
Microsoft Azure Activity Log Integration Guide

The following instructions are for configuring an integration of Azure Activity Logs to facilitate ingestion into Secureworks® Taegis™ XDR.

Note

Collection of Azure Activity logs uses the Azure Monitor REST API with the user_impersonation authorization scope. This permission is delegated: API calls are made on behalf of the consenting user, not on behalf of the application. This document guides you through creating a user in Azure with least-privileged access to the data to be collected, consenting to the application as that user, and enabling log collection in XDR. If a user with the required access to Azure Activity logs already exists, the steps for configuring a user in Azure are optional.

Notes

  • Azure integrations are supported in US and EU regions, but may not be supported by Microsoft in other regions. Contact Microsoft directly to verify their support of services in other regions.
  • Azure Active Directory and Microsoft 365 integrations are available for the global Azure cloud. Other national clouds, such as Azure Government, Azure China 21Vianet, and Azure Germany are currently not supported.

Note

The integration collects subscription-level activity logs from Azure. Please see the vendor documentation for more details.

Data Provided from Integrations

  Data source               Antivirus  Auth  CloudAudit  DHCP  DNS  Email  Encrypt  HTTP  Management  Netflow  NIDS  Thirdparty
  MS Azure Activity Logs    -          -     V           -     -    -      -        -     -           -        -     -

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections | - = not provided

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuring an Azure User

Creating a user in Microsoft Azure requires a user with the role User Administrator or equivalent permissions.

Note

Creating a new Azure Active Directory user creates an identity with access to your Azure resources. Securing this identity is your organization's responsibility. This guide only covers the user settings required for integration with XDR; take additional steps to secure the user according to recommended best practices and your organization's security controls and standards (for example, enforcing multi-factor authentication and restricting the account to this single purpose).

Create the User

  1. Navigate to the Microsoft Azure Portal.
  2. Proceed to the Azure Active Directory resource and select the Users option in the left-hand pane.
  3. From Users, select New User.
  4. Leave the default option selected to Create a New User.
  5. Under Identity fill in the following fields:

    • User Name: TaegisActivityIntegrationUser, for example. Make a note of the user name; you will need it in a later step.
    • Name: Secureworks Taegis, for example.
  6. Under Password, select Let me create the password and enter a strong password. You will be prompted for this password when performing consent in a later step.

  7. From Groups and roles, click on the User role to be prompted with a set of built-in roles to assign to the user. Select the Directory readers role in the right-hand pane and click Select.
  8. Click the Create button to finish creating the user.

Collect a List of Subscription IDs to be Integrated

  1. Navigate to the Subscriptions Resource in the Microsoft Azure Portal.
  2. Copy the Subscription ID(s) for each subscription to be monitored by XDR. You will be prompted to enter this ID in the next step.

Note

Portal filters and the IAM roles of your own account may prevent some subscriptions from being displayed. Ensure the account you are signed in with can view all subscriptions, and that no subscription filter is hiding subscriptions to be monitored.

Add the Service Principal to the Subscriptions to be Monitored

  1. Navigate to the Subscriptions Resource in the Microsoft Azure Portal.
  2. Select the Access Control (IAM) option in the left-hand pane.
  3. Select the option to Add and choose Add role assignment.
  4. Select the Reader role and click Next.
  5. Under Assign access to, leave the option selected for User, group, or service principal.
  6. In the Members section, select the option to add a member. In the right-hand pane, search for the service principal of the consented application, Secureworks Taegis - Azure Activity Logs Integration. This service principal exists in your tenant only after the application has been consented to at least once; if the search returns nothing, complete the consent step in XDR first and then return here.
  7. Click the Review and Assign button to assign the Reader role to the service principal on the subscription.

Note

The above steps must be completed for each subscription to be monitored.
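The following script is an added example, not part of the Secureworks documentation or of Taegis XDR. It performs the Collect a List of Subscription IDs and Add the Service Principal to the Subscriptions sections with the Azure CLI, looping over every enabled subscription so the per-subscription portal steps are not repeated by hand, and then checks that Reader is the only role the service principal holds. It assumes the `az` CLI is installed and `az login` has been run as an account that can read the subscriptions and write role assignments on them (Owner or User Access Administrator); it uses the service principal display name given in this guide; and the tab-separated sample rows used in the comments and tests are constructed, not real subscriptions. It does not create the Azure user described above.

```shell
#!/usr/bin/env bash
# Added example (not Secureworks code): script the subscription-ID collection
# and Reader role assignment for the Taegis Azure Activity Logs service
# principal. Assumes `az` is installed and `az login` has been run as an
# account with Owner or User Access Administrator on the subscriptions.
set -eu

# Display name this guide tells you to search for in the IAM pane.
SP_DISPLAY_NAME="Secureworks Taegis - Azure Activity Logs Integration"

# Reject anything that is not a subscription ID (a GUID) before it reaches
# the CLI; a pasted display name or filter text otherwise produces a
# confusing role-assignment error instead of a clear one.
is_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read rows of "name<TAB>id<TAB>state" (the shape of `az account list -o tsv`
# below) on stdin and print the IDs of Enabled subscriptions only, so
# disabled or deleted subscriptions are skipped. Constructed sample row:
#   Prod<TAB>11111111-1111-1111-1111-111111111111<TAB>Enabled
enabled_subscription_ids() {
  awk -F'\t' '$3 == "Enabled" { print $2 }'
}

# Live call: list every subscription the signed-in account can see.
# --all overrides the CLI's own subscription filtering, mirroring the guide's
# warning that filters may hide subscriptions you intend to monitor.
list_enabled_subscriptions() {
  az account list --all --query '[].[name,id,state]' -o tsv | enabled_subscription_ids
}

# Resolve the integration's service principal object ID. The object exists
# only after the application has been consented to in the tenant at least
# once; an empty result means the consent step in XDR has not happened yet.
service_principal_object_id() {
  az ad sp list --display-name "$SP_DISPLAY_NAME" --query '[0].id' -o tsv
}

# Grant Reader (and nothing broader) to the service principal on one
# subscription. Creating an assignment that already exists is a no-op, so
# re-running the script is safe.
assign_reader() {
  sub_id="$1"
  sp_object_id="$2"
  is_subscription_id "$sub_id" || { echo "not a subscription ID: $sub_id" >&2; return 1; }
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role Reader \
    --scope "/subscriptions/$sub_id" -o none
}

# Least-privilege check: print the role names the service principal holds
# at subscription scope. Anything other than a single "Reader" line means
# someone granted more than this integration needs.
roles_held() {
  az role assignment list --assignee "$2" \
    --scope "/subscriptions/$1" --query '[].roleDefinitionName' -o tsv
}

main() {
  sp_object_id="$(service_principal_object_id)"
  if [ -z "$sp_object_id" ]; then
    echo "service principal '$SP_DISPLAY_NAME' not found; complete the consent in XDR first" >&2
    exit 1
  fi
  list_enabled_subscriptions | while read -r sub_id; do
    assign_reader "$sub_id" "$sp_object_id"
    echo "$sub_id: $(roles_held "$sub_id" "$sp_object_id" | tr '\n' ' ')"
  done
}

# Only touch Azure when explicitly asked ("./script.sh apply"); sourcing the
# file just defines the functions so they can be used or tested individually.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it once per tenant with `apply`; the printed role list for each subscription should read `Reader` and nothing else. Paste each printed subscription ID into the Azure Activity Logs box in XDR as described in the next section.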

Note

Currently subscriptions must be added to XDR one at a time, but you can add any number of subscriptions. For each subscription to be added, the consent process must be repeated. When completing the consent process, you may use the same user created previously.

  1. In XDR, navigate to Integrations and select Cloud APIs from the left-hand pane.
  2. Select the option to Add API Integration and choose Set up Azure Integrations.
  3. In the Azure Activity Logs box, enter a valid Subscription ID.

Note

This is one of the IDs copied in Collect a List of Subscription IDs to be Integrated.

Add Azure Subscription

  4. Once the subscription ID is entered, you are redirected to Microsoft's identity provider to consent to access. Sign in as the user created in Create the User and approve the listed permissions to authorize XDR access.
  5. If the consent succeeds, you are redirected back to XDR.

Note

If you receive an error message related to application consent, the cause is that the Azure tenant requires admin consent for the application. XDR cannot process the asynchronous admin consent request and complete the integration, regardless of whether the correct permissions have been assigned to the application. There are two options to resolve this:

  • Temporarily add the Application Administrator role to TaegisActivityIntegrationUser and perform the consent as that user. Once consent has been granted, remove the role from the user.
  • Temporarily disable the Admin Consent option on the Azure tenant and perform the consent as TaegisActivityIntegrationUser. Once the integration has been completed, re-enable the Admin Consent option.

  6. Enter a unique name for the integration.

Azure Activity Logs Integrations

  7. Repeat these steps to add additional subscriptions.

Follow-On

Complete the Link a Partner Process.