Azure Active Directory is the identity and directory management service that combines basic directory services, application access management, and identity protection in a single solution.
Wazuh also allows to monitor services such as Azure Active Directory using the Azure Active Directory Graph REST API, which provides access to Azure AD through REST API endpoints. Applications can use the Azure AD Graph API to perform read operations on directory data and objects.
We’re going to configure an application from the Microsoft Azure portal to be able to use the Azure Active Directory Graph REST API.
The process explained below details the configuration of an application that will use the Active Directory Graph REST API. You can also create a new application, as the creation process is similar to the application for Azure Log Analytics.
1.1 - In the
Azure Active Directory section, select the option
App registrations and once inside, select
New application registration.
1.2 - Access the
Settings section. Save the
application id for later authentication.
1.3 - In the
Required permissions section select the
1.4 - Select the API by searching for “Microsoft Graph”.
1.5 - Select the permissions that adapt to our infrastructure.
1.6 - Select
Next we will see the options we have for configuring the integration.
When we choose to use a file for authentication, its content must be
field = value. For example:
application_id = 8b7...c14 application_key = w22...91x
3.1 - We opted for the following example configuration. The integration will be executed every Friday at 12:00. Authentication will be carried out by reading the file containing the credentials. We add a representative
tag and set the search for the
activities/audit?api-version=beta query to give us the results of the previous day.
<wodle name="azure-logs"> <disabled>no</disabled> <wday>Friday</wday> <time>12:00</time> <run_on_start>no</run_on_start> <graph> <auth_path>/home/manager/Azure/graph_auth.txt</auth_path> <tenantdomain>wazuh.onmicrosoft.com</tenantdomain> <request> <tag>azure-active_directory</tag> <query>activities/audit?api-version=beta</query> <time_offset>1d</time_offset> </request> </graph> </wodle>
You can see the wodle reference here.
tenantdomain is necessary and we can obtain it easily. In the azure portal, we can see it leaving the cursor in the upper right corner.
Using the configuration prepared above, we will show an example of use.
As the records are in
.json format, with this rule, already included in the integration, we can start generating alerts:
<rule id="87802" level="3"> <decoded_as>json</decoded_as> <field name="azure_tag">azure-ad-graph</field> <description>Azure: AD $(activity)</description> </rule>
Proceed to create a new user. If the creation is successful, a log will be written to reflect it.
Azure Active Directory entry select the
Audit logs entry and we can see the creation of our user.