Microsoft Azure Active Directory Activity Reports Integration Guide

integrations cloud microsoft active directory entra event hubs azure

The following instructions are for configuring an integration of Microsoft Entra logs to facilitate ingestion into Secureworks® Taegis™ XDR.

XDR supports two integration paths for Entra logs:

• (Preferred) Integrate via Azure Event Hubs — This option is preferred due to it providing the fastest and highest throughput of data, however it may incur additional costs to enable.
• Integrate via Microsoft Graph API (REST) — This option provides equivalent data to event hubs, but due to the polling nature of a REST-based API in addition to Microsoft rate-limiting, there may be limitations with how quickly data can be collected. See Office 365 and Azure Data Availability for information on our polling practices.

Start Event Hubs Integration ⫘

Configure Azure Monitor Diagnostic Settings ⫘

Follow the Microsoft instructions to enable Azure Monitor diagnostic settings:

• Microsoft Entra diagnostic settings

XDR supports the following diagnostic categories for data normalization:

Optimized Structured Logs Categories ⫘

• AuditLogs
• SignInLogs
• NonInteractiveUserSignInLogs
• UserRiskEvents

Forward to Event Hub and Enable Integration with XDR ⫘

1. Once the desired log categories are selected, choose to Stream to an event hub and enter the desired event hub destination.
2. Follow the integration instructions for an event hub to complete the integration with XDR and to begin data ingestion.

Data Provided from Integration ⫘

	Antivirus	Auth	CloudAudit	DHCP	DNS	Email	Encrypt	HTTP	Management	Netflow	NIDS	Thirdparty
MS Azure Active Directory Activity Reports		D	V
MS Azure Active Directory Identity Protection			V									V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Start Microsoft Graph Integration ⫘

Manage Azure Integrations

Data Availability and Collection Times ⫘

Alerts are ingested using the Microsoft REST APIs on a polling basis. For information on data availability, see Office 365 and Azure Data Availability.

Register an Application in Azure ⫘

1. Register an application in the Azure portal.

• Name — Any descriptive string
• Supported account types — Accounts in this organizational directory only

Note the following values as they are used to create the integration in XDR:

• Directory (tenant) ID
• Application (client) ID

2. Configure application permissions. The following permissions are required:

• AuditLog.Read.All (application permission)
• Directory.Read.All (application permission)
• User.Read (permission automatically delegated to MS Graph)

3. Click Grant admin consent for <Azure tenant name>.

4. Provide credentials for the application by uploading a certificate.

Use one of the following commands to generate a self-signed PEM (.pem extension) certificate using PowerShell or OpenSSL.

# Prompt user for input
$certname = Read-Host -Prompt "Enter certificate name"
$keyname = Read-Host -Prompt "Enter key name"
$mypwd = Read-Host -Prompt "Enter password" -AsSecureString
$location = Read-Host -Prompt "Enter location"
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-PfxCertificate -Cert $cert -FilePath "$location\$certname.pfx" -Password $mypwd
Install-Module -Name PSPKI -Scope CurrentUser
Import-Module -Name PSPKI
Convert-PfxToPem -InputFile "$location\$certname.pfx" -Outputfile "$location\$certname.pem"
# Read the PEM file content
$pemContent = Get-Content "$location\$certname.pem" -Raw
# Extract private key and certificate
$privateKey = $pemContent -replace "(?ms).*?(-----BEGIN PRIVATE KEY-----.+?-----END PRIVATE KEY-----).*", '$1'
$certificate = $pemContent -replace "(?ms).*?(-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----).*", '$1'
# Save private key and certificate to separate files
$privateKey | Set-Content "$location\$keyname.pem"
$certificate | Set-Content "$location\$certname.pem"
Write-Host "Files located at: $location"
pause

Or:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Add Integration in XDR ⫘

1. From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
2. Choose Set Up Azure Integrations.
3. Choose Authorize under Azure Active Directory Activity Reports.
4. Enter a name for the integration. This can be any string.
5. Enter the Tenant ID and the Application Client ID from Step 1 in Register an application.
6. Upload the certificate and its associated private key.
7. Select Done to complete the integration.

Create the Integration

Data Provided from Integration ⫘

	Antivirus	Auth	CloudAudit	DHCP	DNS	Email	Encrypt	HTTP	Management	Netflow	NIDS	Thirdparty
MS Azure Active Directory Activity Reports		D	V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Link Secureworks as a Microsoft Partner ⫘

Linking Secureworks as a Solution Provider for Security is an optional process that enables Microsoft to better understand what customers Secureworks is enabling to achieve their security goals and realize the value of the Microsoft ecosystem. This allows Secureworks better access to Microsoft as a partner, enabling us to provide you, our customer, with better products and services. If you have successfully added access to your Azure environment to allow Secureworks to help enable your business through improved security, we would appreciate if you would additionally add us as a partner link to show that this is in place.

To link Secureworks as a partner, folllow these steps:

1. Navigate to Link to a partner ID in the Azure Portal.
2. Use a user with eligible roles or permissions, see Roles and Permissions Required to Receive Credit.
3. In the Microsoft Partner ID box, enter the value: 4834104
4. Click on the Link a partner ID button to complete the process.