Azure Activities
Onboard the Azure Activities data feed.
In this guide, you will set up Azure Activity to forward subscription-level events to Radiant. These events are used to facilitate threat detection and incident response by enabling correlation with other security solutions.
At the end of this configuration, you will provide Radiant with the following values:
Application (client) ID
Directory (tenant) ID
Client Secret Value
Subscription ID (one for each subscription)
Prerequisites
Register the application with Azure AD
In this step, you'll register a new application with Azure AD. The application will pull user and group data on a semi-regular basis.
Log in to the Microsoft Azure Portal.
From the left side menu, navigate to Microsoft Entra ID.
From the left menu, navigate to App Registrations.
Click + New Registration.
Update the application Name to radiantsecurity-connector and leave all default settings unchanged.
Click Register to save the changes.
On the newly registered application page, copy the following values:
Application (client) ID
Directory (tenant) ID
On the same page, click the link for Add a certificate or secret.
In the Add a client window, click + New Client Secret.
Set the client secret as:
Description: Radiant Security Connector
Expires: 12 months
Click Add.
The client secrets page will automatically open.
Copy the Value (not the Secret ID field).
Important note: Ensure you copy the Client secret value now as you won't be able to look it up again later. You will need to provide it to Radiant Security at the end of the configuration.
Grant the newly registered application the appropriate permissions
On the left sidebar menu, click API Permissions.
Click + Add a permission.
From the pop-out menu, select Azure Service Management.
Select the permission user_impersonation.
Click the Add Permission button.
The pop-out menu should now close, and the selected permission should appear in the Configured permissions list.
Assign Reader Role for each subscription
Radiant allows each subscription to be monitored independently, so repeat these steps for each subscription you want to monitor.
Access the Subscriptions page and select the desired subscription.

From the left menu, click Access control (IAM).
Click + Add and select Add role assignment.

On the Role page, in the search bar, search for and select Reader. Click Next.

On the Members page, click + Select members and search for <app_name> (the application you registered earlier, radiantsecurity-connector).

Click on the application and click Select on the bottom of the page.
Click Next and Review + Assign to confirm the role.
Repeat steps 1 to 7 for each subscription.
Important note: If you already have the Microsoft O365 connector enabled, skip the next step and go straight to Enable the Azure Activities data feed.
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Microsoft O365 option and then click Data Feeds.
Select the Azure Activities data feed.
Add the following values you saved from the previous steps:
Application (client) ID
Directory (tenant) ID
Client Secret Value
Subscription IDs (separated by commas, with no spaces after the commas)
Click Add Connector to save the connector configuration.
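The following pre-flight check is an added example, not part of Radiant's or Microsoft's tooling. It validates the four values before they are pasted into the connector form, catches the Secret ID being copied instead of the Value, and normalizes the subscription list to commas with no spaces. The function names and sample values are assumptions made for illustration.

```python
import re

# Azure tenant, client and subscription IDs are GUIDs (8-4-4-4-12 hex).
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def is_guid(value: str) -> bool:
    return GUID_RE.fullmatch(value) is not None


def normalize_subscriptions(raw: str) -> str:
    """Return 'id1,id2' with no spaces, de-duplicated; raise on a bad ID."""
    # GUIDs are case-insensitive, so lower-casing is safe for comparison.
    ids = [part.strip().lower() for part in raw.split(",") if part.strip()]
    if not ids:
        raise ValueError("no subscription IDs supplied")
    bad = [i for i in ids if not is_guid(i)]
    if bad:
        raise ValueError(f"not a subscription GUID: {bad}")
    return ",".join(dict.fromkeys(ids))  # keeps first-seen order


def check_connector_values(client_id, tenant_id, secret_value, subscriptions):
    """Return (problems, normalized_subscription_string)."""
    problems = []
    if not is_guid(client_id.strip()):
        problems.append("Application (client) ID is not a GUID")
    if not is_guid(tenant_id.strip()):
        problems.append("Directory (tenant) ID is not a GUID")
    # The portal shows the Secret ID as a GUID; the secret Value is not one.
    if is_guid(secret_value.strip()):
        problems.append("secret looks like the Secret ID (a GUID), not the Value")
    elif not secret_value or secret_value != secret_value.strip():
        problems.append("secret is empty or has surrounding whitespace")
    try:
        subs = normalize_subscriptions(subscriptions)
    except ValueError as exc:
        problems.append(str(exc))
        subs = ""
    return problems, subs


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or credentials.
    print(check_connector_values(
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "constructed~Sample.Value_123",
        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa, bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    ))
```

Run it locally and avoid leaving the client secret in shell history or log output.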
Enable the Azure Activities data feed
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and find the Microsoft O365 connectors.
Scroll down until you can see the Disabled data feeds.
Hover your cursor over the Azure Activities data feed and click the Enable button on the right side.