Office 365 apps configuration

Hi all, I'm in the process of ingesting the Office 365 feed into Chronicle SIEM. I would like to know if there is guidance on how to configure apps on the Azure side. The Chronicle doc page forwards people to the Microsoft doc, Office 365 Management APIs; Microsoft explains the behavior of the settings, but it doesn't tell us which parameters satisfy the requirements for Chronicle feed ingestion.

Any Chronicle customer who has configured apps on Azure and can share their experience?

Best regards,

 


5 REPLIES

I think this link does the best job of explaining the API permissions that need to be configured in the app to gain access to the relevant data streams. I've used this with Chronicle and with Splunk previously, and it seems to work fine. Once the application is configured, you will set up 1-5 feeds in Chronicle for the different content types available from your O365 app. It is probably wise to have a specific application, with just the permissions mentioned in the link above, responsible for the data feeds.

https://learn.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-manag...

 

Thank you for pointing me to that.

@jstoner I may have another question about configuring Azure apps, this time more precise. In the API permissions, we have the choice of 2 permission types (delegated permissions or application permissions). Based on the Microsoft docs, application permissions might seem more appropriate for the integration (definition: permissions that enable the client app to authenticate as itself without user interaction or consent, such as an app used by background services or daemon apps).

  • Would it change anything if ActivityFeed.Read and ActivityFeed.ReadDlp are of one type or the other?
  • Is the type of permission important for feed ingestion?

Let me know if you have input about this. 

Thank you again for your help. 

 

I went back and double-checked my lab system, stripped out any signs of delegated permissions, and validated that I am ingesting Entra ID and O365 audit and sign-in events using application permissions. Your thought about service/daemon aligning with application scope is correct.

If I were in as delegated, that would be more like being in as a user with the permissions assigned to that user. This might be good for working with an inbox, for example, but not as good for audit streams.

 

Thank you again for the answer!
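The two points made in the replies above (one feed per Management Activity API content type, and application rather than delegated permissions for an unattended collector) can be checked from the app registration itself. The script below is an added example written for this thread; it is not code from the original posts, from Chronicle, or from Microsoft. It assumes a hypothetical app registration holding the application permissions ActivityFeed.Read and ActivityFeed.ReadDlp on the Office 365 Management APIs resource with admin consent granted, and that TENANT_ID, CLIENT_ID and CLIENT_SECRET are supplied as environment variables for a live run. It acquires a token with the client-credentials grant, inspects the token's claims to confirm the permissions were granted as application permissions (they arrive in the `roles` claim; delegated permissions arrive in `scp` and are bound to a signed-in user), then starts a subscription for each content type and lists what is active. The `make_sample_token` helper only builds a constructed, unsigned token so the claim check can be exercised offline.

```python
"""Check an Entra ID app registration for the Office 365 Management Activity
API and start the per-content-type subscriptions a SIEM feed reads.

Added example, not from the original thread. Hypothetical setup assumed:
  - app registration with *application* permissions ActivityFeed.Read and
    ActivityFeed.ReadDlp on "Office 365 Management APIs", admin-consented;
  - TENANT_ID, CLIENT_ID, CLIENT_SECRET set in the environment for a live run.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

MANAGE_API = "https://manage.office.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Content types exposed by the Management Activity API. A SIEM typically runs
# one feed (one subscription) per content type, hence "1-5 feeds".
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"]

# Application-permission names as they appear in the token's "roles" claim.
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}


def token_request_body(client_id, client_secret):
    """Client-credentials grant: the app authenticates as itself, no user."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MANAGE_API + "/.default",
    }).encode()


def decode_jwt_payload(token):
    """Read a JWT payload without verifying it. The API validates the token;
    we only inspect the claims to see which permission model they carry."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_permissions(claims):
    """Return (ok, message). Application permissions show up in "roles";
    delegated permissions show up in "scp", tied to a signed-in user, which
    is the wrong model for an unattended audit-feed collector."""
    if "roles" not in claims and "scp" in claims:
        return False, ("token carries delegated scopes (scp=%r); grant "
                       "application permissions instead" % claims["scp"])
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        return False, "missing application permissions: " + ", ".join(sorted(missing))
    return True, "application permissions present: " + ", ".join(sorted(REQUIRED_ROLES))


def subscription_url(tenant, action, content_type=None):
    """Build .../activity/feed/subscriptions/{start|stop|list}[?contentType=...]."""
    url = "%s/api/v1.0/%s/activity/feed/subscriptions/%s" % (MANAGE_API, tenant, action)
    if content_type:
        url += "?contentType=" + urllib.parse.quote(content_type)
    return url


def api_call(url, token, method="GET"):
    """Bearer-authenticated call; an already-enabled subscription comes back
    as HTTP 400, so surface the API's error body instead of crashing."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        return {"error": err.read().decode(errors="replace")}
    return json.loads(body) if body else {}


def make_sample_token(claims):
    """Constructed, unsigned token for offline testing only (not from Entra ID)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def main():
    tenant = os.environ["TENANT_ID"]
    body = token_request_body(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    ok, msg = check_permissions(decode_jwt_payload(token))
    print(msg)
    if not ok:
        sys.exit(1)
    for content_type in CONTENT_TYPES:
        result = api_call(subscription_url(tenant, "start", content_type), token, method="POST")
        print(content_type, result.get("status") or result.get("error"))
    active = api_call(subscription_url(tenant, "list"), token)
    print("active:", [s.get("contentType") for s in active] if isinstance(active, list) else active)


if __name__ == "__main__":
    main()
```

If the script reports delegated scopes, the permissions were added under "Delegated permissions" in the app registration (or admin consent was never granted for the application ones); fix that in the portal before creating the Chronicle feeds, since a delegated token would stop working as soon as the consenting user's session or account changes.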