Chronicle. Azure AD / O365 logs

What is the correct way to ingest Azure Active Directory logs into Google Chronicle? 
I am trying to use Azure Blob Storage and the Third Party API option but neither are working. 

Screenshot 2022-07-18 at 15.13.41.png

I have created an app in Azure, granted it the below permissions and then plugged the keys into Chronicle but to no avail. Am I missing a permission? Is there something obvious I might have missed? 

Here are the permissions my Azure App Registration has:

AuditLog.Read.All
AuthenticationContext.Read.All
AuthenticationContext.ReadWrite.All
IdentityRiskEvent.Read.All
IdentityRiskEvent.ReadWrite.All
IdentityRiskyServicePrincipal.Read.All
IdentityRiskyServicePrincipal.ReadWrite.All
IdentityRiskyUser.Read.All
IdentityRiskyUser.ReadWrite.All
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
User.Read
Office 365 Management APIs (3)
ActivityFeed.Read
ActivityFeed.ReadDlp
ServiceHealth.Read

@Nick_Troutini have you seen this? Any tips?

Update:

I am no longer getting "failed"; instead I have "active", but no Azure AD logs are turning up in Chronicle. I am certain the keys are correct and I've given the Azure App plenty of permissions. I suspect the Microsoft APIs have changed because I saw this warning:

Screenshot 2022-07-19 at 20.30.46.png

And also the API Content Types which Chronicle wants (see below) are no longer listed on the Azure App Registration permissions...

Screenshot 2022-07-19 at 20.33.04.png



To get the most out of your interactions, we recommend you ask specific technical questions like "how do I…" or "what does this error mean?" on StackOverflow or ServerFault. Please see the main Community Support page for a list of the tags we monitor.

If you have a reproducible bug or want to request a new feature, please visit our issue trackers on issuetracker.google.com. Somebody from Google will follow up there.

I will amend the original post to ask a direct question and also post to StackOverflow. Do I just tag the article for Google Staff attention to be grabbed? 

Having the same issue and already waiting a week for support to clarify. No visibility for us customers to see if and what is wrong, so you'll need a separate support ticket.

 

Not showing the HTTP error code or any error output is frustrating, I agree.
Which logs are you trying to get and what methods have you tried?
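Since the feed UI shows only "failed" or "active" and no HTTP status, the following stand-alone check (added here as an example; not code from Chronicle, Netenrich or Microsoft) exercises the app registration the same way a feed would and prints the status and error body of each step. It requests an app-only token for Microsoft Graph and for the Office 365 Management Activity API, decodes the token's `roles` claim to show which application permissions were actually consented, then calls one read endpoint on each API. The scopes and endpoints are Microsoft's public ones; the environment variable names `AZ_TENANT_ID`, `AZ_CLIENT_ID` and `AZ_CLIENT_SECRET` are chosen for this example, and when they are unset the script runs against a constructed offline transport with canned responses.

```python
# Probe an Azure app registration the way a Chronicle feed uses it and report
# the HTTP status and error body for each step (added example, not vendor code).
import base64, json, os, urllib.error, urllib.parse, urllib.request

# Microsoft's public scopes and one read endpoint per API used by the feeds in
# this thread: Graph for Azure AD sign-ins, Management Activity API for O365.
RESOURCES = {
    "graph": ("https://graph.microsoft.com/.default",
              "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1"),
    "o365": ("https://manage.office.com/.default",
             "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/list"),
}

def token_request(tenant_id, client_id, client_secret, scope):
    """Client-credentials token request as (url, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope}).encode()
    return url, body

def http_call(url, body=None, headers=None):
    """Live transport: (status, body_text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def decode_roles(access_token):
    """Granted application permissions appear in the token's `roles` claim;
    delegated permissions and permissions without admin consent do not."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    return sorted(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def probe(tenant_id, client_id, client_secret, call=http_call):
    """Per API: get a token, read its roles, call one endpoint; keep every status."""
    results = {}
    for name, (scope, endpoint) in RESOURCES.items():
        entry = {"token_status": None, "roles": [], "probe_status": None, "error": None}
        url, body = token_request(tenant_id, client_id, client_secret, scope)
        entry["token_status"], text = call(url, body,
                                           {"Content-Type": "application/x-www-form-urlencoded"})
        if entry["token_status"] != 200:
            entry["error"] = text[:300]
        else:
            token = json.loads(text)["access_token"]
            entry["roles"] = decode_roles(token)
            entry["probe_status"], text = call(endpoint.format(tenant=tenant_id), None,
                                               {"Authorization": f"Bearer {token}"})
            entry["error"] = None if entry["probe_status"] == 200 else text[:300]
        results[name] = entry
    return results

def diagnose(results):
    """Reduce raw results to the finding a feed operator needs."""
    findings = {}
    for name, r in results.items():
        if r["token_status"] != 200:
            findings[name] = f"token request failed (HTTP {r['token_status']}): {r['error']}"
        elif not r["roles"]:
            findings[name] = ("token carries no application roles: add permissions as "
                              "Application (not Delegated) and grant admin consent")
        elif r["probe_status"] != 200:
            findings[name] = f"HTTP {r['probe_status']} with roles {r['roles']}: {r['error']}"
        else:
            findings[name] = "ok"
    return findings

def constructed_jwt(claims):
    """Unsigned JWT for the offline demo (constructed; real tokens are signed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def constructed_transport(url, body=None, headers=None):
    """Constructed stand-in for http_call.  Scenario: the Graph token carries one
    role yet the endpoint denies; the O365 token is issued with no roles at all."""
    if "/oauth2/v2.0/token" in url:
        scope = urllib.parse.parse_qs(body.decode())["scope"][0]
        roles = ["AuditLog.Read.All"] if "graph" in scope else []
        return 200, json.dumps({"access_token": constructed_jwt({"roles": roles})})
    if "graph.microsoft.com" in url:
        return 403, json.dumps({"error": {"code": "Authorization_RequestDenied",
                                          "message": "constructed: insufficient privileges"}})
    return 403, json.dumps({"error": {"message": "constructed: application role missing"}})

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")]
    results = (probe(*creds) if all(creds)            # live check when credentials are set
               else probe("tenant", "app", "secret", call=constructed_transport))
    for name, finding in diagnose(results).items():
        print(f"{name}: {finding}")
```

A 200 from the token endpoint together with an empty `roles` claim is the pattern behind a feed that reports "active" yet delivers nothing: the secret is right and a token is issued, but it carries no application permissions, which is what you get when the permissions were added under Delegated instead of Application, or admin consent was never granted. A 403 from the endpoint while the token does list roles means the granted set is not the one that endpoint requires, and the returned error body (which this script prints and the feed UI does not) names the denial.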



Hi, are you still facing this issue?

Hi Rene, 

I'm facing the same issues, with error 403 using the Chronicle Third Party API.


References:
Azure AD logs via Third Party API – Netenrich
O365 logs via Third Party API – Netenrich

Hi! 

There are certain permissions that must be set on the Microsoft side for Chronicle to pull data. You can see those permissions in our documentation:

https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad

https://cloud.google.com/chronicle/docs/reference/feed-management-api#office-365

Also, we suggest not whitelisting the connections on the Microsoft side. If whitelisting is required, then all of Google's IP space must be whitelisted.

https://support.google.com/a/answer/10026322?hl=en