O365 & AAD Multi-Tenant Custom Connector – Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
November 12, 2020
in SOC

Overview & Use Case

Thanks to @Ofer_Shezaf and @Yaniv Shasha for the brainstorming, contributions and proofreading!

A multi-national organization has multiple branches with separate identities across the globe: each branch has its own tenant (AAD & O365) and therefore its own logs, and the global SOC team is looking for a way to ingest the logs from all branches into the main parent tenant via Azure Sentinel.

While Azure Sentinel can’t do that natively with the out-of-the-box data connectors (Office 365 / Azure AD), we have you covered with an O365 & AAD multi-tenancy custom connector built as an Azure Sentinel Playbook (Logic App). It invokes the Office 365 Management API and the Microsoft Graph API to read from multiple tenants and writes the results to a custom table in Sentinel; the same can be done with an Azure Function.

Implementation

With the help of the Office 365 Management API and the Microsoft Graph API we can pull the following content types across tenants:

API                          Content-Type / Activity Log
Office 365 Management API    Audit.AzureActiveDirectory
Office 365 Management API    Audit.Exchange
Office 365 Management API    Audit.SharePoint
Office 365 Management API    Audit.General (includes all other workloads not covered by the previous content types)
Office 365 Management API    DLP.All (DLP events only, for all workloads)
Graph API                    Audit logs
Graph API                    Sign-in logs

So, tell us more about the steps?

Assume we have a parent tenant (Pt) and a child tenant (Ct), and the requirement is to invoke the “Ct” tenant’s O365 Management API and Graph API to pull Office 365 and AAD logs and ingest them into “Pt”.

Step(1): Prep & App Registration

  • Ensure that the “Ct” Office 365 Security & Compliance audit log is enabled
    • Log in to “Ct” http://protection.office.com
    • Search > Audit log search (it must be enabled, and you must be able to search for activities)
  • Log in to the “Ct” Azure tenant, http://portal.azure.com
  • Search for App Registration > New Registration
  • Type a name and make sure to select the right “supported account type”: Accounts in any organizational directory (Any Azure AD directory – Multitenant), then click the Register button
  • Follow the gif / step-by-step guide below on how to define and configure the API permissions and create the secret:
  • Click “API permissions”
    • Add a permission > Office 365 Management API > Application permissions
    • Select and check “ActivityFeed.Read”, “ActivityFeed.ReadDlp” & “ServiceHealth.Read”
    • Add a permission > Microsoft Graph
    • Select and check “Directory.Read.All”, “AuditLog.Read.All”
    • Click the “Grant admin consent” link
  • Click “Certificates & secrets”
    • Under Client secrets > Add client secret
  • Get the following values:
    • Application / Client ID
    • Tenant ID
    • Secret
    • Azure Active Directory Domain
  • Register the API subscriptions via PowerShell: run the script below as administrator, connected to the “Ct” tenant directory, and replace $ClientID, $ClientSecret, $tenantdomain and $TenantGUID with the values copied above:
Connect-AzAccount # connect with a "Ct" (child tenant) admin account

# Populate with the App ID and Secret from your Azure AD app registration
$ClientID = "<Client_ID>"
$ClientSecret = "<Secret>"
$loginURL = "https://login.microsoftonline.com"
$tenantdomain = "<tenant-domain>.onmicrosoft.com"
# Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
$TenantGUID = "<tenant_ID>"
$resource = "https://manage.office.com"

# Client-credentials token for the Office 365 Management API (v1 token endpoint)
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

# Start one subscription per content type. PublisherIdentifier is a GUID identifying the caller;
# the API uses it to apply throttling per publisher rather than per tenant.
$publisher = New-Guid
$contentTypes = "Audit.AzureActiveDirectory","DLP.All","Audit.General","Audit.Exchange","Audit.SharePoint"
foreach ($ct in $contentTypes) {
    Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=$ct&PublisherIdentifier=$publisher"
}
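As an added example (not the post's own script, which is the PowerShell above), here is the same Step 1 registration in Python with the verification step the post leaves implicit: after starting the subscriptions it reads back /activity/feed/subscriptions/list and reports any required content type that is not yet "enabled". The /list endpoint and its response shape (contentType, status, webhook) are those of the Office 365 Management Activity API; the tenant domain, client id, secret and publisher GUID are placeholders, and the `http` argument is an injected transport so the logic can be exercised offline against constructed responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# The five content types the post subscribes to in Step 1.
REQUIRED_CONTENT_TYPES = (
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
)


def _http_json(method, url, headers=None, body=None):
    """Minimal transport: send the request and decode a JSON body (None when empty)."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def get_app_token(tenant_domain, client_id, client_secret, resource, http=_http_json):
    """Client-credentials token from the v1 endpoint, as the post's PowerShell does.
    Returns the value for the Authorization header ("Bearer <token>")."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/token?api-version=1.0"
    tok = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return f"{tok['token_type']} {tok['access_token']}"


def subscription_url(tenant_id, action, content_type=None, publisher=None):
    """Build .../activity/feed/subscriptions/<start|stop|list> with its query string."""
    params = {}
    if content_type:
        params["contentType"] = content_type
    if publisher:
        params["PublisherIdentifier"] = publisher
    url = f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/{action}"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def ensure_subscriptions(tenant_id, auth_header, publisher, http=_http_json,
                         required=REQUIRED_CONTENT_TYPES):
    """Start every required subscription, then read back /subscriptions/list and
    return the content types still not reported as "enabled".
    An empty list means Step 1 is complete for this child tenant."""
    headers = {"Authorization": auth_header}
    for content_type in required:
        try:
            http("POST", subscription_url(tenant_id, "start", content_type, publisher), headers)
        except urllib.error.HTTPError:
            # A 4xx here usually means the subscription already exists; the
            # list call below is the source of truth, so keep going.
            pass
    listed = http("GET", subscription_url(tenant_id, "list", publisher=publisher), headers) or []
    enabled = {s["contentType"].lower() for s in listed if s.get("status") == "enabled"}
    return [ct for ct in required if ct.lower() not in enabled]


if __name__ == "__main__":
    # Placeholder values; replace with the ones copied from the "Ct" app registration.
    token = get_app_token("<tenant-domain>.onmicrosoft.com", "<Client_ID>", "<Secret>",
                          "https://manage.office.com")
    print("not enabled:", ensure_subscriptions("<tenant_ID>", token, "<publisher-guid>"))
```

The comparison is case-insensitive on purpose: the post's script sends DLP.ALL while the API lists the type as DLP.All, and a strict string match would report a false "missing" entry.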

Step(2): Cross-Tenants Custom Connector

  • Log in to “Pt” Azure tenant, http://portal.azure.com
  • Go to Azure Sentinel > Playbooks
  • Create a new Playbook and follow the gif / step-by-step guide below; the code is uploaded to the GitHub repo as well:
    • Add a “Recurrence” step and set the following fields; below is an example that triggers the Playbook every 5 minutes:
      • Interval: 5
      • Frequency: Minute
    • Initialize a set of variables for the content-type values:
      • Child-Tenant ID:
        • Name: ChildTenantID
        • Type: String
        • Value: value of the child tenant ID
      • Audit.General-Var:
        • Name: AuditGeneral
        • Type: String
        • Value: https://manage.office.com/api/v1.0/@{variables(‘ChildTenantID’)}/activity/feed/subscriptions/content…
      • Audit.AzureActiveDirectory-Var:
        • Name: AAD
        • Type: String
        • Value: https://manage.office.com/api/v1.0/@{variables(‘ChildTenantID’)}/activity/feed/subscriptions/content…
      • DLP-Var:
        • Name: DLP
        • Type: String
        • Value: https://manage.office.com/api/v1.0/@{variables(‘ChildTenantID’)}/activity/feed/subscriptions/content…
      • User SignIns-Var:
        • Name: Sign-Ins
        • Type: String
        • Value: https://graph.microsoft.com/v1.0/auditLogs/signIns
      • User-Activities-Var:
        • Name: UserActivities
        • Type: String
        • Value: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
    • Set up HTTP endpoints to get the content-type data, ensuring the authentication type is Active Directory OAuth:
      • HTTP – Get Logs – O365API:
        • Method: GET
        • URI: @{variables(‘AAD’)}
        • Headers:
          • Accept: application/json
          • Content-Type: application/json
        • Authentication type: Active Directory OAuth
      • HTTP – GraphAPI:
        • Method: GET
        • URI: @{variables(‘Sign-Ins’)}
        • Headers:
          • Accept: application/json
          • Content-Type: application/json
        • Authentication type: Active Directory OAuth
    • Parse the content-type data with Parse JSON:
      • Parse JSON – O365API:
        • Content: @{body(‘HTTP__-_Get_Logs-O365API’)}
        • Schema: uploaded to github
      • Parse JSON – GraphAPI:
        • Content: @{body(‘HTTP_-_GraphAPI’)}
        • Schema: uploaded to github
    • The next step is to send the logs to Azure Sentinel via a custom log table. Below, one example iterates over all values returned by the Office 365 Management API and sends the data to Log Analytics, and a second example sends the raw data from the Graph API to Log Analytics without the iteration phase:
      • Iterate (For each) over all returned values (Body) and get contentUri from the Office 365 API (and value from the Graph API) via an embedded, looped HTTP endpoint, ensuring that the authentication type is Active Directory OAuth:
        • Add  For Each control:
          • Select an output from previous steps: @body(‘Parse_JSON_-_O365API’)
        • Add HTTP endpoint step:
          • Method: GET
          • URI: @{items(‘For_each_-O365API’)[‘contentUri’]}
          • Headers:
            • Accept: application/json
            • Content-Type: application/json
          • Authentication: Active Directory OAuth
        • Add Send Data to Log Analytics Control:
          • JSON Request body: @{json(body(‘HTTP’))}
          • Custom Log Name: ChildO365AAD
    • Send the data (Office 365 Management API and Graph API) to the Azure Sentinel Log Analytics workspace via custom log tables:
      • JSON Request body: @{body(‘HTTP_-_GraphAPI’)}
      • Custom Log Name: ChildAADSignIn
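The playbook steps above map onto a small amount of code. This added example (not the post's playbook nor the GitHub code it refers to, written as a plain Python module of the kind an Azure Function would host, which the post names as the alternative) implements the same flow: list the available content for one content type, fetch every contentUri, follow Graph paging for the sign-in/audit endpoints, and post the records to a custom Log Analytics table. It also shows the HTTP Data Collector API signature that the “Send Data to Log Analytics” connector computes for you: an HMAC-SHA256 keyed with the workspace shared key, which is why that key should live in Key Vault rather than in the playbook definition. The workspace id, shared key, tenant id, token and the `http` transport are placeholders or injected, so the module runs offline against constructed responses.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request


def _http_json(method, url, headers=None, body=None):
    """Minimal transport (same shape as the Step 1 example): send, decode JSON or None."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def fetch_o365_records(tenant_id, content_type, auth_header, http=_http_json):
    """Playbook 'For each' stage: list the available content blobs for one
    content type, then GET every contentUri and collect the audit records.
    Single page only: the real API announces further pages in a NextPageUri
    response header, which this example does not follow."""
    headers = {"Authorization": auth_header, "Accept": "application/json"}
    list_url = (f"https://manage.office.com/api/v1.0/{tenant_id}"
                f"/activity/feed/subscriptions/content?contentType={content_type}")
    records = []
    for blob in http("GET", list_url, headers) or []:
        records.extend(http("GET", blob["contentUri"], headers) or [])
    return records


def fetch_graph_value(url, auth_header, http=_http_json):
    """Graph API stage: follow @odata.nextLink so signIns/directoryAudits are complete."""
    headers = {"Authorization": auth_header, "Accept": "application/json"}
    items = []
    while url:
        page = http("GET", url, headers) or {}
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def build_signature(workspace_id, shared_key, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """HTTP Data Collector API authorization header: HMAC-SHA256 over the
    canonical string, keyed with the base64-decoded workspace shared key."""
    string_to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date_rfc1123}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def send_to_log_analytics(workspace_id, shared_key, log_type, records, http=_http_json, now=None):
    """'Send Data to Log Analytics' stage: POST the records as a custom log; the
    table shows up in the workspace as <log_type>_CL. Returns the headers sent."""
    body = json.dumps(records)
    when = now or datetime.datetime.now(datetime.timezone.utc)
    date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": date,
        "Authorization": build_signature(workspace_id, shared_key, date, len(body.encode("utf-8"))),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    http("POST", url, headers, body)
    return headers


def forward_child_tenant(tenant_id, content_type, o365_auth, workspace_id, shared_key,
                         log_type, http=_http_json):
    """One playbook run for one content type. Returns the number of records sent."""
    records = fetch_o365_records(tenant_id, content_type, o365_auth, http)
    if records:
        send_to_log_analytics(workspace_id, shared_key, log_type, records, http)
    return len(records)
```

Run it on a timer (the Recurrence step's equivalent) once per content type and once per Graph URL; the Graph results go through send_to_log_analytics unchanged, matching the post's ChildAADSignIn table that skips the iteration phase.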

Notes & Consideration

  • You can customize the parsers in the connector’s flow with the attributes / fields your schema / payload requires before the ingestion process; you can also create custom functions once the data has been ingested into Azure Sentinel.
  • An Azure Function can be used to create a custom connector for multi-tenant access; here’s a great example created by Jon Nord that invokes the Office 365 Management API, which you can extend to add the Graph API as well.
  • A couple of points to consider while using Logic Apps:
    • Cost (standard / enterprise connectors)
    • Considerations & Configurations
    • Non standard schema
    • Rewriting rules

Get started today!

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/o365-amp-aad-multi-tenant-custom-connector-azure-sentinel/ba-p/1848968

Tags: Multitenancy