Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuration of Microsoft Azure at portal.azure.com (Office 365)

Owned by Customer Success & Engineering
Last updated: Apr 21, 2023
5 min read

Overview:

We are providing you with the steps to integrate your Office-365 with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine). In this document, we are guiding you through the steps for Log and Netflows forwarding.

Steps of configuration:

 

Configuration on Azure Portal:

Step 1: Login to Microsoft Azure portal.

 

Step 2: Now click on three horizontal lines at the top on the left & click on Azure Active Directory.

Step 3: Now click on App Registration as you can see below.

 Step 4: Here, you need to click on New Registration for the new app creation.

Step 5: Name the new app and select Supported account types to Accounts in this organizational directory only as it is shown below.

Please put your primary domain in section of redirect URI’s.

Now click on Register you will find below.

Step 6: Now, Go to Redirect URI and tick out the ID tokens and save.

Step 7:  Now click on Certificates & Secrets.

Step 8: You need to add New Client secret as given below.

Step 9: Select and add Expiration year.

Step 10: Now copy the Value and Secret ID and save it in another place. It will disappear after jumping on another page.

Step 11: Now go to the API permission tab as given below:

Step 12: Add permission.

Step 13: Click on the Microsoft Graph.

Step 14: Select the Application Permission.

Step 15: Search the keyword Audit and give the permission to AuditLog.Read.All then click on Add permission button.

Step 16: Again follow step 12 & step 13, search the keyword User.Read.All and give the permission to User.Read.All then Add permission button.

Step 17: Follow step 12 & step 13 then search the keyword Mail.Read and Security.events give the permission to Mail.Read and security.events.read.all then click on Add permission button.

 Step 18: Follow step 12 and Click on the Office 365 Management APIs.

Step 19: On Office 365 Management API click on Application Permissions.

Step 20: Add permissions to ActivityFeed.Read

 

Step 21: Add Security events permission to get the Microsoft defender logs.

 

 

Step 22: Select the Application Permission & search for SecurityEvents.Read.all.

Step 23: Now you need to Grant admin consent and click on Yes.

 

Step 24: Check if all the permissions are granted or not.

Note:

URLs need to be allowed from the Firewall:

  1. http://graph.microsoft.com

  2. manage.office.com

  3. login.microsoftonline.com

  4. login.windows.net

Compulsory CREDENTIALS we need :

  1. Client ID

  2. Tenant ID

  3. Client Secret (You will get this under certificate and secret page client secret value.)

  4. Primary Domain (Tenant Domain) (You will get the primary domain details in overview of Azure Active directory portal)

Note: The port used to get logs is 443.

Configuration on Seceon GUI:

 Step 1: Go to Provisioning Tab --> Cloud Devices --> Azure Configuration then click on Add, Choose Azure AD / Office 365 (E1 or E3).

 

Step 2: Fill the required fields as shown below:

Note : For - Tenant ID , Primary Domain (Tenant Domain), you can get this from Seceon Overview

Step 3: Save

Verification:

Go into the system tab then logs flow collection status--

 

Seceon Inc. All rights reserved. https://www.seceon.com