Monitoring Services

Azure Active Directory is the identity and directory management service that combines basic directory services, application access management, and identity protection in a single solution.

Wazuh can also monitor services such as Azure Active Directory using the Azure Active Directory Graph REST API, which exposes Azure AD through REST endpoints. Applications can use the Azure AD Graph API to perform read operations on directory data and objects.

Using Azure Active Directory Graph

We are going to configure an application in the Microsoft Azure portal so that it can use the Azure Active Directory Graph REST API.

Note

The process explained below details the configuration of an application that will use the Active Directory Graph REST API. You can also create a new application; the creation process is similar to that of the application for Azure Log Analytics.

1. Giving permissions to the application

1.1 - In the Azure Active Directory section, select App registrations and, once inside, select New application registration.

1.2 - Open the Settings section and save the application ID; it is needed later for authentication.

1.3 - In the Required permissions section select the Add option.

1.4 - Select the API by searching for "Microsoft Graph".

1.5 - Select the permissions that suit your infrastructure.

1.6 - Select Done.

1.7 - Back in the Azure Active Directory section, select Enterprise applications and, once inside, select the newly created app. Open Permissions and click Grant Admin Consent for the application. In the popup window that appears, review that the permissions are appropriate, and select Accept.

2. Obtaining the application key for authentication

2.1 - Select Keys and fill in the DESCRIPTION and EXPIRES fields. Once the key is saved, its value is displayed; copy it then, as it is the key with which the application authenticates in order to use the API.

Wazuh configuration

Next, we look at the options available for configuring the integration.

3. azure-logs module configuration

Note

When a file is used for authentication, each line of its content must have the form field = value. For example:

application_id = 8b7...c14
application_key = w22...91x
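As an added example (not part of the Wazuh documentation or the azure-logs module, whose own parser may differ), the following Python reads a credentials file in the field = value format shown above, checks that exactly the two expected fields are present, and refuses to load the file if other local users can read it, since the application key is a bearer credential. The '#' comment convention and the sample values are assumptions constructed for the example.

```python
"""Parse a Wazuh azure-logs authentication file (``field = value`` lines).

Added example, not part of the Wazuh docs or the azure-logs module. It
reads the two fields the page names (application_id, application_key),
skips blank and '#' comment lines (an assumed convention), and refuses
files that other local users can read, since the key is a bearer credential.
"""
import os
import stat
import tempfile

REQUIRED_FIELDS = ("application_id", "application_key")


def parse_auth_text(text):
    """Return {field: value} from ``field = value`` lines; raise on bad input."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'field = value'")
        field, value = (part.strip() for part in line.split("=", 1))
        if field not in REQUIRED_FIELDS:
            raise ValueError(f"line {lineno}: unknown field {field!r}")
        if field in creds:
            raise ValueError(f"line {lineno}: duplicate field {field!r}")
        if not value:
            raise ValueError(f"line {lineno}: empty value for {field!r}")
        creds[field] = value
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"missing field(s): {', '.join(missing)}")
    return creds


def load_auth_file(path):
    """Read the file only if it is not group- or world-accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {mode:04o} exposes the application key; use 0600")
    with open(path, encoding="utf-8") as fh:
        return parse_auth_text(fh.read())


# Constructed sample content with placeholder values (not real credentials).
SAMPLE_AUTH = """\
# credentials for the azure-logs graph integration
application_id = 00000000-0000-0000-0000-000000000000
application_key = PLACEHOLDER_APPLICATION_KEY
"""


def demo():
    """Write the sample to a temporary file with mode 0600 and load it back."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTH)
        os.chmod(path, 0o600)
        return load_auth_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The permission check is the part worth keeping in any real deployment: the key in this file grants whatever directory permissions were consented to in step 1.7, so the file should be owned by the user running the Wazuh manager and readable by nobody else.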

3.1 - We use the following example configuration. The integration runs every Friday at 12:00. Authentication is performed by reading the file containing the credentials. We add a representative tag and set the activities/audit?api-version=beta query to return the results of the previous day.

<wodle name="azure-logs">

    <disabled>no</disabled>
    <wday>Friday</wday>
    <time>12:00</time>
    <run_on_start>no</run_on_start>

    <graph>

        <auth_path>/home/manager/Azure/graph_auth.txt</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>azure-active_directory</tag>
            <query>activities/audit?api-version=beta</query>
            <time_offset>1d</time_offset>
        </request>

    </graph>

</wodle>

See the azure-logs wodle reference for all available options.

The tenantdomain field is required and is easy to obtain: in the Azure portal, it is shown when you hover the cursor over the upper right corner.

Azure Active Directory Graph Use Case

Using the configuration prepared above, we show an example of use.

Wazuh Rules

Since the records are in JSON format, the following rule, already included in the integration, generates alerts from them:

<rule id="87802" level="3">
    <decoded_as>json</decoded_as>
    <field name="azure_tag">azure-ad-graph</field>
    <description>Azure: AD $(activity)</description>
</rule>
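To make the rule's behaviour concrete, the following Python is an added example (not Wazuh's rule engine) that applies the three conditions of rule 87802 to a handful of constructed JSON lines: the line must decode as a JSON object, its azure_tag field must equal azure-ad-graph, and the alert description is produced by substituting $(activity) with the record's activity field. The sample records, including the actor field, are constructed for this example.

```python
"""Apply the logic of Wazuh rule 87802 to JSON records.

Added example, not Wazuh's rule engine. It mimics the rule shown above:
<decoded_as>json</decoded_as>, <field name="azure_tag">azure-ad-graph</field>
and a description that substitutes $(activity). Sample records are
constructed; fields other than azure_tag and activity are assumptions.
"""
import json
import re

RULE = {
    "id": 87802,
    "level": 3,
    "field": ("azure_tag", "azure-ad-graph"),
    "description": "Azure: AD $(activity)",
}

_SUBST = re.compile(r"\$\((\w+)\)")


def decode_json(line):
    """Return the record as a dict, or None if the line is not a JSON object."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    return record if isinstance(record, dict) else None


def render(template, record):
    """Replace $(name) tokens with the record's values, as Wazuh descriptions do."""
    return _SUBST.sub(lambda m: str(record.get(m.group(1), "")), template)


def evaluate(line, rule=RULE):
    """Return an alert dict when the rule matches the line, otherwise None."""
    record = decode_json(line)
    if record is None:
        return None                      # <decoded_as>json</decoded_as> failed
    name, expected = rule["field"]
    if record.get(name) != expected:     # <field name="azure_tag"> mismatch
        return None
    return {
        "rule_id": rule["id"],
        "level": rule["level"],
        "description": render(rule["description"], record),
    }


# Constructed sample lines: two Graph audit records, one unrelated event,
# and one line that is not JSON at all.
SAMPLE_LINES = [
    '{"azure_tag": "azure-ad-graph", "activity": "Add user", '
    '"actor": "admin@example.onmicrosoft.com"}',
    '{"azure_tag": "azure-ad-graph", "activity": "Update user", '
    '"actor": "admin@example.onmicrosoft.com"}',
    '{"azure_tag": "other-source", "activity": "Add user"}',
    'not json at all',
]


def alerts_for(lines):
    """Run every line through the rule and collect the alerts it produces."""
    return [alert for alert in (evaluate(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LINES):
        print(alert)
```

Running the block prints two level-3 alerts, "Azure: AD Add user" and "Azure: AD Update user"; the record tagged with another source and the non-JSON line produce nothing, which is exactly what the rule's azure_tag condition and json decoder are there to enforce.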

Create a new user

Proceed to create a new user. If the creation succeeds, a log entry is written reflecting it.

Azure portal visualization

From the Azure Active Directory entry, select Audit logs to see the creation of the user.

Kibana visualization

When the integration runs the query, the results can be seen in Kibana. Through rule 87802 we can see that the dates of the events coincide (taking into account the time difference between computers).