Preparing Azure AD (Office 365) for SIEM Integration – Part 1

Office 365 (O365) allows customers to host their Office solution in the Microsoft cloud. With the proper credentials and configuration, it’s possible for the LogRhythm System Monitor to collect O365 management events from the following applications through the Office 365 Management Activity API:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory (Azure AD)

For a while now, I had tried to get LogRhythm SIEM to integrate with Office 365 and Azure to leverage visibility across the cloud services.

After spending a couple of days and collecting information from different sites and the LogRhythm help, I was finally successful.

In this first part we will focus on the Azure part of the integration which is more or less vendor agnostic and can be used for general integration with Azure. We will also collect the information needed for part 2 of the guide, where we will connect LogRhythm to Azure.

Microsoft Office 365 Log Collection

Prerequisites

Before starting to configure collection from O365, you must do the following:

  • Ensure you have an O365 account with admin access
  • Ensure you have an Azure AD account with admin access that is tied to the O365 account

Configuration Overview

This section provides a summary of the procedures required to configure collection from O365.

Enable Auditing

Enable Auditing for SharePoint, OneDrive, and Azure AD
  1. Go to the Office 365 portal (https://portal.office.com)
  2. Log in with your O365 administrator account
  3. Click the Admin app
  4. On the left-side menu, click Admin centers, and then click Security & Compliance
  5. On the left-side menu, click Search & investigation, and then click Audit log search
  6. Under the Audit log search heading, click the Start recording user and admin activities link
  7. In the Start recording user and admin activities dialog box, click Turn On
    An additional dialog box may appear requiring you to update your organization, click Yes


    Note: If you do not see the Start recording user and admin activities link, then auditing for SharePoint, OneDrive, and Azure AD has already been enabled.
Enable Auditing for Exchange
  1. Open Windows PowerShell on your local system, and then run the following command:
    $UserCredential = Get-Credential
  2. In the Windows PowerShell Credential Request dialog box, type your O365 user name and password, and then click OK
  3. To open the credentials prompt for O365, run the following commands:
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    
    Import-PSSession $Session
  4. To enable the admin audit log, run the following command:
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  5. To get all mailboxes, run the following command:
    $Mailboxes = (Get-Mailbox)
  6. To group mailboxes by what is enabled, run the following commands:
    $Group = $Mailboxes | Group-Object AuditEnabled,AuditDelegate | Select-Object "Name","Count",@{Name="Account"; Expression={ $_.Group.Identity }}
    
    $Group | Format-Table -AutoSize
  7. To audit everything from every mailbox, run the following command:
    (Get-Mailbox).Identity | % { Set-Mailbox -Identity $_ -AuditDelegate SendAs,SendOnBehalf,Create,Update,SoftDelete,HardDelete -AuditEnabled $true }
    

    Note: Larger enterprises may want to filter the target mailbox into smaller batches.

Important: When you’re finished, disconnect the remote PowerShell session by running the following command:

Remove-PSSession $Session

Failure to disconnect could use up all your available remote PowerShell sessions, forcing you to wait for the sessions to expire.

Register an Application with Azure AD

Open the Azure AD Portal

Note: These steps reference the version of the Azure AD portal released in 2016. If you are still using the older version of the Azure portal, please refer to https://msdn.microsoft.com/EN-US/library/dn707383.aspx for more information on registering your application.

  1. On the left-side menu in the Office 365 portal Admin app, click Admin centers, and then click Azure AD
  2. On the left-side menu, click Azure Active Directory then App registrations.
    In the top menu click New application registration
Create an Application
  1. Complete the fields on the right side of the page:
    • Name the application
    • (Optional) Select an application type from the drop-down menu
    • Provide a sign-on URL – for example, https://logrhythm.com/
      (the URL is not used by the API so it can be set to anything)
  2. Click Create

Your new application should appear under the Display Name header

Add O365 Management API Permissions

  1. Click the name of your application under the Display Name header
  2. Click Setting or All settings
  3. Under the API Access header, click Required permissions
  4. Click Add
  5. Under Add API access, click Select an API

  6. Under Select an API, click Office 365 Management APIs, and then click Select

  7. Under both Application Permissions and Delegated Permissions, select the following check boxes:
    • Read DLP policy events including detected sensitive data
    • Read activity data for your organization
    • Read service health information for your organization
  8. Click Select, and then click Done

  9. Verify that your changes have been saved on the Required permissions page
  10. Still on the Required permissions page, click Grant Permissions
  11. Click Yes to apply the permissions to the application

Generate Keys

  1. On the Settings page, under API Access, click Keys

  2. Name your key in the Description box, and then select an expiration preference from the Expires drop-down menu
  3. Click Save
  4. Drag the pointer to select the newly generated key value, right-click the selection, and then click Copy

Grant Tenant Admin Consent

Note: Before you begin these steps, copy the URL of your application’s home page into Notepad—for instance:

https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fmanage.office.com&client_id=&redirect_uri=&prompt=admin_consent

It’s possible to just copy the URL above and alter it, but you can construct it by using the oAuth 2.0 Endpoint Authorization URL with some parameters.

Here is how to find the URL

  1. On the left-side menu, click Azure Active Directory then App registrations.
    In the top menu click Endpoints

  2. Copy the URL listed under OAUTH 2.0 AUTHORIZATION ENDPOINT

Now you can construct the complete URL by appending the following parameters:

response_type=code&resource=https%3A%2F%2Fmanage.office.com&client_id=&redirect_uri=&prompt=admin_consent

The last thing is to insert the client_id and the redirect_uri values into the string. Here is how to find the values.

  1. Click the name of your application under the Display Name header
  2. Click Settings or All settings

  3. Under the Essentials header, copy your Application ID

  4. In Notepad, paste your application ID—also known as your client ID—into your application URL after client_id=
  5. Under the Essentials header, copy your Home page

  6. In Notepad, paste your home page into your application URL after redirect_uri=
    Note: You must URL-encode the special characters in your home page URL, such as : and /. In this case, https://logrhythm.com becomes https%3A%2F%2Flogrhythm.com
  7. Paste the new URL into your browser, and then hit Enter
    Note: Make sure that your browser is signed in to the O365 and Azure AD portals with your admin account.
  8. In the application permission dialog box, click Accept

    The browser loads an error page—this is expected. You should see a reply code in the browser URL after code=. If there is an error in the redirected URL—for instance, error=access_denied or error=unsupported_response_type—then O365 Management Activity API permissions may be improperly assigned.

Configure the X.509 Certificate

Download Manifest File from Azure AD
  1. Click the name of your application under the Display Name header
  2. Click Manifest

  3. From the Edit manifest screen, click Download, and then click Download

Create Self-Signed Certificate or Obtain Cert Signed by Trusted Authority

It’s possible to use a signed Certificate obtained by a Trusted Authority or use a self-signed certificate.

There a several options available when generation a self-signed Certificate – it’s possible to use either of the two examples given below.

Issue a self-signed Certificate using OpenSSL
  1. Download OpenSSL – https://openssl.org/
    (Windows binaries can be found here: https://wiki.openssl.org/index.php/Binaries)
  2. Install/Extract to location on the local drive (i.e. C:\OpenSSL-Win32)
  3. Run the following from the Command Line:
    <OpenSSL file location>openssl req -config openssl.cfg -newkey rsa:2048 -nodes -keyout certificate.key -x509 -days 1095 -sha256 -out certificate.crt -subj "/C=US/ST=Washington/L=Redmond/O=Contoso Ltd./CN=LogRhythm"
    • -config Location of the openssl.cfg file – usually in the same directory as the program
    • -newkey generate a new RSA key of ‘bits’ in size
    • -nodes don’t encrypt the output key
    • -keyout file to send the key to
    • -x509 output a x509 structure instead of a cert. req.
    • -days number of days a certificate generated by -x509 is valid for
    • -sha256 to use the sha256 message digest algorithm
    • -out output file-subj set or modify request subject
  4. Run the following from the Command Line
    <OpenSSL file localtion>openssl pkcs12 -inkey certificate.key -in certificate.crt -export -out certificate.p12
    • -inkey input private key
    • -in input file
    • -export output PKCS12 file
  5. When prompted, choose a password to protect the exported certificate
Issue a self-signed Certificate using MakeCert
  1. Open MakeCert from the \Bin folder of the Microsoft Windows Software Development Kit (SDK), which you can download at http://go.microsoft.com/fwlink/p/?linkid=84091
  2. Run the following from the Command Line:
    <MakeCert file location>makecert -r -pe -n <Cert Name> -b <MM/DD/YYYY> -e <MM/DD/YYYY> –ss my –len 2048
    • -r -pe: Self-signed exportable cert
    • -n: <Cert Name>: “CN=[Tenant Name] [Application Name] Cert”
      For example, “CN=MyOrganization TrainingApp Cert”
    • -b: Begin time stamp
      If possible, make this the current date
    • -e: End time stamp
      Unless otherwise necessary, make this two years from the current date
    • -ss my: Certificate store (personal)
    • -len 2048: Cert key length is 2048 bits (the minimum required by O365)

Note: For these commands, you must use the minus key (-) at the top of the keyboard—between the zero key (0) and the equals key (=)—rather than the minus key on the numeric keypad.

Export Cert in .cer Format
  1. Run the Certification Manager from the Command Line:
    <MakeCert file location>certmgr.msc
  2. From the left-side menu, click Certificates – Current User
  3. Under Logical Store Name, click Personal
  4. Under Object Type, click Certificates
  5. Select your cert from the list, right-click it, click All Tasks, and then click Export
    The Certificate Export Wizard appears
  6. In the Export Private Key dialog box, click Next, select the No, do not export the private key button, and then click Next
  7. Select the Base-64 encoded X.509 (.CER) button, and then click Next
  8. In the File to Export dialog box, click Browse, and then save the .cer file to your system
  9. Click Next, click Finish, and then click OK
Export Cert in .pfx Format
  1. Repeat steps 2–5 of the Export Cert in .cer Format section
  2. In the Export Private Key dialog box, click Next, select the Yes, export the private key button, and then click Next
  3. Ensure that the Personal Information Exchange – PKCS #12 (.PFX) button is selected, and that the Include all certificates in the certification path if possible check box is selected, and then click Next
  4. In the Security dialog box, select the Password check box, enter and confirm a private key password, and then click Next
    Note:
     This password goes into the office365.ini file after being encrypted with lrcrypt. Refer to LogRhythm Password Encryption for more information.
  5. In the File to Export dialog box, click Browse, and then save the .pfx file to your system
    Note: You will add a reference to this .pfx file and file path in your office365.ini file
  6. Click Next, click Finish, and then click OK
Replace Cert Details in Downloaded Manifest File

To import the cert values into the manifest file, paste the script below into a new .ps1 file and run it from an administrative PowerShell console (requires PowerShell 3). These commands:

Tell PowerShell where to find the cert you exported and the manifest file you downloaded in the previous steps, as well as where to save the updated manifest file

  • Load the cert and get the Base64Thumbprint and a random GUID
  • Read your current manifest file, modify the .json file, and then save it to a new file
  • Output the Certificate thumbprint for later use in the LogRhythm configuration file
  • The script accepts the following parameters:
    • -certPath The full path to the certificate file
    • -manifestPath The full path to the manifest file
param([String]$certPath,[String]$manifestPath)

if(!$certPath) {
     $certPath = Read-Host "Enter full certificate path (.cer or .crt) i.e. c:\my.crt"
}

if(!$manifestPath) {
     $manifestPath = Read-Host "Enter full manifest path (.json) i.e. c:\manifest.json"
}

$manifestPathNew = $manifestPath -replace "(.*).json(.*)", '$1_ready.json'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

$cert.Import($certPath)

$base64Value = [System.Convert]::ToBase64String($cert.GetRawCertData())
$base64Thumbprint = [System.Convert]::ToBase64String($cert.GetCertHash())
$keyId = [System.Guid]::NewGuid().ToString()
$json = (Get-Content $manifestPath) -join "`n" | ConvertFrom-Json

if ($json.keyCredentials.length -le 0) {
     $json.keyCredentials = ,@{
          "customKeyIdentifier" = $base64Thumbprint;
          "value" = $base64Value;
          "keyId" = $keyId ;
          "usage" = "Verify";
          "type" = "AsymmetricX509Cert"
     }
} else {
     $json.keyCredentials | %{$_.customKeyIdentifier = $base64Thumbprint }
     $json.keyCredentials | %{$_.value = $base64Value }
     $json.keyCredentials | %{$_.keyId = $keyId }
     $json.keyCredentials | %{$_.startDate = $cert.GetEffectiveDateString() }
     $json.keyCredentials | %{$_.endDate = $cert.GetExpirationDateString() }
}

$json | ConvertTo-Json –depth 100 | out-file $manifestPathNew

Write-Host "New Manifest file created:" $manifestPathNew
Write-Host "Certificate Thumbprint:" $cert.Thumbprint
Upload New Manifest File to Azure AD App
  1. Click the name of your application under the Display Name header
  2. Click Manifest

  3. On the Edit manifest page, click Upload

  4. Select your _ready.json file created in the Replace Cert Details in Downloaded Manifest File section

Locating your Tenant ID in the Azure AD portal

The final step is to locate the Tenant ID for your environment. There are two ways to obtain this:

  • Click Properties on Azure Active Directory in the admin center and copy the Directory ID value

Or

  1. In the Azure AD portal, click the help icon on the top menu, and then click Show diagnostics

  2. Open the retrieved file and search for tenants
  3. Under the “tenants” object, copy the Tenant ID from the “id” field

Ensure the required information has been collected

To continue with the next steps, we need to ensure that the following information is available:

  • Application ID
  • Tenant ID
  • Certificate Thumbprint
  • Exported Certificate file (.p12 or .pfx) and matching password

Next Step

Now we have the information required for setting up integration with LogRhythm SIEM.

Continue with the configuration in part two, Integrating LogRhythm SIEM with Azure AD (Office 365)

Azure, LogRhythm, o365, SIEM

Comments (4)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.