External Systems Configuration Guide

Microsoft Entra Identity Protection

Microsoft Entra ID Protection uses advanced machine learning to identify sign-in risks and unusual user behavior to block, challenge, limit, or allow access. For more information, see here.

Support Added: FortiSIEM 6.6.0

Vendor Version Tested: Not Provided

Vendor: Microsoft

Product: Entra Identity Protection

Product Information: https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id-protection

FortiSIEM supports ingesting data from the Microsoft Graph List Risky Users API using the FortiSIEM "HTTPS Advanced" credential type (also known as the Generic Log API Poller feature), available in FortiSIEM 6.6.0 and later. See Configuring Microsoft Graph List Risky Users API using Generic HTTPS Poller for details.

Configuration

Configuring Microsoft Graph List Risky Users API using Generic HTTPS Poller

To configure the Microsoft Graph List riskyUsers API integration, you will need to perform setup first in Entra and then in FortiSIEM, as described in the following steps.

Notes:

  • Using the riskyUsers API requires a Microsoft Entra ID P2 license.

  • The availability of risky user data is governed by the Microsoft Entra data retention policies.

References:

What is Microsoft Entra Identity Protection

Overview of Graph List riskyUsers API

Overview of the FortiSIEM HTTPS Advanced (Generic Log API Poller) no-code feature for ingesting third party JSON APIs

Setup in Entra

Configuring Microsoft Entra ID (Formerly Azure AD) Application for access to Graph APIs

  1. Follow the guide for the Office 365 integration here, which also includes the necessary permissions for accessing the List Risky Users API.

    Note: Most Entra ID (Formerly Azure AD) customers are also users of Office 365. If so, follow the entire guide here and you can use the same credential for both Office 365 and List Risky Users API integrations.

If you do not need the Office 365 integration, you can instead create only the credential described below, with the necessary Graph API permissions.

Note: Information for Microsoft configuration here is taken from https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant.

Create Office 365 Credential

  1. Log in to the Azure portal.

  2. From the portal menu, select Microsoft Entra ID (Formerly Azure AD).

  3. From the left navigation, select App registrations > New registration.

  4. In the Name field, enter "FortiSIEM App".

  5. From Supported Account Types, select Accounts in this organizational directory only (<domain> only – single tenant).

  6. Leave Redirect URI (optional) blank.

  7. Click Register.

  8. On the redirected page showing your registration details, record the following for later.

    • Application (client) ID

    • Directory (tenant) ID

Generate Secret Key

To generate a secret key, take the following steps:

  1. From the left navigation, select Certificates & secrets > Client secrets > New client secret.

  2. In the right side panel, enter the following information:

  3. In the Description field, enter "FortiSIEM Secret Key".

  4. From the Expires drop-down list, select 730 days (24 months), or your desired expiration.

    Note: You must update the key in FortiSIEM configuration BEFORE it expires by creating a new key before retiring the old one.

  5. Click Add.

  6. Record the new API Key secret value at the bottom of the page. You can only view this once, so store the information in a secure location for configuration later.

Configure API Permissions for Application Registration

  1. From the left navigation, select API permissions > Add a permission.

  2. Select Microsoft Graph.

  3. Select Application permissions.

  4. Select the following permissions:

    • IdentityRiskyUser.Read.All

    • IdentityRiskEvent.Read.All

    • IdentityRiskyServicePrincipal.Read.All

  5. Save your configuration.

Administrator Consent

  1. After saving, click Grant admin consent for <tenant>.

  2. When the alert Do you want to grant consent for the requested permissions for all accounts in your_organization? appears, select Yes. This updates any existing admin consent records for this application to match the permissions you have configured.
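Before moving on to FortiSIEM, you can confirm that the app registration, client secret and admin consent work together by requesting an app-only token yourself and inspecting its roles claim, which is where Entra places the granted application permissions. This is an added Python example, not FortiSIEM's or Microsoft's code; it uses the token URL from this guide and the standard https://graph.microsoft.com/.default client-credentials scope, and request_app_token, missing_roles and check_registration are names chosen here.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions this guide has you grant (names from the page).
REQUIRED_ROLES = {
    "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All",
    "IdentityRiskyServicePrincipal.Read.All",
}

def request_app_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the token URL used in the guide.
    The .default scope asks for every application permission that has been
    admin-consented for this app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def decode_jwt_payload(token):
    """Read the payload of a JWT without verifying it. Signature checking is
    Graph's job as the audience; here we only inspect our own token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token, required=frozenset(REQUIRED_ROLES)):
    """Required application permissions absent from the token's `roles`
    claim. An empty set means admin consent covered everything."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted

def check_registration(tenant_id, client_id, client_secret):
    """Fetch a token and report consent gaps; returns the missing set."""
    missing = missing_roles(request_app_token(tenant_id, client_id, client_secret))
    if missing:
        print("Admin consent incomplete, missing:", ", ".join(sorted(missing)))
    else:
        print("All required application permissions are present in the token.")
    return missing

if __name__ == "__main__":
    # Usage: script.py <tenant-id> <client-id>; the secret comes from an
    # environment variable so it stays out of shell history and process lists.
    check_registration(sys.argv[1], sys.argv[2], os.environ["GRAPH_CLIENT_SECRET"])
```

A non-empty result usually means consent was granted before the permission list was saved, or was granted for a different tenant; re-run Grant admin consent and request a fresh token, since existing tokens keep their old roles until they expire.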

Setup FortiSIEM Credential to call the List riskyUsers API Endpoint

Setup in FortiSIEM for a new integration using the Generic Log API Poller can be broken down into the following general steps:

  • Create a New Device/Application

  • Create the Credentials Configuration

  • Create the Credentials Mapping

  • Test the Credential

After testing the credential, you can search for Risky User events. More information on parsing of new events is here.

To connect the Microsoft List riskyUsers API to FortiSIEM, take the following steps.

Create a New Device/Application

Note: If this device type already exists, you can skip this step, and proceed to Create the Credentials Configuration.

  1. Navigate to ADMIN > Device Support > Devices/Apps.

  2. Click New.

  3. From the Device/Application Type Definition dialog box, take the following steps.

    1. From the Category drop-down list, select Application.

    2. In the Vendor field, enter "Microsoft".

    3. In the Model field, enter "Graph API Platform".

    4. In the Version field, enter "ANY".

    5. From the Device/App Group drop-down list, select:

      • Applications > Infrastructure App > Security Mgmt Server

      • Applications > Infrastructure App > Cloud Mgmt

    6. Leave Biz Service Group blank.

    7. From the Access Protocol drop-down list, remove SSH, SNMP, and TELNET.

    8. From the Access Protocol drop-down list, select HTTPS Advanced.

    9. Leave App Package Group blank.

    10. Click Save.

Create the Credentials Configuration

  1. Navigate to ADMIN > Setup > Credentials.

  2. Under Step 1: Enter Credentials, click New.

  3. In the Name field, enter a name, for example "Graph_Risky_Users".

  4. From the Device Type drop-down list, select Microsoft Graph.

  5. From the Access Protocol drop-down list, select HTTPS Advanced.

  6. Download the following file: Microsoft_Graph_List_Risky_Users.json

  7. Click Import Definition.

  8. Select the file you just downloaded from step 6, and click Import.

  9. Click Yes to overwrite.

  10. Click the Authentication Parameters icon, and take the following steps.

    1. With the General tab selected, take the following steps.

      1. In the Access Token URL field, replace "xxxxx" with your Directory (tenant) ID that you recorded earlier.

        https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/token

      2. In the Client Id field, enter the Application (client) ID you recorded earlier.

      3. In the Client Secret field, enter the client secret you recorded earlier.

      4. Click OK.

    2. Click Save.

Create the Credentials Mapping

  1. Under Step 2: Enter IP Range to Credential Associations, click New.

  2. From the Device Credential Mapping Definition dialog box, take the following steps.

    1. From the Credentials drop-down list, select the credential you just created (Graph_Risky_Users).

    2. Click Save.

Test the Credential

  1. Ensure the credentials mapping you just created is selected. If not, select it.

  2. Under Step 2: Enter IP Range to Credential Associations, click the Test drop-down list, and select Test Connectivity without Ping.

    If successful, it should take about 5 minutes before the first pull job is complete. Click the Pull Events tab to view the status.

    Icon                                    Description
    Yellow Star                             Job is queued and has not started yet. Typically, a job takes 5 minutes to complete.
    Green Check                             Most recent event pull of the pull job succeeded.
    Yellow Triangle with Exclamation Point  An error occurred during the most recent event pull. Hover over the icon to get more information.

    If you encounter an error, refer to Common Errors for additional information that may help you resolve the issue.

Searching for List riskyUsers Graph API events

Navigate to Analytics, click the Edit Filters and Time Range... search field, and run the following query by first selecting Filter By: Event Attribute, then entering/selecting the following:

    Attribute        Operator   Value
    Raw Event Log    CONTAIN    graph_risky_users

When done, click Apply & Run.

Sample Event

Nov 02 12:38:10 2023 graph.microsoft.com 192.0.20.0 graph_risky_users: {"id": "123456", "isDeleted": false, "isProcessing": false, "riskLevel": "none", "riskState": "dismissed", "riskDetail": "adminDismissedAllRiskForUser", "riskLastUpdatedDateTime": "2023-11-01T15:57:37.5356848Z", "userDisplayName": "example user", "userPrincipalName": "exampleUser"}

Parsing of New Events

In general, no parser exists yet for the events of a new integration, so they arrive as unknown events until a custom parser is created. See Creating a Custom Parser for more information. For this particular integration, however, the parser is pre-defined.
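The sample event above carries the riskyUser record as JSON after a syslog-style FortiSIEM header. As an added illustration, not FortiSIEM's pre-defined parser, the following Python splits that header from the record and applies a simple triage rule over the riskState and riskLevel values the Graph API emits; parse_event and triage are names chosen here, the triage thresholds are an assumed analyst workflow, and the sample line is constructed from the guide's example.

```python
import json
import re
from datetime import datetime

# Shape of the raw event from the guide's Sample Event:
#   <Mon DD HH:MM:SS YYYY> <reporting host> <reporter IP> graph_risky_users: <JSON>
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<ip>\S+) graph_risky_users: (?P<json>\{.*\})$"
)

# Constructed sample line, modelled on the guide's example event.
SAMPLE = (
    "Nov 02 12:38:10 2023 graph.microsoft.com 192.0.20.0 graph_risky_users: "
    '{"id": "123456", "isDeleted": false, "isProcessing": false, '
    '"riskLevel": "none", "riskState": "dismissed", '
    '"riskDetail": "adminDismissedAllRiskForUser", '
    '"riskLastUpdatedDateTime": "2023-11-01T15:57:37.5356848Z", '
    '"userDisplayName": "example user", "userPrincipalName": "exampleUser"}'
)

# riskLevel ordering; hidden/unknownFutureValue carry no usable severity.
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}  # still open in Identity Protection

def parse_event(line):
    """Split the FortiSIEM header from the riskyUser JSON body.
    Returns None for lines that are not graph_risky_users events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    record = json.loads(m.group("json"))
    record["received"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
    record["reporter"] = m.group("host")
    record["reporterIP"] = m.group("ip")
    return record

def triage(event):
    """Assumed analyst workflow: confirmed compromise is an incident, an open
    medium/high risk is investigated, other open risk is watched, and closed
    states (remediated, dismissed, confirmedSafe, none) need no action."""
    if event.get("isDeleted"):
        return "ignore-deleted"
    state = event.get("riskState")
    if state == "confirmedCompromised":
        return "incident"
    if state == "atRisk" and LEVEL_RANK.get(event.get("riskLevel"), -1) >= 2:
        return "investigate"
    if state in OPEN_STATES:
        return "monitor"
    return "closed"

if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev["userPrincipalName"], ev["riskState"], ev["riskLevel"], "->", triage(ev))
```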
