Facing issues setting up Azure AD Feed Connector

Hello folks,

I have been getting an 'internal error' from the Chronicle SIEM feed creation to collect Azure AD logs.

I have tested the credentials required for the connection with Postman, and they work perfectly.

I don't know why the Chronicle feed is throwing this error; could anyone please help?

1 ACCEPTED SOLUTION

Not sure if this will solve it but here are a few things to review.

I believe Microsoft expects that E5 customers are the ones who can move data of this sort; I had tested an E3 instance a few months back and didn't have any luck, but perhaps something has changed there. That would be the first thing that jumps to mind. A close second is that Entra ID sign-in events are being logged (can't think of a reason why they would not be, but figured I would mention it).

If you are meeting the bar there, then I would validate the tenant ID, application ID and secret are all correct, no leading or trailing spaces in the feed manager (just in case) and permissions for the Graph API are set.

When you initially set up the feed and enable it, let it sit for a little bit, not hours, but 15-30 min to let it work through and start pulling data. I have on occasion been quick with the toggle and a refresh and find sometimes that I get an error on a feed because I wasn't letting it finish its pull.

If one of the above were incorrect, I would expect that you might get a 400 or 403 or 404 message, not internal error which isn't super helpful. If all of the above is validated, I would probably suggest opening a ticket with tech support.
