Real-time Monitoring with Azure AD Auditing: SIEM/Analytics Tools
Enabling Entra ID (Azure AD) logging is crucial for securing your identities. Doing only that, however, won't improve your incident response. Companies should instead look to ingest these logs into their current security operations center (SOC) model. In most cases, this means feeding the logs into their security information and event management (SIEM) platform, with the aim of having all logging centralized.
In doing so, you enable your security teams to view the full attack chain during security events and incidents. Without those logs in one place, analysts face more manual effort and logs scattered across systems. This may result in slower response times or a less effective SOC.
Another reason to ingest logs into your SIEM is retention. In most cases, SIEM solutions offer retention as part of the package, so that you comply with your governance and compliance logging requirements.
Entra ID Logging Retention
By default, logging retention for Entra ID is as follows:
Sign-in Logs:
- Free and Basic tiers: Retained for 30 days.
- Premium P1 and P2 tiers: Retained for 90 days.
- Azure AD P2 and Azure AD P3 tiers: Retained for 180 days.
- Enterprise Agreement (EA) or Azure AD Premium P3 with an EA add-on: Can retain sign-in logs for up to 730 days using Azure Log Analytics service.
Audit Logs:
- Free license SKU: Retained for 7 days.
- P1 and P2 licenses: Retained for 30 days.
- Interactive retention period can be increased up to 730 days using the Analytics log data plan, provided the user has an Enterprise E5 subscription and an add-on license.
- To retain audit logs for longer than 90 days (and up to 1 year), a user needs to be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license.
Provisioning Logs:
- Can be stored for 30+ days using Azure Monitor.
- The article suggests that provisioning logs can be stored for longer periods by integrating them with Azure Monitor logs, which allows for the creation of custom queries, alerts, and dashboards to manage the logs.
Key Benefits of SIEM Integration
SIEM solutions are only as good as the logs that are feeding into them. With Entra ID, you are feeding your identity logs into a central repository. Depending on your solution, the SIEM then correlates events to give a greater level of insight during security events.
A perfect example is a phishing campaign. If your company is hit with a phishing campaign, you hope that your email protection solution, such as Defender for O365, would alert and protect you. In some cases, however, these attacks pass through, so it's important for your SOC to have the logs to be able to assess the impact.
If a user has clicked the link or opened the attachment, you want the telemetry to understand what happened next. In most cases, credentials are stolen, used or sold. This is where the Entra logs come into play. If your SOC has your email security solution, endpoint protection and identity logs ingesting into your SIEM, it has a better chance of seeing the full attack chain. This includes follow-on activity such as brute force or the use of compromised credentials.
The quicker they do this, the faster the response. If they are having to look for logs in multiple places, and having to search one by one, they are likely to miss something, or be too late.
Integrating Entra ID (Azure AD) with your SIEM
SIEM solutions vary; however, integration paths are often repeated. In this post, I show how to ingest logs into Azure's native solution: Sentinel.
If you are not running Sentinel, your SIEM solution has documentation on how to ingest logs. In most cases, this is via Graph API or Event Hubs. I will touch more on these options later.
Prerequisites
Before you ingest Entra logs into Sentinel, confirm you have the following:
- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types.
- Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.
- Your user must be assigned the Global Admin or Security Admin roles on the tenant you want to stream the logs from.
- Your user must have read and write permissions to the Microsoft Entra ID diagnostic settings in order to be able to see the connection status.
More info: https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
Integrate Entra (Azure AD) With Microsoft Sentinel
If you are not running Sentinel, but wish to follow along, you can easily create an instance via the Azure portal.
First, log in to the Azure Portal and search for Sentinel. Notice that your instance gets a 31-day free trial.
If you haven't created a Log Analytics workspace already, you can do so by clicking the Create A New Workspace button. Next, enter your values and click Tags.
After filling in your tags, click Next and, if happy, Create.
This takes you back to the Sentinel pane where you select your workspace. To do so, select the workspace and click Add at the bottom left corner.
Once complete, you have your Sentinel instance:
Connecting Azure Active Directory
Now that we have a Sentinel instance, we can ingest our Entra ID (Azure AD) logs. For Sentinel, ingestion is done via Data Connectors. To enable these, browse Content Hub. Because the backend of Sentinel is a Log Analytics Workspace, integration support is often an option for most third-party solutions.
For anything native, Microsoft have created these connectors already and have listed them under Content Hub. In this walkthrough, we are looking at Entra ID logs, so we can load Content Hub and search for Azure Active Directory. As you can see below, the provider is Microsoft.
Once selected, we review the right-hand pane to see what we are getting, the release notes and what is actually going to be created:
Once the install completes, Install changes to Manage, which you click. The reason is that the connector won't send all logs by default.
Select those that you require and click Apply Changes. Remember that the more data the SIEM has, the greater the level of correlation it performs and the more insight it has. Log storage, however, comes with cost, so it's worth finding the right balance.
Once done, the status changes to Green:
Searching The Logs
You can now query these logs by selecting Logs. Below is a simple query to view failed logins:
// ResultType 0 is a successful sign-in; any other value is an error code
SigninLogs
| where ResultType != 0
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, Location, IPAddress
You could then dive further, by looking at those that may be malicious. You can do this by clicking the filter icon on the column ResultDescription or expanding your Kusto query.
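One way to expand the query, shown as an added example that is not part of the original post: it flags a successful sign-in that follows a burst of failures for the same user from the same IP address, the brute-force-then-compromise pattern described earlier. The sample rows, the `SampleSignins` name and both threshold values are constructed assumptions; point the query at `SigninLogs` in a live workspace.

```kusto
// Constructed sample rows standing in for SigninLogs (ResultType is a string column there).
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              ResultType:string, IPAddress:string)
[
    datetime(2024-01-10 09:00:00), "alice@example.com", "50126", "203.0.113.10",
    datetime(2024-01-10 09:00:20), "alice@example.com", "50126", "203.0.113.10",
    datetime(2024-01-10 09:00:40), "alice@example.com", "50126", "203.0.113.10",
    datetime(2024-01-10 09:01:00), "alice@example.com", "50126", "203.0.113.10",
    datetime(2024-01-10 09:01:20), "alice@example.com", "50126", "203.0.113.10",
    datetime(2024-01-10 09:02:00), "alice@example.com", "0",     "203.0.113.10",
    datetime(2024-01-10 09:05:00), "bob@example.com",   "50126", "198.51.100.7",
    datetime(2024-01-10 09:06:00), "bob@example.com",   "0",     "198.51.100.7"
];
let failureThreshold = 5;   // assumed value: minimum failures that count as a burst
let burstWindow = 30m;      // assumed value: burst length and follow-up period
// Step 1: per user and source IP, find bursts of failed sign-ins
// (50126 is the invalid username or password error code).
let bursts = SampleSignins
    | where ResultType != "0"
    | summarize FailedAttempts = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedAttempts >= failureThreshold
        and LastFailure - FirstFailure <= burstWindow;
// Step 2: keep successful sign-ins that land shortly after such a burst.
SampleSignins
| where ResultType == "0"
| join kind=inner bursts on UserPrincipalName, IPAddress
| where TimeGenerated >= LastFailure and TimeGenerated <= LastFailure + burstWindow
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
          FailedAttempts, FirstFailure, LastFailure
```

Grouping by IP address means attempts spread across many source addresses fall outside this query; group by UserPrincipalName alone to catch those, at the cost of more noise from users who mistype passwords.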
Third Party Solutions
Third-party SIEM solutions may have different integration paths. For the majority of solutions, this is either via Log Analytics feeds, Event Hubs or Graph API. For the first two, these settings are found under the Entra ID Portal > Monitoring & Health > Diagnostic Settings.
Here you can click Add Diagnostic Settings and select your options:
For API integrations, you will most likely have to create an Application Registration that has read access to the necessary logs. This works by querying the logs using the identity of the Service Principal.
Real-time Monitoring with Azure AD Auditing: SIEM/ Analytics Tools Conclusion
Whilst getting the logs into your SIEM is the first step, it requires you to fine-tune your solution to get the most out of it. Entra ID logs without context are just logs. It requires further fine-tuning, automation and alerting in order for the logs to be worth it.
Additional native features, such as Identity Governance Logs (Risky users), also help to boost the usefulness of these logs by highlighting identities that may be at risk or compromised.
Whichever method you choose, make sure that this is reviewed on a frequent basis. Microsoft is constantly changing the Graph API integration around Entra ID, and this may have a knock-on effect to your log ingestion. Whilst some managed SIEM providers may alert you directly, it’s worth monitoring Microsoft’s feature updates.