Currently, Cyderes can pull specific detections, indicators, or alerts when the correct permissions are enabled in the Azure App API.
Azure App Prerequisite
For this integration, an Azure App must be created. More information about how to do that can be found in the documentation here.
Detections or Indicators only available within the Azure App API:
- Azure Risk Detections
- Microsoft Threat Indicators
Alerts only available within the Azure App API:
- Azure AD Identity Protection
- Azure Advanced Threat Protection
- Azure Sentinel
- Azure Security Center
- Microsoft Defender ATP
Security Actions only available within the Azure App API:
- Microsoft Security Actions
Chronicle Data Types
Configure Audit Logging
- Navigate to
- On the sidebar, select Search, then Audit log search
- Turn on Audit Logging if not enabled already. Logs will take about 24 hours to publish initially.
Note: This functionality is starting to be enabled by default on tenants. If these options do not exist, assume audit logging is already turned on and continue.
Microsoft Defender Advanced Threat Protection Alerts
Additional user roles are required to ingest Defender ATP Alerts from the Microsoft Graph Security API. Only users who hold both the Microsoft Defender Advanced Threat Protection role and the Microsoft Graph Security API role can access Microsoft Defender Advanced Threat Protection data.
Azure Advanced Threat Protection Alerts
Azure Advanced Threat Protection (Azure ATP) Alerts are available via the Microsoft Cloud App Security integration. This means Azure ATP Alerts are ingested only if the user has joined Unified SecOps and connected Azure ATP to Microsoft Defender for Cloud Apps. Learn more about how to integrate Azure ATP and Microsoft Defender for Cloud Apps. Follow the Microsoft Defender for Cloud Apps integration guide to complete this setup.
Azure Risk Detection
An Azure AD Premium P1 or P2 license is required to set up the Azure Risk Detection integration.
Azure App API Permissions for Microsoft Graph
In the Cyderes Azure App Registration:
- Select API permissions from the sidebar, then click the Add a permission button.
- Click APIs my organization uses, search for 'Microsoft Graph', and select it.
- Click Application permissions and tick the check box next to each of the permissions in the table below.
- Once the permissions have been added, ensure that admin consent has been granted for each by clicking Grant admin consent for ACCOUNT.
| Application permission | Data sources enabled |
|---|---|
| SecurityEvents.Read.All | Azure Advanced Threat Protection Alerts |
| | Azure Security Center Alerts |
| | Microsoft Defender for Cloud Apps Alerts |
| | Azure AD Identity Protection Alerts |
| | Azure Sentinel Alerts |
| | Microsoft Defender Advanced Threat Protection Alerts |
| SecurityActions.Read.All | Microsoft Security Actions |
| IdentityRiskEvent.Read.All | Azure Risk Detection |
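Before handing the app credentials over, it is worth confirming that the registration actually carries the permissions the table above requires for the technologies you intend to enable. For a client-credentials token issued to the app, the admin-consented application permissions appear in the token's `roles` claim. The script below is an added example, not Cyderes' or Microsoft's code: it encodes the permission table from this page, decodes a token payload locally (no signature check, so it is only a self-inspection aid), and reports which permissions are still missing. The token used here is constructed test data, not a real Azure token.

```python
import base64
import json

# Mapping taken from the permission table on this page: each Microsoft Graph
# application permission and the data sources it unlocks.
PERMISSION_SOURCES = {
    "SecurityEvents.Read.All": {
        "Azure Advanced Threat Protection Alerts",
        "Azure Security Center Alerts",
        "Microsoft Defender for Cloud Apps Alerts",
        "Azure AD Identity Protection Alerts",
        "Azure Sentinel Alerts",
        "Microsoft Defender Advanced Threat Protection Alerts",
    },
    "SecurityActions.Read.All": {"Microsoft Security Actions"},
    "IdentityRiskEvent.Read.All": {"Azure Risk Detection"},
}


def required_permissions(technologies):
    """Return the set of Graph application permissions needed for the given data sources."""
    needed = set()
    for tech in technologies:
        matches = [perm for perm, sources in PERMISSION_SOURCES.items() if tech in sources]
        if not matches:
            raise ValueError(f"unknown technology: {tech}")
        needed.update(matches)
    return needed


def token_roles(access_token):
    """Extract the 'roles' claim (consented application permissions) from a token payload.
    The signature is deliberately NOT verified: this is a local inspection, not authentication."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_permissions(access_token, technologies):
    """Permissions still to be added (and admin-consented) for the requested data sources."""
    return sorted(required_permissions(technologies) - token_roles(access_token))


def make_sample_token(roles):
    """Build a CONSTRUCTED, unsigned token carrying a roles claim (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': 'https://graph.microsoft.com', 'roles': sorted(roles)})}."


if __name__ == "__main__":
    token = make_sample_token({"SecurityEvents.Read.All"})
    print(missing_permissions(token, ["Azure Sentinel Alerts", "Azure Risk Detection"]))
    # prints ['IdentityRiskEvent.Read.All']
```

With a real token, obtain it through the client-credentials flow for the app and pass its string to `missing_permissions`; an empty list means every permission for the chosen technologies has been granted and consented.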
Provide the following information to Cyderes to complete implementation:
- Identity (Azure Active Directory App)
  - Application (client) ID
  - Directory (tenant) ID
  - Secret ID
  - Secret Value
- Technologies to enable