Azure AD

Cyderes supports the ingestion of Azure AD activity logs from the Microsoft Graph API. The types of activity logs that are supported are below:

• Sign-Ins
• Directory Audits
• Provisioning

Chronicle also supports user context and aliasing for Azure AD (AZURE_AD_CONTEXT). This functionality aliases different identities together using automated data sources to provide a unified timeline of combined endpoint and network activity. This functionality will be turned on with Azure AD ingestion.

Azure App Prerequisite

For this integration, an Azure App must be created. More information can be found about how to do that in the documentation here.

Chronicle Data Types

• AZURE_AD

Requirements

In the Cyderes Azure App Registration, select API permissions from the sidebar. Then click the Add a permission button. Click APIs my organization uses and search for 'Microsoft Graph' and then select it. Click the Application permissions and click the check box next to the following permissions. Once the permissions have been added, ensure that admin consent has been granted for each by clicking Grant admin consent for ACCOUNT.

• AuditLog.Read.All
• Directory.Read.All

Gather Information

Provide the following information to Cyderes to complete implementation:

• Identity (Azure Active Directory App)
  • Application (client) ID
  • Directory (tenant) ID
  • Secret ID
  • Secret Value