topic Re: Add-on for MS Office 365 question in Getting Data In

Azure AD Add-on for MS Office 365 questions

adamblock2 — Tue, 01 Mar 2022 16:47:58 GMT

I am in the process of trying to configure a Tenant in this add-on. Some of the required values are available in the Azure AD integration application. There are a number of others that I have not been able to find values for.

The first 3 items I have values for, the last 3 I do not. Assistance with this would be appreciated.

Tenant ID is the Directory ID from Azure Active Directory.
Client ID is the Application ID from the registered application within the Azure Active Directory.
Client Secret is the registered application key for the corresponding application.
Cloud Application Security Token is the registered application key for the corresponding tenant.
Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.

Re: Add-on for MS Office 365 question

marcluescher — Wed, 08 Dec 2021 22:38:45 GMT

I am exactly in the same situation.

To get a token for value 4 we followed the following steps and used curl to get a token, unfortunately that token does not pass Splunk addon validation but passed ms validation as valid token .

https://docs.microsoft.com/en-us/defender-cloud-apps/api-authentication

We then tested the token with jwt.ms and it comes back as valid with proper roles.

For step 5 and 6 we used our assigned cloudapps url

like https://tenant.portal.cloudappsecurity.com .

But still no luck. Since the app is Splunk built I hope they can help here.

Re: Add-on for MS Office 365 question

adamblock2 — Wed, 08 Dec 2021 22:47:51 GMT

We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain, and Tenant Data Center values may not be required.

I have not had an opportunity to test this yet, but I would suggest giving that a try.

Re: Add-on for MS Office 365 question

marcluescher — Wed, 08 Dec 2021 22:54:19 GMT

its the same outcome with or without those URL's is the token validation part which seems either broken or needs something different.

I wish they had a better documentation for this new requirement of a secret and cloud token.

Many customers will run into this once the secrets expire.

Re: Add-on for MS Office 365 question

aplackemeier — Wed, 22 Dec 2021 18:45:25 GMT

I believe the last 3 are only needed in a multi tenant situation. Ran across this when ours expired and we had to update.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed.

Re: Add-on for MS Office 365 question

jconger — Wed, 26 Jan 2022 18:34:01 GMT

TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input. If you do not plan on using that input in the add-on, you can leave those fields blank. If you do plan on using that input, here is a quick how-to about getting the needed values:

Log on to the Cloud App Security portal https://portal.cloudappsecurity.com/
Once logged in, go to Settings > Security extensions
Click the Add token button
Give the token a name and click Generate
The token will be displayed. This is the only time the token will be displayed by the way.
Copy the token, tenant subdomain (splunkpartner in my case), and data center (us3 in my case).

The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs:

Management Activity
Service Status
Service Message
Graph API

The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app). If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used => http://bit.ly/Splunk_Azure_Permissions

Re: Add-on for MS Office 365 question

jadengoho — Tue, 01 Mar 2022 03:04:17 GMT

Hi @adamblock2
Where can we see the "Cloud App Security Token"

Re: Add-on for MS Office 365 question

jconger — Tue, 01 Mar 2022 14:15:22 GMT

In the screenshot above, the API token is the value to use for the "Cloud App Security Token".

Re: Add-on for MS Office 365 question

jwalzerpitt — Thu, 23 Jun 2022 14:24:34 GMT

Thx for posting @jconger as followed the instructions you laid out and was able to add a few Defender for Cloud App inputs - alerts and policies