Using Microsoft Graph

Learn how to register an application in the Microsoft Azure portal so that it can use the Microsoft Graph REST API.

To understand how the ThreatLockDown Azure module works together with the Microsoft Graph REST API, it helps to first know what the Microsoft Entra ID activity reports are and what information they provide. ThreatLockDown can process the logs of the following Microsoft Entra ID activity reports; each one requires a different Graph query:

Report type         Query

Directory audits    auditLogs/directoryAudits

Sign-ins            auditLogs/signIns

Provisioning        auditLogs/provisioning

Azure configuration

Creating the application

This section explains how to create an application that will use the Microsoft Graph REST API. It is also possible to configure an existing application; if that is the case, skip this step.

In the Microsoft Entra ID panel, select the option App registrations. Then, select New registration.

Giving permissions to the application

  1. Go to the Overview section and save the Application (client) ID; it is needed later for authentication.

  2. Go to the API permissions section and select Add a permission.

  3. Select the API by searching for "Microsoft Graph".

  4. Under Application permissions, select the permissions that match your infrastructure. In this case, the AuditLog permissions (for example AuditLog.Read.All) are granted. Then click Add permissions.

  5. Grant admin consent for the tenant domain for the permissions added in the previous step. This must be done by an administrator; without consent, token requests succeed but Graph queries return 403 Forbidden.

Obtaining the application key for authentication

Select Certificates & secrets, create a new client secret and fill in the Description and Expires fields. Copy the Value column as soon as the secret is saved: it is shown only once and cannot be retrieved afterwards. This secret is required to authenticate the application against the Microsoft Graph API. Note the expiry date, because the module stops collecting logs once the secret expires and a new one must be generated.

ThreatLockDown configuration

azure-logs module configuration

Proceed with configuring the azure-logs module in the local configuration (ossec.conf). The key and ID of the application saved during the previous steps will be used here. In this case, both fields were saved in a file for authentication.

Here is an example of how to get the Microsoft Entra ID audit log using Microsoft Graph. The configuration includes a representative tag and is scheduled for every Monday at 02:00 with an offset of one day, which means only the log data from the last day is parsed. The tag is attached to every collected record as the azure_tag field, so it must match the value that the ThreatLockDown rules check:

<wodle name="azure-logs">

    <disabled>no</disabled>
    <wday>Monday</wday>
    <time>2:00</time>
    <run_on_start>no</run_on_start>

    <graph>

        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>azure-ad-graph</tag>
            <query>auditLogs/directoryAudits</query>
            <time_offset>1d</time_offset>
        </request>

    </graph>

</wodle>

Check the azure-logs module reference for more information about how to use the different parameters available.

Note

If an authentication file is used, as in this example, its content must follow the format field = value. Here is an example of this format:

application_id = 317...764
application_key = wUj...9cj

Warning

The tenantdomain field is mandatory. It is the tenant's primary domain (for example wazuh.onmicrosoft.com) and can be obtained from the Overview section in Microsoft Entra ID.
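The following script is an added example, not part of the ThreatLockDown module or this page, that shows what the configuration above amounts to at the protocol level: it parses a credentials file in the field = value format from the Note, requests a client-credentials token for the tenant domain, builds the Graph query for auditLogs/directoryAudits with a filter equivalent to time_offset, and follows @odata.nextLink pagination. The credentials sample is constructed from the truncated values on this page; the offset syntax (number plus d/h/m), the comment handling in the credentials parser and the choice of date field per query are assumptions of this example, not documented module behaviour.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://graph.microsoft.com/v1.0/"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample in the credentials-file format (field = value).
# The '#' comment line is an assumption of this parser, not of the module.
SAMPLE_CREDENTIALS = """\
# Application registered under "App registrations" (constructed sample)
application_id = 317...764
application_key = wUj...9cj
"""


def parse_credentials(text):
    """Parse 'field = value' lines into a dict; blank and '#' lines are skipped."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed credentials line: {raw!r}")
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip()
    for required in ("application_id", "application_key"):
        if not creds.get(required):
            raise ValueError(f"missing {required} in credentials file")
    return creds


def parse_offset(offset):
    """'1d', '12h', '30m' -> timedelta. Unit letters are an assumption here."""
    units = {"d": "days", "h": "hours", "m": "minutes"}
    if len(offset) < 2 or offset[-1] not in units or not offset[:-1].isdigit():
        raise ValueError(f"bad time_offset: {offset!r}")
    return timedelta(**{units[offset[-1]]: int(offset[:-1])})


def build_query_url(query, offset, now=None):
    """Graph URL for a report query, filtered to records newer than now - offset.

    signIns records are stamped with createdDateTime; directoryAudits and
    provisioning records with activityDateTime.
    """
    now = now or datetime.now(timezone.utc)
    since = (now - parse_offset(offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
    field = "createdDateTime" if query.lower() == "auditlogs/signins" else "activityDateTime"
    params = urllib.parse.urlencode({"$filter": f"{field} ge {since}"})
    return f"{GRAPH_BASE}{query}?{params}"


def get_token(tenant, creds):
    """OAuth2 client-credentials grant; the scope asks for all consented app permissions."""
    data = urllib.parse.urlencode({
        "client_id": creds["application_id"],
        "client_secret": creds["application_key"],
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=data) as resp:
        return json.load(resp)["access_token"]


def fetch_all(url, token):
    """Collect every page of results by following @odata.nextLink."""
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError 403 if consent is missing
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


if __name__ == "__main__":
    # Network part: uses the same path and tenant as the ossec.conf example.
    with open("/var/ossec/wodles/azure/credentials") as fh:
        creds = parse_credentials(fh.read())
    token = get_token("wazuh.onmicrosoft.com", creds)
    for record in fetch_all(build_query_url("auditLogs/directoryAudits", "1d"), token):
        print(json.dumps(record))
```

Running the script prints one JSON record per line, which is the shape the json decoder of the ruleset expects; the offline functions (credentials parsing, offset and URL construction) can be exercised without a tenant.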

Microsoft Graph use case

Here is an example of monitoring Microsoft Entra ID activity using the configuration described above.

ThreatLockDown Rules

In this example, the records are in JSON format. The following rule is already included in ThreatLockDown, so alerts are generated for the logs in this example as long as the tag configured in the request equals the azure_tag value the rule checks:

<rule id="87802" level="3">
    <decoded_as>json</decoded_as>
    <field name="azure_tag">azure-ad-graph</field>
    <description>Azure: AD $(activity)</description>
</rule>
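To show what the rule above keys on, here is an added example (not ThreatLockDown's rule engine) that applies its three conditions, JSON decoding, the azure_tag match and the $(activity) expansion, to constructed records. The second record uses a different tag and therefore produces no alert, which is the failure mode of a request tag that does not match the rule. The records are constructed; the field name activity follows the rule text, whereas raw Graph directoryAudits entries carry the operation name in activityDisplayName.

```python
import json
import re

# Rule 87802 as shown on this page, reduced to the fields the matcher needs.
RULE_87802 = {
    "id": 87802,
    "level": 3,
    "decoded_as": "json",
    "field": "azure_tag",
    "value": "azure-ad-graph",
    "description": "Azure: AD $(activity)",
}

# Constructed records: what a collected directoryAudits event might look like
# once the module has attached azure_tag (field names are assumptions).
SAMPLE_LINES = [
    json.dumps({"azure_tag": "azure-ad-graph", "log_source": "graph",
                "activity": "Add user", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "admin@wazuh.onmicrosoft.com"}}}),
    # Same event, but collected under a request tag the rule does not match.
    json.dumps({"azure_tag": "microsoft-entra_id", "log_source": "graph",
                "activity": "Add user", "result": "success"}),
    # Not JSON at all: <decoded_as>json</decoded_as> rejects it.
    "Jan  8 02:00:01 host azure-logs: not a JSON record",
]


def render(template, event):
    """Expand $(field) placeholders from the decoded event; unknown fields stay literal."""
    return re.sub(r"\$\((\w+)\)",
                  lambda m: str(event.get(m.group(1), m.group(0))), template)


def evaluate(line, rule=RULE_87802):
    """Return an alert dict if the rule matches the line, otherwise None."""
    try:
        event = json.loads(line)
    except ValueError:
        return None  # decoded_as json fails
    if not isinstance(event, dict) or event.get(rule["field"]) != rule["value"]:
        return None  # azure_tag does not match the rule
    return {"rule_id": rule["id"], "level": rule["level"],
            "description": render(rule["description"], event)}


def run(lines, rule=RULE_87802):
    """Evaluate every line; the list keeps None for lines that raised no alert."""
    return [evaluate(line, rule) for line in lines]


if __name__ == "__main__":
    for line, alert in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        print(alert or "no alert", "<-", line[:60])
```

Only the first record raises "Azure: AD Add user"; if you prefer to keep a custom tag such as microsoft-entra_id, the rule (or a local copy of it) has to check that value instead.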

Create a new user

Create a new user in Microsoft Entra ID. If the creation succeeds, an audit record is written to reflect it. This record can be retrieved with the auditLogs/directoryAudits query.

Azure portal visualization

The resulting log from the user creation can be checked in the Audit logs section of Microsoft Entra ID.

ThreatLockDown dashboard visualization

Once the integration is running, the results will be available in the ThreatLockDown dashboard.