Azure AD Add-on for MS Office 365 questions

adamblock2
Path Finder

I am in the process of trying to configure a Tenant in this add-on.  Some of the required values are available in the Azure AD integration application.  There are a number of others that I have not been able to find values for.

The first 3 items I have values for, the last 3 I do not.  Assistance with this would be appreciated.

  • Tenant ID is the Directory ID from Azure Active Directory.
  • Client ID is the Application ID from the registered application within the Azure Active Directory.
  • Client Secret is the registered application key for the corresponding application.
  • Cloud Application Security Token is the registered application key for the corresponding tenant.
  • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
  • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.

jconger
Splunk Employee

TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input.  If you do not plan on using that input in the add-on, you can leave those fields blank.  If you do plan on using that input, here is a quick how-to about getting the needed values:

  • Log on to the Cloud App Security portal https://portal.cloudappsecurity.com/
  • Once logged in, go to Settings > Security extensions
  • Click the Add token button
  • Give the token a name and click Generate
  • The token will be displayed.  This is the only time the token will be displayed by the way.
  • Copy the token, tenant subdomain (splunkpartner in my case), and data center (us3 in my case).

The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs:

  • Management Activity
  • Service Status
  • Service Message
  • Graph API

The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app).  If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used => http://bit.ly/Splunk_Azure_Permissions

jwalzerpitt
Influencer

Thx for posting @jconger, as I followed the instructions you laid out and was able to add a few Defender for Cloud App inputs - alerts and policies.

jadengoho
Builder

Hi @adamblock2,
Where can we see the "Cloud App Security Token"?

jconger
Splunk Employee

In the screenshot above, the API token is the value to use for the "Cloud App Security Token".

marcluescher
Explorer

I am exactly in the same situation.

To get a token for value 4 we followed the following steps and used curl to get a token; unfortunately, that token does not pass Splunk add-on validation but passed MS validation as a valid token.

https://docs.microsoft.com/en-us/defender-cloud-apps/api-authentication

We then tested the token with jwt.ms and it comes back as valid with proper roles.

For steps 5 and 6 we used our assigned cloudapps URL, like https://tenant.portal.cloudappsecurity.com.

But still no luck. Since the app is Splunk built I hope they can help here.
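Two of the checks discussed in this thread can be done locally before anything is pasted into the add-on: the original question defines Tenant Subdomain and Tenant Data Center as the first two host labels of the Cloud App Security portal URL, and marcluescher describes decoding his curl-obtained token at jwt.ms to confirm its roles and validity. The Python script below is an added example, not code from this thread, the Splunk add-on or Microsoft. It assumes the host shape given in the question, reports no data center (rather than guessing one) for the shorter https://tenant.portal.cloudappsecurity.com form marcluescher used, and decodes JWT claims without verifying the signature, so it is a diagnostic only; the sample token, its audience and its role name are constructed placeholders.

```python
"""Sanity-check Cloud App Security fields before entering them in the add-on.

Added example (not from the thread, the Splunk add-on or Microsoft).
  * parse_portal_url(): derive Tenant Subdomain / Tenant Data Center from the
    portal URL, using the host shape given in the original question.
  * inspect_jwt(): decode a JWT's claims locally (what jwt.ms displays) to see
    audience, roles and expiry. It does NOT verify the signature, so it is a
    diagnostic, not a substitute for the add-on's own token validation.
"""
import base64
import json
import time
from urllib.parse import urlsplit

PORTAL_SUFFIX = ("portal", "cloudappsecurity", "com")


def parse_portal_url(url):
    """Return (tenant_subdomain, tenant_data_center) for a portal URL.

    https://<sub>.<dc>.portal.cloudappsecurity.com  -> (sub, dc)
    https://<sub>.portal.cloudappsecurity.com       -> (sub, None)
    Anything else raises ValueError rather than returning a guess.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 4 or tuple(labels[-3:]) != PORTAL_SUFFIX:
        raise ValueError(f"not a Cloud App Security portal host: {host!r}")
    prefix = labels[:-3]
    if len(prefix) == 1:
        return prefix[0], None
    if len(prefix) == 2:
        return prefix[0], prefix[1]
    raise ValueError(f"unexpected host shape: {host!r}")


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_jwt(token, now=None):
    """Decode header and payload of a JWT without verifying the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token is not a three-segment JWT")
    header = json.loads(_b64url_decode(segments[0]))
    payload = json.loads(_b64url_decode(segments[1]))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    return {
        "alg": header.get("alg"),
        "aud": payload.get("aud"),
        "roles": payload.get("roles", []),
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else int(exp - now),
    }


def make_sample_token(payload):
    """Build a CONSTRUCTED JWT for offline demonstration.

    The signature segment is a placeholder, which is exactly why inspect_jwt()
    must never be mistaken for signature verification.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed sample claims: the audience and role name are placeholders.
SAMPLE_CLAIMS = {
    "aud": "constructed-audience-id",
    "roles": ["example.read"],
    "iat": 1700000000,
    "exp": 1700003600,
}


if __name__ == "__main__":
    # The first URL uses the subdomain/data center values jconger quoted above.
    for url in ("https://splunkpartner.us3.portal.cloudappsecurity.com",
                "https://tenant.portal.cloudappsecurity.com"):
        print(url, "->", parse_portal_url(url))
    token = make_sample_token(SAMPLE_CLAIMS)
    print(inspect_jwt(token, now=SAMPLE_CLAIMS["iat"]))
    print(inspect_jwt(token, now=SAMPLE_CLAIMS["exp"] + 60))
```

When parse_portal_url() returns None for the data center, the URL you have does not carry that label, so the add-on's Tenant Data Center field cannot be filled from it; and an "expired" result from inspect_jwt() explains a validation failure without telling you the token is otherwise acceptable, because the signature and audience are not checked here.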

adamblock2
Path Finder

We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain, and Tenant Data Center values may not be required.

I have not had an opportunity to test this yet, but I would suggest giving that a try.

aplackemeier
Explorer

I believe the last 3 are only needed in a multi-tenant situation. Ran across this when ours expired and we had to update.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed.

marcluescher
Explorer

It's the same outcome with or without those URLs; it's the token validation part which seems either broken or needs something different.

I wish they had better documentation for this new requirement of a secret and cloud token.

Many customers will run into this once the secrets expire.
