diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png new file mode 100644 index 00000000000..0cda756d0e0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png new file mode 100644 index 00000000000..837ce46d03a Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png new file mode 100644 index 00000000000..86a3382e2d5 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png new file mode 100644 index 00000000000..85e3d9c7363 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png new file mode 100644 index 00000000000..24252ea46d0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png new file mode 100644 index 00000000000..b19f0188291 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png new file mode 100644 index 00000000000..77fc381dcde Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png new file mode 100644 index 00000000000..2863d1ac842 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png new file mode 100644 index 00000000000..d6b9217a233 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png new file mode 100644 index 00000000000..19bcf49c9bd Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png new file mode 100644 index 00000000000..9ebea64504d Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png new file mode 100644 index 00000000000..d6eb32c9f27 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png new file mode 100644 index 00000000000..63bf4b5f260 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png new file mode 100644 index 00000000000..f72b7e27ea7 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png new file mode 100644 index 00000000000..8ddbd7eb2cd Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png new file mode 100644 index 00000000000..02a3429b4ad Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png new file mode 100644 index 00000000000..627b0cb0228 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png new file mode 100644 index 00000000000..ec124b080e7 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png new file mode 100644 index 00000000000..7df564b46b6 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png new file mode 100644 index 00000000000..8dcb504eebc Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png new file mode 100644 index 00000000000..ea41face2ac Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png new file mode 100644 index 00000000000..fb02aeadd69 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png new file mode 100644 index 00000000000..4e21a9b4b19 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png new file mode 100644 index 00000000000..c5cecdfd905 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png new file mode 100644 index 00000000000..f818a4a5569 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png new file mode 100644 index 00000000000..8ad3c16d057 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png new file mode 100644 index 00000000000..1a8748f2ec3 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png new file mode 100644 index 00000000000..3e23dc79086 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png new file mode 100644 index 00000000000..782e9e39773 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png new file mode 100644 index 00000000000..38da0ce277b Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png new file mode 100644 index 00000000000..29cc38bc626 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png new file mode 100644 index 00000000000..ecdd091f1f0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png new file mode 100644 index 00000000000..e89e494578a Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png new file mode 100644 index 00000000000..7bb0650ba55 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png new file mode 100644 index 00000000000..867ee398427 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png new file mode 100644 index 00000000000..051ef6ee199 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png new file mode 100644 index 00000000000..2484c113409 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png new file mode 100644 index 00000000000..8731f60625d Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png new file mode 100644 index 00000000000..95cbb7a3e2a Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png new file mode 100644 index 00000000000..db553f2fdc8 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png new file mode 100644 index 00000000000..3a778b991b1 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png new file mode 100644 index 00000000000..a830203d727 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png new file mode 100644 index 00000000000..d2cf64f8143 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png new file mode 100644 index 00000000000..8da7c2a0517 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png new file mode 100644 index 00000000000..d46f07773af Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png new file mode 100644 index 00000000000..3b8e6678605 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png new file mode 100644 index 00000000000..d98ca5ce8da Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png new file mode 100644 index 00000000000..95f67d803f7 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png new file mode 100644 index 00000000000..40342d7a05d Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png new file mode 100644 index 00000000000..98306cb8fa3 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png new file mode 100644 index 00000000000..1c9beb01edc Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png new file mode 100644 index 00000000000..2e79ba1093c Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png new file mode 100644 index 00000000000..79149ee6e38 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png new file mode 100644 index 00000000000..254c2730ccd Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png new file mode 100644 index 00000000000..e265f03f5bf Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png new file mode 100644 index 00000000000..39a2d12d311 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png new file mode 100644 index 00000000000..a90000d0353 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png new file mode 100644 index 00000000000..cd07848ab2c Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png new file mode 100644 index 00000000000..74b925f2766 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md new file mode 100644 index 00000000000..ef805a11ddc --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md @@ -0,0 +1,375 @@ + # AS-Microsoft-DCR-Log-Ingestion + +Author: Accelerynt + +For any technical questions, please contact info@accelerynt.com + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Microsoft-DCR-Log-Ingestion%2Fmain%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Microsoft-DCR-Log-Ingestion%2Fmain%2Fazuredeploy.json) + +This playbook is intended for multitenant organizations and is designed to run on a timed trigger and pull Microsoft Graph and Microsoft Office logs to Microsoft Sentinel using Data Collection Endpoints and Data Collection Rules. While Microsoft does have built in connectors for this, they do not support multitenant functionality. This playbook is configured to grab the following logs for a tenant of your choosing and send them to another tenant: +* [Microsoft Graph Sign-In Logs](https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Graph Audit Logs](https://learn.microsoft.com/en-us/graph/api/directoryaudit-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Office Activity Logs](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference). + +![DCRLogIngestion_Demo_1](Images/DCRLogIngestion_Demo_1.png) + +![DCRLogIngestion_Demo_2](Images/DCRLogIngestion_Demo_2.png) + +> [!NOTE] +> Estimated Time to Complete: 3 hours + +> [!TIP] +> Required deployment variables will be noted throughout the setup. It is recommended that you look at the deployment page and fill out the required fields as you go. + +# +### Requirements + +The following items are required under the template settings during deployment: + +* Note your [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) for the tenant that will be sending the data +* A Microsoft Entra [app registration](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) to send data to the DCR with admin consent granted for "**AuditLog.Read.All**" and "**Activity.Feed.Read**" +* A Microsoft Entra [app registration](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) in the receiving tenant where the DCR is located. This app registration must have the "**Monitoring Metrics Publisher**" role assigned from each DCR you create. +* [App Registration Azure key vault secrets](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret) containing your app registration client secrets +* Note your [workspace location](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces) for the tenant that will be receiving data, as this will need to be the same for Data Collection Rules and Endpoints created in the steps below +* A [Microsoft Data Collection Endpoint](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints) for each of the log sources +* A [Microsoft Data Collection Rule](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules) for each of the log sources +* An [Azure key vault secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret) containing your client secret for each of your Data Collection Endpoints + +# +### Role Requirements + +If the user that will be performing the setup and deployment steps does not have "**Owner**" or "**Global Administrator**" assigned in both tenants, the following roles may be required: + +The following roles are required in the **sending tenant**: + +* The **Privileged Role Administrator** role will need to be assigned to the user from Entra ID. +* By default, any user can create an app registration, however, if this has been locked down, the "**Application Administrator**" role will need to be assigned from Entra ID. + +The following roles are required in the **receiving tenant**: + +* In order to create and manage secrets within the desired Key Vault, the **Key Vault Secrets Officer** role will need to be assigned to the user from the Key Vault Access control (IAM) page. +* In order to add role assignments to DCRs, the **User Access Admin** and "**Contributor**" roles will need to be assigned to the user from the resource group. + +# +### Setup + +#### Create an App Registration + +From the tenant you wish to **send the Microsoft Graph and Office data from**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". + +![DCRLogIngestion_App_Registration_1](Images/DCRLogIngestion_App_Registration_1.png) + +Enter "**AS-Send-Logs-to-DCR**" for the name and select "**Accounts in any organizational directory**" for "**Supported account types**. All else can be left as is. Click "**Register**" + +![DCRLogIngestion_App_Registration_2](Images/DCRLogIngestion_App_Registration_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**" and the "**Directory (tenant) ID**", as both will be needed for deployment. + +![DCRLogIngestion_App_Registration_3](Images/DCRLogIngestion_App_Registration_3.png) + +Next, you will need to add permissions for the app registration to call the Microsoft Graph and Office 365 API endpoints. From the left menu blade, click "**API permissions**" under the "**Manage**" section. Then, click "**Add a permission**". + +![DCRLogIngestion_App_Registration_4](Images/DCRLogIngestion_App_Registration_4.png) + +From the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Microsoft Graph**". + +![DCRLogIngestion_App_Registration_5](Images/DCRLogIngestion_App_Registration_5.png) + +Click "**Application permissions**", then paste "**AuditLog.Read.All**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_6](Images/DCRLogIngestion_App_Registration_6.png) + +This process will need to be repeated for the Office 365 API. Click "**Add a permission**" once again and from the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Office 365 Management APIs**". + +![DCRLogIngestion_App_Registration_7](Images/DCRLogIngestion_App_Registration_7.png) + +Click "**Application permissions**", then paste "**ActivityFeed.Read**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_8](Images/DCRLogIngestion_App_Registration_8.png) + +Admin consent will be needed before your app registration can use the assigned permission. Click "**Grant admin consent for (name)**". + +![DCRLogIngestion_App_Registration_9](Images/DCRLogIngestion_App_Registration_9.png) + +Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**". + +![DCRLogIngestion_App_Registration_10](Images/DCRLogIngestion_App_Registration_10.png) + +Enter a description and select the desired expiration date, then click "**Add**". + +![DCRLogIngestion_App_Registration_11](Images/DCRLogIngestion_App_Registration_11.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +![DCRLogIngestion_App_Registration_12](Images/DCRLogIngestion_App_Registration_12.png) + +#### Create an App Registration Azure Key Vault Secret + +The secret from the previous step will need to be stored in the **tenant that is to receive the data**, as this is where the logic app will be deployed. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Key_Vault_1.png) + +Choose a name for the secret, such as "**DCRLogIngestion-SendingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". + +![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Key_Vault_2.png) + +#### Create the Data Collection Endpoints + +From the **tenant that is to receive the data**, navigate to the Microsoft Data Collection Endpoints page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Endpoint_1](Images/DCRLogIngestion_Data_Collection_Endpoint_1.png) + +Enter "**EntraSignInLogsDCE**" as the Endpoint Name and select the Subscription and Resource Group. These should match the Subscription and Resource Group of the playbook you will deploy later. Ensure the Region location matches that of your workspace. Click "**Review + create**". + +![DCRLogIngestion_Data_Collection_Endpoint_2](Images/DCRLogIngestion_Data_Collection_Endpoint_2.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Endpoint_3](Images/DCRLogIngestion_Data_Collection_Endpoint_3.png) + +Repeat this process for "**EntraAuditLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_4](Images/DCRLogIngestion_Data_Collection_Endpoint_4.png) + +Repeat this process for "**OfficeActivityLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_5](Images/DCRLogIngestion_Data_Collection_Endpoint_5.png) + +From each of the created Data Collection Endpoint overview pages, take note of the "**Logs Ingestion**" URLs, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Endpoint_6](Images/DCRLogIngestion_Data_Collection_Endpoint_6.png) + +#### Create the Data Collection Rules + +From the **tenant that is to receive the data**, navigate to the Microsoft Log Analytics Workspace page: https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces + +Select the desired workspace. + +![DCRLogIngestion_Data_Collection_Rule_1](Images/DCRLogIngestion_Data_Collection_Rule_1.png) + +From the selected workspace, navigate to "**Tables**" located under settings, click "**Create**" and select "**New custom log (DCR based)**". + +![DCRLogIngestion_Data_Collection_Rule_2](Images/DCRLogIngestion_Data_Collection_Rule_2.png) + +First, click "**Create a new Data Collection Rule**" below the Data Collection Rule field. Then enter "**EntraSignInLogsDCR**" for the name in the window that appears on the right. Ensure the Subscription, Resource Group, and Region all look correct, then click "**Done**". + +![DCRLogIngestion_Data_Collection_Rule_3](Images/DCRLogIngestion_Data_Collection_Rule_3.png) + +Next enter "**EntraSignInLogs**" as the table name and select "**EntraSignInLogsDCE**" from the drop-down list. If this option is not populating, double check the region used for the Data Collection Endpoint created in the previous step. Click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_4](Images/DCRLogIngestion_Data_Collection_Rule_4.png) + +The next step will prompt you for a data sample. + +![DCRLogIngestion_Data_Collection_Rule_5](Images/DCRLogIngestion_Data_Collection_Rule_5.png) + +Upload the file content located at [Samples/SignInLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/SignInLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_6](Images/DCRLogIngestion_Data_Collection_Rule_6.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_7](Images/DCRLogIngestion_Data_Collection_Rule_7.png) + +This process will need to be repeated for "**EntraAuditLogsDCR**". After creating the "**EntraAuditLogsDCR**" Data Collection Rule in the way that was shown for "**EntraSignInLogsDCR**", enter "**EntraAuditLogs**" as the table name and select "**EntraAuditLogsDCE**" from the drop-down list. + +![DCRLogIngestion_Data_Collection_Rule_8](Images/DCRLogIngestion_Data_Collection_Rule_8.png) + +Upload the file content located at [Samples/AuditLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/AuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_9](Images/DCRLogIngestion_Data_Collection_Rule_9.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_10](Images/DCRLogIngestion_Data_Collection_Rule_10.png) + +This process will need to be repeated for "**OfficeActivityLogsDCR**". After creating the "**OfficeActivityLogsDCR**" Data Collection Rule in the way that was shown for “**EntraSignInLogsDCR**", enter "**OfficeActivityLogs**" as the table name and select "**OfficeActivityLogsDCE**" from the drop down list. + +![DCRLogIngestion_Data_Collection_Rule_11](Images/DCRLogIngestion_Data_Collection_Rule_11.png) + +Upload the file content located at [Samples/OfficeActivityLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/O365GeneralAuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_12](Images/DCRLogIngestion_Data_Collection_Rule_12.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_13](Images/DCRLogIngestion_Data_Collection_Rule_13.png) + +From each of the created [Data Collection Rule overview pages](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules), take note of the "**Immutable Id**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_14](Images/DCRLogIngestion_Data_Collection_Rule_14.png) + +Lastly, from each of the created Data Collection Rule data sources pages, take note of the "**Data source**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_15](Images/DCRLogIngestion_Data_Collection_Rule_15.png) + +#### Create an App Registration for the DCRs + +From the **tenant that is to receive the data**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". + +![DCRLogIngestion_App_Registration_DCR_1](Images/DCRLogIngestion_App_Registration_DCR_1.png) + +Enter "**DCRLogIngestionAppReg**" for the name and select "**Accounts in this organizational directory only**" for "**Supported account types**. All else can be left as is. Click "**Register**" + +![DCRLogIngestion_App_Registration_DCR_2](Images/DCRLogIngestion_App_Registration_DCR_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**", as this will be needed for deployment. + +![DCRLogIngestion_App_Registration_DCR_3](Images/DCRLogIngestion_App_Registration_DCR_3.png) + +A client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**”. Enter a description and select the desired expiration date, then click "**Add**". + +![DCRLogIngestion_App_Registration_DCR_4](Images/DCRLogIngestion_App_Registration_DCR_4.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +![DCRLogIngestion_App_Registration_DCR_5](Images/DCRLogIngestion_App_Registration_DCR_5.png) + +Next, IAM access for this App Registration will need to be added from each of the DCRs created in the previous step. Navigate to the Data Collection Rules page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules + +Select the "**EntraSignInLogsDCR**" and select "**Access control (IAM)**". Click "**Add**" and select "**Add role assignment**". + +![DCRLogIngestion_App_Registration_DCR_6](Images/DCRLogIngestion_App_Registration_DCR_6.png) + +Select "**Monitoring Metrics Publisher**" and click "**Next**". + +![DCRLogIngestion_App_Registration_DCR_7](Images/DCRLogIngestion_App_Registration_DCR_7.png) + +Select "**User, group, or service principal**" as the access option, then click "**Select members**". Paste "**DCRLogIngestionAppReg**" into the search bar at the top of the right pane and select the app registration that appears, then click "**Select**". + +![DCRLogIngestion_App_Registration_DCR_8](Images/DCRLogIngestion_App_Registration_DCR_8.png) + +Click "**Review + assign**". + +![DCRLogIngestion_App_Registration_DCR_9](Images/DCRLogIngestion_App_Registration_DCR_9.png) + +Repeat this process for the "**EntraAuditLogsDCR**". + +![DCRLogIngestion_App_Registration_DCR_10](Images/DCRLogIngestion_App_Registration_DCR_10.png) + +Lastly, repeat this process for "**OfficeActivityLogsDCR**". + +![DCRLogIngestion_App_Registration_DCR_11](Images/DCRLogIngestion_App_Registration_DCR_11.png) + +#### Create a Receiving App Registration Azure Key Vault Secret + +As before, secret from the previous step will need to be stored in the **tenant that is to receive the data**. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Receiving_Key_Vault_1.png) + +Choose a name for the secret, such as "**DCRLogIngestion-ReceivingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". + +![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Receiving_Key_Vault_2.png) + +# +### Deployment + +To configure and deploy this playbook: + +Open your browser and ensure you are logged into your Microsoft Sentinel workspace from the **tenant that is to receive the data**. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository: + +https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Microsoft-DCR-Log-Ingestion%2Fmain%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Microsoft-DCR-Log-Ingestion%2Fmain%2Fazuredeploy.json) + +Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template. + +In the **Project Details** section: + +* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to. + +In the **Instance Details** section: + +* **Playbook Name**: This can be left as "**AS-Microsoft-DCR-Log-Ingestion**" or you may change it. + +* **Sending App Registration Tenant Id**: Enter the Directory (tenant) Id of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). + +* **Sending App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). + +* **Sending Tenant Subscription ID**: Enter the [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) of the tenant that will be sending the data. + +* **Receiving App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to receive data, referenced in [Create an App Registration for the DCRs](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-for-the-dcrs). + +* **Key Vault Name**: Enter the name of the key vault referenced in [Create an Azure Key Vault Secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +* **Sending App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the sending App Registration client secret, created in [Create an App Registration Azure Key Vault Secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret). + +* **Receiving App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the receiving App Registration client secret, created in [Create a Receiving App Registration Azure Key Vault Secret](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-a-receiving-app-registration-azure-key-vault-secret). + +* **Entra Sign In Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraSignInLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). + +* **Entra Sign In Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Sign In Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Audit Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraAuditLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). + +* **Entra Audit Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Audit Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Office Activity Ingestion URL**: Enter the Logs Ingestion URL from the OfficeActivityLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). + +* **Office Activity Immutable Id**: Enter the Logs Ingestion Immutable Id from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Office Activity Data Source**: Enter the Logs Ingestion Data Source from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +Towards the bottom, click on "**Review + create**". + +![DCRLogIngestion_Deploy_1](Images/DCRLogIngestion_Deploy_1.png) + +Once the resources have validated, click on "**Create**". + +![DCRLogIngestion_Deploy_2](Images/DCRLogIngestion_Deploy_2.png) + +The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them. +Click the one corresponding to the Logic App. + +![DCRLogIngestion_Deploy_3](Images/DCRLogIngestion_Deploy_3.png) + +# +### Granting Access to Azure Key Vault + +Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secrets, located in the **tenant that is to receive the data**. + +From the Logic App menu blade, select the "**Identity**" tab, located under the "**Settings**" section. Click "**Azure role assignments**". + +![DCRLogIngestion_Key_Vault_Access_1](Images/DCRLogIngestion_Key_Vault_Access_1.png) + +Click "**Add role assignment**" then select "**Key Vault**" as the scope, select your Key Vault Name, then select "**Key Vault Secrets User**" for the role. Click "**Save**". + +![DCRLogIngestion_Key_Vault_Access_2](Images/DCRLogIngestion_Key_Vault_Access_2.png) + +# +### Ensuring your Subscription is Enabled + +To ensure the subscription is enabled for the app registration used to access the"**O365 Audit General Logs**", the [OfficeAuditSubscribtionEnable](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Scripts/OfficeAuditSubscribtionEnable.ps1) should be run from an [Azure Cloud Shell Window](https://learn.microsoft.com/en-us/azure/cloud-shell/new-ui-shell-window) from the tenant you wish to **send the Microsoft Graph and Office data from**. + +![DCRLogIngestion_Azure_Cloud_Shell_1](Images/DCRLogIngestion_Azure_Cloud_Shell_1.png) + +Click the "**PowerShell**" option, then select the appropriate subscription for the sending tenant. + +![DCRLogIngestion_Azure_Cloud_Shell_2](Images/DCRLogIngestion_Azure_Cloud_Shell_2.png) + +Copy and paste the script into the Azure Cloud Shell PowerShell window and hit enter. You will be prompted to enter your **sending** tenant, as well as the **sending** app registration client ID and client secret. + +![DCRLogIngestion_Azure_Cloud_Shell_3](Images/DCRLogIngestion_Azure_Cloud_Shell_3.png) + +# +### Enable the Logic App + +After all of the above steps are completed, from the Logic App Overview page, click "**Enable**". + +![DCRLogIngestion_Logic_App_Enable_1](Images/DCRLogIngestion_Logic_App_Enable_1.png) diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json new file mode 100644 index 00000000000..4bf6318837a --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json @@ -0,0 +1,278 @@ +[ + { + "id": "Directory_sample-id_1", + "category": "Device", + "correlationId": "sample-correlation-id-1", + "result": "success", + "resultReason": "", + "activityDisplayName": "Update device", + "activityDateTime": "2024-09-14T00:46:35.7046089Z", + "TimeGenerated": "2024-09-14T00:46:35.7046089Z", + "loggedByService": "Core Directory", + "operationType": "Update", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Device Registration Service", + "servicePrincipalId": "sample-service-principal-id-1", + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-1", + "displayName": "Device1234", + "type": "Device", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "DeviceOSVersion", + "oldValue": "[\"10.0.19045.4651\"]", + "newValue": "[\"10.0.19045.4780\"]" + }, + { + "displayName": "Included Updated Properties", + "oldValue": null, + "newValue": "\"DeviceOSVersion\"" + }, + { + "displayName": "TargetId.DeviceId", + "oldValue": null, + "newValue": "\"sample-device-id-1\"" + }, + { + "displayName": "TargetId.DeviceOSType", + "oldValue": null, + "newValue": "\"Windows\"" + }, + { + "displayName": "TargetId.DeviceTrustType", + "oldValue": null, + "newValue": "\"ServerAd\"" + } + ] + } + ], + "additionalDetails": [ + { + "key": "DeviceId", + "value": "sample-device-id-1" + }, + { + "key": "DeviceOSType", + "value": "Windows" + }, + { + "key": "DeviceTrustType", + "value": "ServerAd" + }, + { + "key": "User-Agent", + "value": "Microsoft.OData.Client/7.12.5" + } + ] + }, + { + "id": "UserManagement_sample-id_2", + "category": "UserManagement", + "correlationId": "sample-correlation-id-2", + "result": "clientError", + "resultReason": null, + "activityDisplayName": "Invite external user", + "activityDateTime": "2024-09-14T00:46:19.8135019Z", + "TimeGenerated": "2024-09-14T00:46:19.8135019Z", + "loggedByService": "Invited Users", + "operationType": "Add", + "initiatedBy": { + "user": null, + "app": { + "appId": "sample-app-id-2", + "displayName": "Microsoft.Azure.SyncFabric", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-2", + "displayName": "John Doe (SUP)", + "type": "User", + "userPrincipalName": "john.doe_sample@domain.com", + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "oid", + "value": "sample-oid-1" + }, + { + "key": "tid", + "value": "sample-tid-1" + }, + { + "key": "ipaddr", + "value": "" + }, + { + "key": "wids", + "value": "sample-wids" + }, + { + "key": "InvitationId", + "value": "sample-invitation-id-1" + }, + { + "key": "invitedUserEmailAddress", + "value": "john.doe_sample@domain.com" + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_3", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-3", + "result": "success", + "resultReason": "User 'sample.user@domain.com' was deleted in Microsoft Entra ID", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:55.9931961Z", + "TimeGenerated": "2024-09-14T00:44:55.9931961Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-3", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + }, + { + "id": null, + "displayName": "sample.user@domain.com", + "type": "User", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "Details", + "value": "" + }, + { + "key": "ErrorCode", + "value": "" + }, + { + "key": "EventName", + "value": "EntryExportDelete" + }, + { + "key": "ipaddr", + "value": null + }, + { + "key": "JoiningProperty", + "value": "[Type: 5, Identity Provider: , Key: sample-key]" + }, + { + "key": "oid", + "value": null + }, + { + "key": "SourceAnchor", + "value": "sample-source-anchor" + }, + { + "key": "TargetAnchor", + "value": "sample-target-anchor" + }, + { + "key": "tid", + "value": null + }, + { + "key": "wids", + "value": null + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_4", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-4", + "result": "failure", + "resultReason": "Failed to update User 'jane.doe@domain.com'; Error: The domain portion of the userPrincipalName property is invalid.", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:54.7303184Z", + "TimeGenerated": "2024-09-14T00:44:54.7303184Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-4", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "streetAddress", + "oldValue": null, + "newValue": "\"123 Sample St\"" + }, + { + "displayName": "city", + "oldValue": null, + "newValue": "\"Sample City\"" + }, + { + "displayName": "state", + "oldValue": null, + "newValue": "\"Sample State\"" + }, + { + "displayName": "postalCode", + "oldValue": null, + "newValue": "\"12345\"" + }, + { + "displayName": "companyName", + "oldValue": null, + "newValue": "\"Sample Company\"" + }, + { + "displayName": "jobTitle", + "oldValue": null, + "newValue": "\"Sample Title\"" + } + ] + } + ], + "additionalDetails": [] + } +] diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json new file mode 100644 index 00000000000..7d8f5cf6aac --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json @@ -0,0 +1,294 @@ +[ + { + "CreationTime": "2024-09-17T00:29:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-1", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-1", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0.0.0.0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPad14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-1", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0.0.0.0", + "InterSystemsId": "sample-intersystems-id-1", + "IntraSystemId": "sample-id-1", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-1" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:30:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-2", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-2", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "sample-object-id-2", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Redirect" + }, + { + "Name": "UserAgent", + "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Authorize" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-2", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-2", + "IntraSystemId": "sample-id-2", + "SupportTicketId": "", + "Target": [ + { + "ID": "sample-object-id-2", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "sample-application-id-2", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Windows10" + }, + { + "Name": "BrowserType", + "Value": "Edge" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-2" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:26:56", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-3", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-3", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone13C2/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-3", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-3", + "IntraSystemId": "sample-id-3", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-3" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:28:55", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-4", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-4", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-4", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-4", + "IntraSystemId": "sample-id-4", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-4" + } + ], + "ErrorNumber": "0" + } +] diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json new file mode 100644 index 00000000000..49818f544c4 --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json @@ -0,0 +1,146 @@ +[ + { + "id": "SIGNIN_ID_PLACEHOLDER_1", + "createdDateTime": "2024-09-13T01:13:51Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_1", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_2", + "createdDateTime": "2024-09-13T01:13:48Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_2", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 65001, + "failureReason": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_3", + "createdDateTime": "2024-09-13T01:13:20Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_3", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + } +] diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 new file mode 100644 index 00000000000..617f3bc6e48 --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 @@ -0,0 +1,33 @@ +# Prompt for tenantId, clientId, and clientSecret +$tenantId = Read-Host -Prompt "Enter Tenant ID" +$clientId = Read-Host -Prompt "Enter Client ID" +$clientSecret = Read-Host -Prompt "Enter Client Secret Value" + +# Get an OAuth token for the API +$body = @{ + grant_type = "client_credentials" + resource = "https://manage.office.com" + client_id = $clientId + client_secret = $clientSecret +} + +$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Body $body +$token = $tokenResponse.access_token + +# Check the subscription status +$headers = @{ + Authorization = "Bearer $token" +} + +$uri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list" +$subscriptions = Invoke-RestMethod -Uri $uri -Headers $headers +$subscriptions + +# Define the URL for starting the subscription +$startUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" + +# Start the subscription +$startSubscription = Invoke-RestMethod -Uri $startUri -Headers $headers -Method POST + +# Output the result +$startSubscription diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json new file mode 100644 index 00000000000..4fc210da162 --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json @@ -0,0 +1,482 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "AS-Microsoft-DCR-Log-Ingestion", + "description": "This playbook is intended to be run ", + "preDeployment": ["App registration", "Data collection Endpoints", "Data Collection Rules", "Azure Keyvault Secret"], + "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook"], + "lastUpdateTime": "2024-08-21T17:48:00Z", + "tags": ["Microsoft Graph", "Microsoft Office"], + "support": { + "tier": "partner" + }, + "author": { + "name": "Accelerynt" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "AS-Microsoft-DCR-Log-Ingestion", + "type": "string", + "metadata": { + "description": "Name of the Logic App resource to be created" + } + }, + "SendingAppRegistrationTenantId": { + "type": "string", + "metadata" : { + "description" : "Enter the Directory (tenant) Id of the App Registration that will be used to send data" + } + }, + "SendingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to send data" + } + }, + "SendingTenantSubscriptionID": { + "type": "string", + "metadata" : { + "description" : "Enter the subscription ID for the tenant that will send the data" + } + }, + "ReceivingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to receive data" + } + }, + "KeyVaultName": { + "type": "string", + "metadata" : { + "description" : "Name of the Key Vault that stores the App Registration client secrets" + } + }, + "SendingAppRegistrationKeyVaultSecretName": { + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the sending App Registration client secret" + } + }, + "ReceivingAppRegistrationKeyVaultSecretName": { + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the receiving App Registration client secret" + } + }, + "EntraSignInLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraSignInLogs DCE" + } + }, + "EntraSignInLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraSignInLogs DCR" + } + }, + "EntraSignInLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraSignInLogs DCR" + } + }, + "EntraAuditLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraAuditLogs DCE" + } + }, + "EntraAuditLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraAuditLogs DCR" + } + }, + "EntraAuditLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraAuditLogs DCR" + } + }, + "OfficeActivityIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the OfficeActivty DCE" + } + }, + "OfficeActivtyImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the OfficeActivty DCR" + } + }, + "OfficeActivtyDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the OfficeActivty DCR" + } + } + }, + "variables": { + "keyvault": "[concat('keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('keyvault')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('KeyVaultName')]" + }, + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('keyvault'))]" + ], + "properties": { + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Minute", + "interval": 5 + }, + "recurrence": { + "frequency": "Minute", + "interval": 5 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_Each_-_O365_Audit_Logs": { + "actions": { + "For_each_-_Content_URI_Item": { + "actions": { + "HTTP_-_Send_Data_to_Office_Activity_Logs_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Content_URI_Item')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Content_URI_Item')))}", + "Content-Type": "application/json", + "Host": "[parameters('OfficeActivityIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('OfficeActivityIngestionURL'), '/dataCollectionRules/', parameters('OfficeActivtyImmutableId'), '/streams/', parameters('OfficeActivtyDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@json(body('HTTP_-_Get_O365_Content'))", + "runAfter": { + "HTTP_-_Get_O365_Content": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP_-_Get_O365_Content": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "method": "GET", + "uri": "@{items('For_Each_-_O365_Audit_Logs')?['contentUri']}" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_O365_Audit_General_Logs')", + "runAfter": { + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Audit_Logs": { + "actions": { + "HTTP_-_Send_Data_to_Entra_Audit_Log_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Audit_Logs')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Audit_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraAuditLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraAuditLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraAuditLogsImmutableId'), '/streams/', parameters('EntraAuditLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_Audit_Logs')?['value']", + "runAfter": { + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Sign_in_Logs": { + "actions": { + "HTTP_-_Send_Data_to_SignInLog_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Sign_in_Logs')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Sign_in_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraSignInLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraSignInLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraSignInLogsImmutableId'), '/streams/', parameters('EntraSignInLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_SignIn_Logs')?['value']", + "runAfter": { + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_O365_Audit_General_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_SignIn_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_Audit_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + "Get_Receiving_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_SignIn_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + "For_each_-_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_O365_Audit_General_Logs": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "[concat('https://manage.office.com/api/v1.0/', parameters('SendingTenantSubscriptionID'),'/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&PublisherIdentifier=Microsoft?&startTime=@{addMinutes(variables(''UTCNow''), -5)}&endTime=@{variables(''UTCNow'')}')]" + }, + "runAfter": { + "For_each_-_Entra_Sign_in_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "Initialize_variable_-_UTC_Now": { + "description": "Get the current time stamp so it is the same in all references", + "inputs": { + "variables": [ + { + "name": "UTCNow", + "type": "string", + "value": "@{utcNow()}" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Get_Sending_App_Registration_Client_Secret": { + "runAfter": { + "Initialize_variable_-_UTC_Now": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('SendingAppRegistrationKeyVaultSecretName'), ''')}/value')]" + } + }, + "Get_Receiving_App_Registration_Client_Secret": { + "runAfter": { + "Get_Sending_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('ReceivingAppRegistrationKeyVaultSecretName'), ''')}/value')]" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]", + "connectionName": "[variables('keyvault')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ] +}