🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Microsoft Azure Activity Log Integration Guide

cloud integrations microsoft azure


The following instructions are for configuring an integration of Azure Activity Logs to facilitate ingestion into Secureworks® Taegis™ XDR.

Note

Collection of Azure Activity logs uses the Azure Monitor REST API, which leverages an authorization scope of user_impersonation to collect log data. In addition to this, the permission is delegated, meaning actions are performed on behalf of the consenting user, instead of on behalf of the application. This document guides you through the process of setting up and configuring a user within Azure that has least-privileged access to the data to be collected, in addition to consenting to the application and enabling the collection of logs within Secureworks® Taegis™ XDR. If a user with the required access to Azure activity logs is already configured, the steps for configuring a user in Azure are optional.

Notes

  • Azure integrations are supported in US and EU regions, but may not be supported by Microsoft in other regions. Contact Microsoft directly to verify their support of services in other regions.
  • Azure Active Directory and Microsoft 365 integrations are available for the global Azure cloud. Other national clouds, such as Azure Government, Azure China 21Vianet, and Azure Germany are currently not supported.

Data Provided from Integrations

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
MS Azure Activity Logs     V                  

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuring an Azure User

Creating a user in Microsoft Azure requires a user with the role User Administrator or equivalent permissions.

Note

Creating a new Azure Active Directory user creates an identity with access to your Azure resources. Securing this identity is the responsibility of the user. This guide will only cover configuring the necessary user settings for integration with Taegis™ XDR, however additional steps should be taken to secure the user according to recommended best practices, as well as your organizations security controls and standards.

Create the User

  1. Navigate to the Microsoft Azure Portal.
  2. Proceed to the Azure Active Directory resource and select the Users option in the left-hand pane.
  3. From Users, select New User.
  4. Leave the default option selected to Create a New User.
  5. Under Identity fill in the following fields: 6.

    • User Name , for example TaegisActivityIntegrationUser. Make a note of the user name, you'll need it in a later step.
    • Name, for example Secureworks Taegis.
  6. In the Password, select the option for Let me create the password and fill in a secure password. You will be prompted to enter this password when performing consent in a later step.

  7. From Groups and roles, click on the User role to be prompted with a set of built-in roles to assign to the user. Select the Directory readers role in the right-hand pane and click Select.
  8. Click the Create button to finish creating the user.

Collect a List of Subscription IDs to be Integrated

  1. Navigate to the Subscriptions Resource in the Microsoft Azure Portal.
  2. Copy the Subscription ID(s) for each subscription to be monitored by Taegis™ XDR. You will be prompted to enter this ID in the next step.

Note

Filters and user IAM roles may prevent viewing some subscriptions. Ensure your user allows access to view all subscriptions and that any subscription filters are not hiding subscriptions to be monitored.

Note

Currently subscriptions must be added to Taegis™ XDR one at a time, but you can add any number of subscriptions. For each subscription to be added, the consent process must be repeated. When completing the consent process, you may use the same user created previously.

  1. Navigate to Integrations and select Cloud APIs from the left-hand pane in Secureworks® Taegis™ XDR.
  2. Select the option to Add API Integration and choose Set up Azure Integrations
  3. In the Azure Activity Logs box, enter a valid Subscription ID.

Note

This ID may have been copied in the previous step.

Add Azure Subscription

Add Azure Subscription

  1. Once the subscription is entered, you will be redirected to Microsoft’s identity provider to consent access. Log in using the user you created from Create the User and approve the listed permissions to authorize Taegis™ XDR access.
  2. If the consent process is successful, you will be redirected back to Taegis™ XDR.

Note

If you receive an error message related to application consent, the underlying cause is that the Azure account has Admin Consent enabled. Taegis™ XDR is unable to process the asynchronous application consent and complete the integration regardless of whether the correct permissions are assigned to it. There are two options to resolve this issue:

  • Add the Application Administrator role to the TaegisActivityIntegrationUser and perform the consent using that user. Once the consent has been granted the Role can be removed from the user.
  • Disable Admin Consent option on the Azure account and perform the consent using the user TaegisActivityIntegrationUser. Once the integration has been completed Admin Consent option can be re-enabled on the Azure account.
  1. Enter a unique name for the integration.

Name the O365 Management API Integration

Azure Activity Logs Integrations

  1. Repeat these steps to add additional subscriptions.

Add the Service Principal to the Subscriptions to be Monitored

  1. Navigate to the Subscriptions Resource in the Microsoft Azure Portal.
  2. Select the Access Control (IAM) option in the left-hand pane.
  3. Select the option to Add and choose Add role assignment.
  4. Select the Reader role and click Next.
  5. Under Assign access to, leave the option selected for User, group, or service principal.
  6. In the Members section, select to add a member. In the right-hand pane, search for the service principal of the application that was consented, Secureworks Taegis - Azure Activity Logs Integration.
  7. Click the Review and Assign button to assign the user to the subscription.

Note

The above steps must be completed for each subscription to be monitored.

Follow-On

Complete the Link a Partner Process.

 

On this page: