Microsoft Azure Configuration

Modified on Fri, 27 Sep at 12:46 PM


The ARIA™ Cybersecurity Solutions Advanced Detection and Remediation (ADR) platform integrates with Microsoft® Azure®. When configured, Microsoft logs, including email information, are sent to the Control and Collections Engine (CCE). You can then configure the CCE to generate alerts when suspicious activity occurs. This document provides the steps required to configure Microsoft Azure and the CCE.


Note: Before you begin, open a text editor such as Notepad. Several steps require you to copy information for later use.


1. Microsoft Azure

To configure Microsoft Azure, follow the directions below:

  1. Log into the Microsoft Azure portal (portal.azure.com).
    Figure 1: Azure Login
  2. Click the menu icon and select Microsoft Entra ID.
    Figure 2: Select Microsoft Entra ID

  3. Copy the Primary domain value to a text editor. This information is required for a later step.
    Figure 3: Copy Primary Domain

  4. Click Users.
    Figure 4: Click Users

  5. Search for the Admin email address and copy the domain to a text editor.
    Figure 5: Copy Domain from Email Address

  6. Click App registrations then New registration to add a new application.
    Figure 6: New Registration

  7. On the Register an application page, complete the following fields and click Register:
    • Name: Enter a name for the application.
    • Supported account type: Select Accounts in this organizational directory only.
    • Redirect URI: Select Web and enter a URL with your primary domain from Step 3.

      Example: https://MyCompany.onmicrosoft.com
      Figure 7: Register Application


  8. Copy the client and tenant IDs to a text editor then click the Redirect URIs link.
    Figure 8: Copy IDs

  9. Make sure ID tokens is checked and click Save.
    Figure 9: Select ID Tokens

  10. Select Certificates & secrets.
    Figure 10: Select Certificates & Secrets

  11. Click New client secret to add a new secret.
    Figure 11: Add New Secret

  12. Enter the description “ARIA Client Secret”, use the drop-down box to select the number of months the secret is valid (e.g. 24 months), then click Add.
    Figure 12: Enter Secret Description and Expiration Time

  13. Use the copy button to copy the client secret Value and save it in a text editor. The Secret ID is not used.

    Note: This value will no longer be available once you navigate away from the page.

    Figure 13: Copy Secret Value

  14. Select API permissions.
    Figure 14: Select API Permissions

  15. Click Add a permission.
    Figure 15: Add a Permission

  16. Click Microsoft Graph.
    Figure 16: Click Microsoft Graph

  17. Click Application permissions.
    Figure 17: Click Application Permissions

  18. Select each of the following permissions via the filter box. After all 10 have been selected, click Add permissions.
    • Application.Read.All
    • AuditLog.Read.All
    • Device.Read.All
    • Files.Read.All
    • Mail.ReadBasic.All
    • MailboxSettings.Read
    • SecurityEvents.Read.All
    • Sites.Read.All
    • User.Read.All
    • UserAuthenticationMethod.Read.All

      Figure 18: Add Audit Permissions

  19. Click Add a permission again then click Office 365 Management APIs.
    Figure 19: Click Office 365 Management APIs

  20. Click Application permissions.
    Figure 20: Click Application Permissions for Office 365

  21. Select ActivityFeed.Read and click Add permissions.
    Figure 21: Add Activity Feed Permissions

  22. Click Grant admin consent. If you are prompted with additional consent dialogs, click through them to continue.
    Figure 22: Click Grant Admin Consent

  23. Confirm the status of all permissions contains a checkmark, indicating the permissions are granted.
    Figure 23: Permissions Granted
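
The permission set from Steps 18 and 21 can also be checked outside the portal by inspecting an access token issued to the new application. The following is an added example, not code from ARIA or Microsoft: it assumes an app-only access token (obtained separately with the client ID, tenant ID and client secret) that carries its application permissions in the `roles` claim, and the function names are hypothetical. The sample token is constructed so the check runs offline.

```python
import base64
import json

# Application permissions listed in Steps 18 and 21 of this page.
GRAPH_ROLES = {
    "Application.Read.All", "AuditLog.Read.All", "Device.Read.All",
    "Files.Read.All", "Mail.ReadBasic.All", "MailboxSettings.Read",
    "SecurityEvents.Read.All", "Sites.Read.All", "User.Read.All",
    "UserAuthenticationMethod.Read.All",
}
O365_MGMT_ROLES = {"ActivityFeed.Read"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str, expected: set) -> dict:
    """Compare the token's 'roles' claim with the permissions the page lists."""
    granted = set(jwt_claims(token).get("roles", []))
    return {
        "missing": sorted(expected - granted),  # not added, or consent not granted
        "extra": sorted(granted - expected),    # broader than the page requires
    }


def make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: one permission missing, one unexpected write permission.
    roles = sorted(GRAPH_ROLES - {"AuditLog.Read.All"}) + ["Mail.ReadWrite"]
    print(audit_roles(make_sample_token(roles), GRAPH_ROLES))
```

A non-empty "extra" list means the registration holds more access than this integration needs and should be trimmed; use `O365_MGMT_ROLES` as the expected set when inspecting a token issued for the Office 365 Management APIs.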

2. Requirements

Before you configure the CCE to collect the Microsoft logs, make sure you have the following information:

  • Tenant Domain (Primary Domain) from Step 3 or Step 5
    Note: If the values are different, use the domain with onmicrosoft.com as part of the name.
  • Client ID (Application ID) from Step 8
  • Tenant ID (Directory ID) from Step 8
  • Client Secret Value from Step 13

In addition, your firewall must allow the following URLs:

3. CCE

To configure the CCE:

  1. Log in and access the tenant that will collect the Microsoft logs.
  2. Select Provisioning > Cloud Devices > Azure Configuration.
  3. Click Add under the Azure AD/ Office 365 (E1 or E3) section.
    Figure 24: Add Cloud Configuration

  4. Provide the information copied from Azure, enter the CCE IP address, and check all three boxes, as shown below.
    Figure 25: Configure Cloud Service

  5. Click Save.
