure Storage Account to store the logs.
Sign in to the Azure portal with your Entra ID B2C administrative account.
Make sure you're using the directory that contains your Entra ID B2C tenant:
In the Azure portal toolbar, select the Directories + subscriptions ( )icon.
On the Portal settings | Directories + subscriptions page, find your Entra ID B2C directory in the Directory name list, and then select Switch.
Select Microsoft Entra ID.
Under Monitoring, select Diagnostic settings. select Add diagnostic setting.
Select AuditLogs, SignInLogs and RiskyUsers from log categories.
You can store logs in Storage Account.
Archive to a storage account
To store logs in Storage Account, select Archive to a storage account as shown in below screenshot and Choose an existing Subscription and Storage account.
Note: AMxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies.
Click Save.
Use below link to see, how you can get credentials of Azure Storage.
Get Credentials of Azure Storage
Integration Parameters
Parameters required from customer for Integration.
For Microsoft Entra ID Via 3RD Party API (Preferred):
Property | Default Value | Description |
---|---|---|
OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app |
TENANT ID | N/A | Specify the Entra ID (tenant ID). |
API FULL PATH | In case of AZURE_AD graph.microsoft.com/v1.0/auditLogs/signIns In case of AZURE_AD_AUDIT | API full path |
API AUTHENTICATION ENDPOINT |
For Microsoft Entra ID & Entra ID B2C Via Azure Storage (Alternative):
Property | Default Value | Description |
---|---|---|
AZURE URI | N/A | The URI pointing to a Azure Blob Storage blob or container. Container names are |
URI IS A | Directory which includes subdirectories | The type of object indicated by the URI. Valid values are:
|
SOURCE DELETION OPTION | Never delete files | The API endpoint to connect to retrieve logs, which include |
Shared Key OR SAS Token | A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying an SAS Token. |