Microsoft Security
Application Support
The Microsoft Security Service Connector supports events from a number of applications, with more being added by Microsoft. The following applications are currently supported within this portal for log collection.
- Microsoft Azure Identity Protection
- Microsoft Cloud App Security
- Microsoft Defender Advanced Threat Protection (ATP)
Credentials Support Information
The Microsoft Security Service Connector can reuse credentials already set up for collection of other Microsoft services (Office 365, Azure, etc.). If an existing set of credentials is reused, the only addition needed is the Microsoft Graph Security API permission (Microsoft Graph, Application permissions, SecurityEvents.Read.All), if it is not already enabled. If a new set of credentials will be used, follow the instructions below to enable them.
Client Information
Before logs can be pulled using the Microsoft Security Service Connector, some information will need to be gathered. Some of these items may require additional setup within your Microsoft account and are documented in the subsequent sections.
In order to enable log retrieval, the following information will need to be collected:
- Directory ID - Sometimes referred to as the tenant or account ID. This is a UUID string 36 characters in length.
- Application ID - This is a UUID string 36 characters in length.
- Secret Key - A random string approximately 44 characters in length.
Additionally, permissions must be set to give the application access to the log resources. These permissions are detailed below.
Configuring the Application Credentials
The first step is to gather the information noted above and to set up an application registration for use.
Get the Directory ID
To get the Directory ID, perform the following steps:
- Log in to the Microsoft Azure Portal with an administrator account.
- Select "Azure Active Directory" from "Favorites" on the left or "All services"
- Choose "Properties" under "Manage"
- Copy the "Directory ID" using the copy button to the right of the Directory ID
- Record this value and denote it as the "Directory ID"
Create an Application Registration
A new app registration must be created in the Azure Portal from which the Application ID and Secret Key will be copied.
- In the Microsoft Azure Portal select "Azure Active Directory"
- Then select "App registrations" under "Manage"
- Click the "New registration" button at the top
- Enter the Name "ActiveEye Security Monitor"
- Under "Supported account types", select "Accounts in this organizational directory only (<Your Organization Here>)"
- Leave "Redirect URI (optional)" unmodified
- At the bottom, click "Register"
Get the Application ID
You will be redirected to the registered application page for your new application registration. From here:
- Hover over "Application (client) ID" and the copy button will appear to the right. Click this button.
- Record this value as the "Application ID".
The value needed on this page is the Application ID, not the Object ID.
Get the Secret Key
- From the registered application page where you obtained the Application ID, click "Certificates and secrets" from the left-side menu.
- Under "Client secrets", click "New client secret".
- For "Description", enter "ActiveEye Security Monitor".
- Select "Never", then click "Add".
- When the screen refreshes, there will be a new entry under "Client secrets". Under "Value", there will be a copy button. Click this button.
- Record this value as the "Secret Key".
This is the only time the key value will be shown. If it was not captured during this process, delete the original secret and create a new one.
Configure Windows Security Graph Permissions
While in "App registrations" (you will already be there if you are following step-by-step), continue below. If not, select "App registrations", then click on your newly created app. Then:
- From the left-side menu, click "API permissions".
- From the "API permissions" page, click "Add a permission", then find "Microsoft Graph" and click it.
- From the "Microsoft Graph" page, select "Application permissions". After redirecting to the new page, click the "SecurityEvents" drop down menu, then check "SecurityEvents.Read.All".
- Click "Add permissions".
Grant Permissions
You must be a "Global Administrator" to perform this action. If you are not, you can ask an administrator to do so.
Any time you change app permissions, an administrator must take the additional step of granting them by performing the following steps. This step is critical; if it is not done, event log collection will not function.
- On the next screen, click the "Grant Permissions" button
- Click "Yes" on the confirmation screen
- This will authorize the change to permissions that was made
READ ME: STOP! MAKE SURE TO COMPLETE THIS STEP
Provide Client Information
The Directory ID, Application ID and Secret Key should now be collected and available to complete the setup and start log collection. Provide these values to your service representative or use them for self-service configuration following the "Configuring a new Service Connector for log collection" guide.
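Before handing the three values over, the following added example (not ActiveEye or Microsoft code) checks their shape offline, shows the client-credentials token request a connector would make, and confirms the "Grant Permissions" step took effect by inspecting the roles claim of an app-only Graph token. It assumes the v2.0 token endpoint and that granted application permissions appear in the token's "roles" claim; the sample token is constructed, unsigned, and only used to exercise the checks.

```python
import base64
import json
import uuid
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLE = "SecurityEvents.Read.All"  # application permission requested above


def validate_client_info(directory_id, application_id, secret_key):
    """Return a list of problems with the three collected values (empty = looks OK)."""
    problems = []
    for label, value in (("Directory ID", directory_id), ("Application ID", application_id)):
        try:
            uuid.UUID(value)
        except ValueError:
            problems.append(f"{label} is not a 36-character UUID")
    if len(secret_key) < 30:
        problems.append("Secret Key is too short; the copied Value is ~44 characters")
    return problems


def build_token_request(directory_id, application_id, secret_key):
    """URL and form body of the client-credentials POST used to obtain an app-only token."""
    url = TOKEN_ENDPOINT.format(tenant=directory_id)
    body = urlencode({"client_id": application_id, "client_secret": secret_key,
                      "scope": GRAPH_SCOPE, "grant_type": "client_credentials"})
    return url, body


def token_roles(access_token):
    """Return the 'roles' claim from the JWT payload. The signature is NOT verified: this
    shows whether admin consent took effect, it does not prove the token is genuine."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])


def consent_granted(access_token):
    """True when the Grant Permissions step worked: the token carries SecurityEvents.Read.All."""
    return REQUIRED_ROLE in token_roles(access_token)


def make_sample_token(roles):
    """CONSTRUCTED unsigned token for offline testing only; not issued by Azure AD."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"aud": GRAPH_SCOPE, "roles": roles}), "sig"])
```

If a real token obtained with the collected credentials has no SecurityEvents.Read.All in its roles claim, the admin-consent step above was skipped or not yet applied.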
VENDOR REFERENCE: https://docs.microsoft.com/en-us/graph/security-authorization