Overview & Use Case
Thanks to @Ofer_Shezaf and @Yaniv Shasha for the brainstorming, contributing and proof reading!
A multi-national organization having multiple branches with different identities across the globe, each branch have it's own separate tenant (AAD & O365) logs and the global SOC team are looking for a way on how to ingest these logs coming from all branches to their main parent tenant via Azure Sentinel.
While Azure Sentinel can’t natively do that using the out-of-the box data connectors (Office 365 / Azure AD), we cover your back with O365 & AAD Multi-Tenancy custom connector via an Azure Sentinel Playbook (Logic App) that invoke the Office 365 Management API & Graph API to read from multiple tenants and writes to a custom table in Sentinel, same can be done using Azure Function.
Implementation
With the help of Office 365 Management API & Microsoft Graph API we can invoke specific content types cross-tenants:
API | Content-Type / Activity Log |
Office 365 Management API | Audit.AzureActiveDirectory |
Office 365 Management API | Audit.Exchange |
Office 365 Management API | Audit.SharePoint |
Office 365 Management API | Audit.General (includes all other workloads not included in the previous content types) |
Office 365 Management API | DLP.All (DLP events only for all workloads) |
Graph API | audit-Logs |
Graph API | Sign-in Logs |
So, tell us more about the steps?
Assuming, we have a parent tenant (Pt) & a child tenant (Ct) and the requirements is to invoke the "Ct" tenant O365 Management API & Graph APIs to pull Office 365 & AAD logs and ingest at "Pt" ones.
Step(1): Prep & App Registration
Connect-AzAccount # connect via child "Pt" admin account
# Populate with App ID and Secret from your Azure AD app registration
$ClientID = "<Client_ID>"
$ClientSecret = "<Secret>"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<tenant-domain>.onmicrosoft.com"
# Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
$TenantGUID = "<tenant_ID>"
$resource = "https://manage.office.com"
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$publisher = New-Guid
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory&PublisherIdentifier=$Publisher"
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=DLP.ALL&PublisherIdentifier=$Publisher"
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$Publisher"
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.Exchange&PublisherIdentifier=$Publisher"
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.SharePoint&PublisherIdentifier=$Publisher"
Step(2): Cross-Tenants Custom Connector
Notes & Consideration
Get started today!
We encourage you to try it now!
You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.