Importing Azure AD information into your SIEM solution:
Written by Kevin Saye
SIEM = Security Incident and Event Management
Overview:
When leveraging cloud solutions, security organizations are concerned about losing visibility into security events.
With “Azure Active Directory Reporting API”, discussed here: http://azure.microsoft.com/en-us/documentation/articles/active-directory-reporting-api-getting-started/, organizations can have full, API level access to SIEM level events.
This blog illustrates how to integrate your existing SIEM solution with Azure Active Directory Reporting API by exporting events to text/json/xml files.
Delegating Access in Azure AD:
In order to authenticate to the Reporting API, we must use the OAuth flow, which requires us to register an application with Azure AD.
Create an application
Navigate to the Azure Management Portal
Navigate into your directory
Navigate into applications
On the bottom bar, click "Add".
Click "Add an application my organization is developing".
Name: Any name is fine. Something like "Reporting API Application" is recommended.
Type: Select "Web application and/or Web API"
Click the arrow to move to the next page
Sign-on URL: http://localhost
App ID URI: http://localhost
Click the checkmark to finish adding the application.
Give your application permission to use the API
Navigate to the Applications tab.
Navigate to your newly created application.
Navigate to the Configure tab.
In the "Permissions to Other Applications" section:
Add Windows Azure Active Directory > Application Permissions > enable "Read directory data"
Add Windows Azure Service Management API > Delegated Permissions > enable "Access Azure Service Management"
Click "Save" on the bottom bar.
Get your directory ID, client ID, and client secret
Find your application's client ID and client secret. You will also need to know your tenant name; it can be either your *.onmicrosoft.com domain or a custom domain name. Copy these into a separate place; you'll use them to modify the script.
Application Client ID
Navigate to the Applications tab.
Navigate to your newly created application.
Navigate to the Configure tab.
Your application's client ID is listed on the Client ID field.
Application Client Secret
Navigate to the Applications tab.
Navigate to your newly created application.
Navigate to the Configure tab.
Generate a new secret key for your application by selecting a duration in the "Keys" section.
The key will be displayed upon saving. Make sure to copy it, because there is no way to retrieve it later.
Modifying the Script:
The PowerShell script is illustrated below. Replace $ClientID, $ClientSecret and $tenantdomain with the correct values from “Delegating Access in Azure AD”.
<Code>
# This script requires the Web Application and permissions set up in Azure Active Directory
$ClientID = "<< Your Client ID Here>>"           # Should be a ~35 character string; insert your info here
$ClientSecret = "<< Your Client Secret Here >>"  # Should be a ~44 character string; insert your info here
$loginURL = "https://login.windows.net"
$tenantdomain = "<< Your Tenant Domain Here>>"
$resource = "https://graph.windows.net"          # The API the token is requested for (Azure AD Graph)
# Get an OAuth 2 access token based on client id, secret and tenant domain
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
if ($null -ne $oauth.access_token) {
    $headerParams = @{'x-ms-version'='2013-08-01';'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
    # Returns an XML document listing all the reports; not used, but kept for reference
    #$allReports = (Invoke-WebRequest -Headers $headerParams -Uri "https://graph.windows.net/$tenantdomain/reports/`$metadata")
    #$allReports.Content | Out-File AllReports.xml
    # Returns a JSON document for the "accountProvisioningEvents" report
    $myReport = (Invoke-WebRequest -Headers $headerParams -Uri "https://graph.windows.net/$tenantdomain/reports/accountProvisioningEvents?api-version=beta")
    Write-Host $myReport.Content
    # To output the JSON, use the following line
    $myReport.Content | Out-File -FilePath accountProvisioningEvents.json -Force
    # To output the content as a name/value list
    ($myReport.Content | ConvertFrom-Json).value | Out-File -FilePath accountProvisioningEvents.txt -Force
    # To output the content in XML, use the following line
    (($myReport.Content | ConvertFrom-Json).value | ConvertTo-Xml).InnerXml | Out-File -FilePath accountProvisioningEvents.xml -Force
} else {
    Write-Host "ERROR: No Access Token"
}
</Code>
Executing the Script:
Comment out the file formats you do not want and schedule the code to run as needed. Once the files are created, configure your SIEM solution to include these files.
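When the script runs on a schedule, each run re-downloads the whole report, so the SIEM would ingest the same events repeatedly. The following added example (not part of the original post) writes one JSON object per line, which most SIEM file readers expect, and keeps a small state file so only events newer than the previous run are exported; the event field name "timestamp" and the sample report body are assumptions, so check them against the real report schema.

```powershell
function Export-ReportEvents {
    param(
        [Parameter(Mandatory)][string]$ReportJson,   # raw body of the report response
        [Parameter(Mandatory)][string]$OutFile,      # newline-delimited JSON consumed by the SIEM
        [Parameter(Mandatory)][string]$StateFile     # remembers the newest timestamp already exported
    )
    # Timestamp of the last exported event from the previous scheduled run (none on first run)
    $lastSeen = [datetime]::MinValue
    if (Test-Path $StateFile) {
        $lastSeen = [datetime]::Parse((Get-Content $StateFile -Raw).Trim())
    }

    # Keep only events newer than the state, oldest first so the SIEM sees them in order
    $events = ($ReportJson | ConvertFrom-Json).value
    $new = @($events | Where-Object { [datetime]$_.timestamp -gt $lastSeen } |
                       Sort-Object { [datetime]$_.timestamp })

    foreach ($e in $new) {
        # -Compress gives a single line per event
        ($e | ConvertTo-Json -Compress) | Out-File -FilePath $OutFile -Append -Encoding utf8
    }

    # Advance the state only if something was written; "o" is a round-trippable format
    if ($new.Count -gt 0) {
        ([datetime]$new[-1].timestamp).ToString("o") | Out-File -FilePath $StateFile -Force
    }
    return $new.Count
}

# Constructed sample report body; the real field names may differ
$sample = @'
{ "value": [
  { "timestamp": "2015-03-01T10:00:00Z", "eventType": "Add",    "userName": "alice@contoso.onmicrosoft.com" },
  { "timestamp": "2015-03-01T11:30:00Z", "eventType": "Delete", "userName": "bob@contoso.onmicrosoft.com" }
] }
'@

$count = Export-ReportEvents -ReportJson $sample `
                             -OutFile "accountProvisioningEvents.ndjson" `
                             -StateFile "accountProvisioningEvents.state"
Write-Host "Exported $count new events"
```

Running the block a second time with the same sample exports zero events, because the state file now holds the newest timestamp; in the real script, pass $myReport.Content as -ReportJson.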