...

Note

You need Admin-level permissions in the Azure portal, because the setup below requires granting admin consent for API permissions, configuring authentication, and reading audit logs.

Action 1: Register and configure the application

  1. Go to the Azure portal and click Azure Active Directory.

  2. Click App registrations in the left menu, then click + New registration.

  3. On the Register an application page:

    1. Name the application.

    2. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox). If the collector will only ever authenticate against your own tenant with its client secret, Accounts in this organizational directory only (Single tenant) is the least-privilege choice and works with the client-credentials flow the collector uses.

    3. Leave Redirect URI (optional) blank.

    4. Click Register.

  4. The App registrations page opens. Click your app to configure it and grant it permissions; its overview page shows the app's details (documentation links, endpoints, and so on).

  5. Click Authentication in the left menu, then choose + Add a platform and select Mobile and desktop applications.

  6. Select the three redirect URIs:

    • https://login.microsoftonline.com/common/oauth2/nativeclient

    • https://login.live.com/oauth20_desktop.srf

    • msale36f3a02-3eef-437b-874e-8a0aa29a2bf0://auth (the portal builds this URI from your own app's Client ID, so the GUID will differ from the one shown here)

  7. Click Configure.

Action 2: Grant the required permissions

  1. Go to API permissions in the left menu.

  2. If Microsoft Graph is not already in the list, click + Add a permission and select Microsoft Graph.

  3. Select Application permissions and check SecurityEvents.Read.All.

  4. Also check AuditLog.Read.All, Directory.Read.All and User.Read.All, then click Add permissions. All four should now appear in the list with Application as their type (not Delegated).

  5. Click Grant admin consent for <your tenant> and confirm; the Status column changes to Granted. Until consent is granted, the token the collector obtains does not carry these permissions as roles and Graph rejects the requests with 403.

Info

You only need to grant a permission if you are going to use the resource it protects. Application permissions are tenant-wide and not tied to any user, so grant no more than the services you enable require. See the Permissions reference per service section for a breakdown of each resource and the permissions it needs.

Action 3: Obtain the required credentials for the collector

  1. Go to Certificates & secrets, click + New client secret, give it a description and an expiry, and click Add. Copy the Value column (not the Secret ID).

  2. Go to Overview and copy the Directory (tenant) ID and the Application (client) ID.

Note

The secret value is shown only once. If you did not copy it, delete that secret and create a new one. Treat it like a password: together with the tenant and client IDs it grants the tenant-wide application permissions above without any user involvement, so keep it in a secrets store rather than in version control, and note the expiry date so you can rotate it before the collector stops authenticating.
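Before wiring the three values into the collector, it is worth checking that the registration actually works: that the tenant ID, client ID and secret yield a token, and that the token carries all four application permissions in its roles claim (admin consent that was skipped, or a permission added as Delegated instead of Application, shows up as a missing role). The script below is an added example and is not part of the collector or of Microsoft's tooling. The login and Graph hosts it derives from a top-level domain value ("com" or "us") are our assumption based on the public Azure and GCC High endpoints, not the collector's own logic, and the unsigned token it builds for local testing is constructed.

```python
"""Pre-flight check for the app registration: get a client-credentials token
and verify that every required application permission appears as a role.

Added example, not collector or Microsoft code. The token payload is decoded
WITHOUT signature verification: we only inspect it locally, Graph verifies it.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions granted in the permissions step (portal names).
REQUIRED_ROLES = (
    "SecurityEvents.Read.All",
    "AuditLog.Read.All",
    "Directory.Read.All",
    "User.Read.All",
)

# ASSUMPTION: host suffix per override_top_level_domain value ("com" = commercial
# cloud, "us" = GCC High). Anything else must come through explicit overrides.
CLOUD_HOSTS = {
    "com": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "us": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}


def endpoints(top_level_domain="com", override_login_url=None, override_base_url=None):
    """Return (login_url, graph_base_url); explicit overrides win over the TLD."""
    login, graph = CLOUD_HOSTS.get(top_level_domain, (None, None))
    login = override_login_url or login
    graph = override_base_url or graph
    if not login or not graph:
        raise ValueError(f"unknown top-level domain {top_level_domain!r} and no overrides given")
    return login, graph


def token_request(tenant_id, client_id, client_secret, login_url, graph_url):
    """Build the OAuth2 client-credentials request as (url, form body, headers)."""
    url = f"{login_url}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # /.default requests every application permission that has admin consent.
        "scope": f"{graph_url}/.default",
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: local inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims, required=REQUIRED_ROLES):
    """Required permissions absent from the token's app-role claim (none = all good)."""
    granted = set(claims.get("roles", []))  # claim is absent when nothing is consented
    return [role for role in required if role not in granted]


def unsigned_token(claims):
    """Constructed, unsigned JWT for exercising jwt_claims() offline (fake signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def preflight(tenant_id, client_id, client_secret, top_level_domain="com"):
    """Live check: fetch a token and return the required roles it lacks."""
    login, graph = endpoints(top_level_domain)
    url, body, headers = token_request(tenant_id, client_id, client_secret, login, graph)
    with urllib.request.urlopen(urllib.request.Request(url, body, headers)) as resp:
        token = json.load(resp)["access_token"]
    return missing_roles(jwt_claims(token))


if __name__ == "__main__":
    # Credentials come from the environment so the secret never lands in shell history.
    missing = preflight(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                        os.environ["CLIENT_SECRET"], os.environ.get("TLD", "com"))
    print("all required roles present" if not missing else f"missing roles: {missing}")
    sys.exit(1 if missing else 0)
```

Run it as `TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... python preflight.py` (add `TLD=us` for GCC High). A non-zero exit with role names listed means consent is missing or a permission was added at the wrong level; go back to the permissions step rather than to the collector config. The same `endpoints` mapping is what the `override_top_level_domain` / `override_base_url` / `override_login_url` settings in the 2.0.0 configuration control.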

...

2.0.0 Configuration (inputs)

inputs:
  microsoft_graph_audit:
    id: <short_unique_id>
    enabled: true
    credentials:
      tenant_id: <tenant_id_value>
      client_id: <client_id_value>
      client_secret: <client_secret_value>
    environment: <environment_value>
    override_top_level_domain: <override_top_level_domain_value>
    override_base_url: <override_base_url_value>
    override_login_url: <override_login_url_value>
    override_scope_value: <override_scope_value_value>
    services:
      directory_audits:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
      provisioning_audits:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
      signIns:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
      signIns_v2:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
  microsoft_graph_security:
    id: <short_unique_id>
    enabled: true
    credentials:
      tenant_id: <tenant_id_value>
      client_id: <client_id_value>
      client_secret: <client_secret_value>
    environment: <environment_value>
    override_top_level_domain: <override_top_level_domain_value>
    override_base_url: <override_base_url_value>
    override_login_url: <override_login_url_value>
    override_scope_value: <override_scope_value_value>
    services:
      secure_score_control_profiles:
        request_period_in_seconds: <request_period_in_seconds_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
      secure_scores:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
      alerts:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>
      alerts_v2:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time_in_utc: <start_time_in_utc_value>
        additional_filter: <additional_filter_value>
        override_tag: <override_tag_value>
        override_query_window_max_seconds: <override_query_window_max_seconds_value>

Config file changes

  • The URL endpoint settings (override_base_url_main, override_base_url_vendor, override_base_url_vendor_with_sub_provider, override_login_url) have been moved from the individual services to the global configuration section.

  • override_base_url_main has been renamed to override_base_url.

  • tag_version has been removed.

  • pull_sliding_window_timespan_period has been removed.

  • reset_persistence_auth has been removed.

  • override_time_delta_in_days has been removed.

  • ms_365_environment has been replaced by override_top_level_domain. GCC High Gov tenants should set override_top_level_domain to us. Alternatively, set override_base_url to the GCC High Gov Graph base URL explicitly.

  • additional_filter has been added to all services. Users can use this field to specify additional filters that will be applied when querying the Microsoft Graph API.

  • Sign-in collection now uses the Graph beta endpoint. The sign-in log types that used to be collected by a separate service each have been consolidated into one service, signIns_v2. Remove the three old sign-in services from your config and use only signIns_v2.

  • start_time has been renamed to start_time_in_utc.
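The list above is a rename-and-move recipe, which is exactly the kind of edit that goes wrong by hand on a large config (a URL override left behind in one service, a start_time missed, two services that disagreed on a base URL silently collapsed into one). The function below is an added example, not the collector's own migration tooling: it takes a 1.x config as a parsed dict (yaml.safe_load in, yaml.safe_dump out) and applies every change listed. The page does not say which level override_time_delta_in_days lived at, which values ms_365_environment accepted, or what the three old sign-in services were called, so those are handled as assumptions: removed keys are dropped at both levels, the environment-to-domain mapping and the legacy service names are supplied by the caller, and the constructed sample config uses stand-in service names.

```python
"""Migrate a 1.x Microsoft Graph collector config to the 2.0.0 layout.

Added example, not the collector's migration tool. Works on the parsed YAML
(a dict) so it can sit between yaml.safe_load and yaml.safe_dump.
"""
import copy

# Keys the 2.0.0 changelog removes. The page does not say at which level
# override_time_delta_in_days lived, so every key is dropped at both levels.
REMOVED_KEYS = (
    "tag_version",
    "pull_sliding_window_timespan_period",
    "reset_persistence_auth",
    "override_time_delta_in_days",
)
# Per-service URL keys hoisted to the global section (override_base_url_main is renamed).
HOISTED_URL_KEYS = {
    "override_base_url_main": "override_base_url",
    "override_base_url_vendor": "override_base_url_vendor",
    "override_base_url_vendor_with_sub_provider": "override_base_url_vendor_with_sub_provider",
    "override_login_url": "override_login_url",
}
# ASSUMED names for the old ms_365_environment values; only "GCC High -> us" is from the page.
ENV_TO_TLD = {"commercial": "com", "gcc_high": "us"}

# Constructed 1.x config. The three old sign-in service names are stand-ins:
# the page says there were three but does not name them.
LEGACY_SIGNIN_SERVICES = ("legacy_signin_a", "legacy_signin_b", "legacy_signin_c")
SAMPLE_1X = {
    "id": "graph01",
    "enabled": True,
    "tag_version": "v1",
    "reset_persistence_auth": False,
    "ms_365_environment": "gcc_high",
    "credentials": {"tenant_id": "t", "client_id": "c", "client_secret": "s"},
    "services": {
        "directory_audits": {
            "override_base_url_main": "https://graph.microsoft.us",
            "override_login_url": "https://login.microsoftonline.us",
            "start_time": "2024-01-01T00:00:00Z",
            "override_time_delta_in_days": 7,
        },
        "legacy_signin_a": {"override_base_url_main": "https://graph.microsoft.us",
                            "start_time": "2024-02-01T00:00:00Z"},
        "legacy_signin_b": {"start_time": "2024-01-15T00:00:00Z", "override_tag": "signin"},
        "legacy_signin_c": {"request_period_in_seconds": 600},
    },
}


def migrate(old, legacy_signin_services, env_to_tld=ENV_TO_TLD):
    """Return a new 2.0.0-shaped dict; the input dict is left untouched."""
    new = copy.deepcopy(old)
    for key in REMOVED_KEYS:
        new.pop(key, None)
    env = new.pop("ms_365_environment", None)
    if env is not None:
        new["override_top_level_domain"] = env_to_tld[env]  # unknown value: fail loudly
    services = new.setdefault("services", {})
    for name, svc in services.items():
        for old_key, new_key in HOISTED_URL_KEYS.items():
            if old_key in svc:
                value = svc.pop(old_key)
                # Two services disagreeing on a URL cannot share one global value.
                if new.get(new_key, value) != value:
                    raise ValueError(f"{name}: {old_key}={value!r} conflicts with {new[new_key]!r}")
                new[new_key] = value
        for key in REMOVED_KEYS:
            svc.pop(key, None)
        if "start_time" in svc:
            svc["start_time_in_utc"] = svc.pop("start_time")
    # Collapse the old sign-in services into signIns_v2. The earliest start time
    # wins so no window is lost (ISO-8601 UTC strings of one format compare as
    # text); every other key keeps the first value seen.
    legacy = [services.pop(n) for n in legacy_signin_services if n in services]
    if legacy:
        merged = {}
        for svc in legacy:
            for key, value in svc.items():
                if key == "start_time_in_utc" and key in merged:
                    merged[key] = min(merged[key], value)
                else:
                    merged.setdefault(key, value)
        services["signIns_v2"] = merged
    return new
```

The conflict check is deliberate: a 1.x file where one service pointed at the commercial cloud and another at GCC High cannot be expressed with a single global override_base_url, and raising is better than quietly migrating one of them to the wrong cloud. Review the merged signIns_v2 block before deploying, since the first-value-wins rule for additional_filter and override_tag may not be what you want.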

Persistence changes

The persistence object consists of the following fields: persistence_version, last_event_time_in_utc, last_ids, and next_link.

...