Microsoft Azure Security Center

The JSA DSM for Microsoft Azure Security Center collects JSON events from Microsoft Azure Security Center by using the Microsoft Graph Security API protocol.

To integrate Microsoft Azure Active Directory with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • Microsoft Azure Security Center DSM RPM

    • Microsoft Graph Security API Protocol DSM

  2. Configure Microsoft Azure Security Center to send events to JSA.

    Note:

    JSA supports events only from the Microsoft Azure Security Center provider. Events sent to JSA must have "provider:ASC" or "provider":"Azure Security Center" in the payload.

  3. Add a Microsoft Azure Security Center log source on the JSA Console.

Microsoft Azure Security Center DSM Specifications

When you configure the Microsoft Azure Security Center, understanding the specifications for the Microsoft Azure Security Center DSM can help ensure a successful integration. For example, knowing what event format is supported for Microsoft Azure Security Center before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Microsoft Azure Security Center DSM.

Table 1: Microsoft Azure Security Center DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Security Center |
| RPM file name | DSM-MicrosoftAzureSecurity Center-JSA-version-Build_number.noarch.rpm |
| Protocol | Microsoft Graph Security API |
| Event format | JSON |
| Recorded event types | Security alert |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Security alerts - a reference guide |

Microsoft Graph Security API Protocol Log Source Parameters for Microsoft Azure Security Center

Add a Microsoft Azure Security Center log source on the JSA Console by using the Microsoft Graph Security API protocol.

The following table describes the parameters that require specific values to collect Microsoft Graph Security API events from Microsoft Azure Security Center:

Table 2: Microsoft Graph Security API log source parameters for the Microsoft Azure Security Center DSM

| Parameter | Value |
| --- | --- |
| Log Source type | Microsoft Azure Security Center |
| Protocol Configuration | Microsoft Graph Security API |
| Log Source Identifier | A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Security Center log sources, you might want to identify the first log source as MASC-1, the second log source as MASC-2, and the third log source as MASC-3. |
| Tenant ID | To find the Tenant ID parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > Overview or select Azure Active Directory > App registration > Microsoft Graph Security App > Overview. |
| Client ID | To find the Client ID parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > App registration > Microsoft Graph Security App > Overview. |
| Client Secret | To find the Client Secret parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > App registration > Microsoft Graph Security App > Certificates and secrets > Client secrets. If there is no client secret, you can create one there. |

Microsoft Azure Security Center Sample Event Message

Use these sample event messages as a way of verifying a successful integration with JSA.

Note:

Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Microsoft Azure Security Center sample message when you use the Microsoft Graph Security API protocol

Table 3: Highlighted fields

| JSA field name | Highlighted payload field name |
| --- | --- |
| Event Category | category |
| logsource time | eventDateTime |
| Username | accountName |
| Source IP | publicIpAddress |
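
The following Python check is an added example, not part of the Juniper documentation: it applies the provider rule from step 2 and pulls the Table 3 fields out of a pasted alert so you can compare them with what JSA parsed. The sample alert is constructed, and its nesting (`vendorInformation`, `userStates`, `hostStates`) and the helper names are assumptions.

```python
import json

# Provider values the page says JSA accepts for this DSM.
ACCEPTED_PROVIDERS = {"ASC", "Azure Security Center"}

# JSA field name -> payload field name, as listed in Table 3.
HIGHLIGHTED_FIELDS = {
    "Event Category": "category",
    "logsource time": "eventDateTime",
    "Username": "accountName",
    "Source IP": "publicIpAddress",
}


def find_values(node, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key:
                yield value
            yield from find_values(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)


def check_alert(raw):
    """Return (accepted_by_provider_rule, highlighted_fields) for one payload."""
    # The page's note: strip CR/LF left over from formatting before parsing.
    alert = json.loads(raw.replace("\r", "").replace("\n", ""))
    accepted = any(
        value in ACCEPTED_PROVIDERS
        for value in find_values(alert, "provider")
        if isinstance(value, str)
    )
    fields = {
        jsa_name: next(find_values(alert, payload_name), None)
        for jsa_name, payload_name in HIGHLIGHTED_FIELDS.items()
    }
    return accepted, fields


# Constructed sample (not from the page); the nesting is an assumption.
SAMPLE = """{"category":"ExampleCategory","eventDateTime":"2024-01-01T00:00:00Z",
"vendorInformation":{"provider":"ASC","vendor":"Microsoft"},
"userStates":[{"accountName":"alice"}],
"hostStates":[{"publicIpAddress":"203.0.113.10"}]}"""

if __name__ == "__main__":
    print(check_alert(SAMPLE))
```

A result of `False` for the first element means the alert comes from a provider this DSM does not support, so a missing event in JSA is expected rather than a collection fault.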