For the Orchestrator to request information from Azure AD via the MS Graph API, the following sequence of steps is necessary:
If you have already set up an Azure Application Registration with the Directory.Read.All permission, you already have the permissions required for Real-Time integration. In that case, skip to Step 4 below, Configure the SafeTitan portal.
1. Create an application registration in Azure AD. Refer to the details provided in Register an Application in the Microsoft Azure App Registration Portal.
2. Create an application secret. After you've created an Application Registration in Azure AD, you'll need to generate an application secret. Your SafeTitan instance will use this value to prove its identity when connecting to Azure. See Create an Application Secret for help.
3. Configure Permissions for Microsoft Graph. After you have generated an application secret, you'll need to configure the permission granted to the SafeTitan App, which is Directory.Read.All. You can follow the steps in Configure Permissions Required by SafeTitan, but note that for Real-Time integration, only Directory.Read.All is required.
4. Configure the SafeTitan portal. After you've configured permissions for Microsoft Graph on your app, you can update your Orchestrator configuration in the SafeTitan portal.
Go to your SafeTitan portal, and select Real-Time Integrations > Orchestrator Settings.
Select Generate Orchestration Package, which will add a new Orchestrator configuration to the list.
Select the Edit button next to the Orchestrator package that was generated.
In the window that opens, complete the following fields:
Name: Enter a label for the Orchestrator. This can be a useful identifier in a multi-orchestrator setup.
Tenant ID: Enter the name or ID of your Azure Tenant.
Application ID: Enter the Application ID value that was provided when you created your application registration in Azure (step 5).
Application Secret: Enter the value that was provided when your Application Secret was generated (step 3). The secret value is only shown at generation time, so copy it then.
Event Grid Endpoint: This is a pre-populated field containing the endpoint used by the Orchestrator to forward events to the SafeTitan cloud platform.
Event Grid Shared Access Signature: This is a pre-populated field that is used to authenticate connections to the Event Grid endpoint.
AD Identifier: The default value is mail. If a different Azure AD attribute holds the user's SafeTitan username, enter that attribute here instead.
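Before saving the Orchestrator configuration, it is worth confirming that the app registration carries exactly the permission step 3 calls for and nothing more. The check below is an added example, not SafeTitan's own code: it decodes the payload of an app-only (client credentials) access token issued for Microsoft Graph and compares its roles claim against the required set, so an app that was never admin-consented (no roles) or one that was granted extra permissions is flagged. The token here is constructed and unsigned for offline use; the `audit_app_token` helper name and the all-zero Application ID are placeholders.

```python
import base64
import json

# The only application permission the Real-Time integration needs (from the
# SafeTitan steps above); anything beyond it is excess privilege to review.
REQUIRED_ROLES = {"Directory.Read.All"}
# Graph tokens carry either of these audience values.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is deliberately NOT verified:
    this audits a token the app obtained for itself, it does not accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_app_token(token: str) -> dict:
    """Compare an app-only token's granted roles with what the Orchestrator needs.
    Application permissions appear in the 'roles' claim only after admin consent,
    so an empty 'roles' shows up here as a missing permission."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "missing": sorted(REQUIRED_ROLES - granted),
        "excess": sorted(granted - REQUIRED_ROLES),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token purely for offline demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: an app granted more than the integration requires.
OVERPRIVILEGED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder Application ID
    "roles": ["Directory.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print(audit_app_token(OVERPRIVILEGED_TOKEN))
```

A non-empty `excess` list means the registration should be trimmed back to Directory.Read.All before it is wired into the Orchestrator.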
Next, you need to integrate your chosen SIEM / Network monitoring application.