Configuring Azure Sentinel to capture and monitor Azure AD logs

As a follow-up to my previous post:

Monitoring, Alerting, Reporting Azure AD logins and login failures with Log Analytics and Logic Apps
https://blog.terenceluk.com/2022/02/monitoring-alerting-reporting-azure-ad.html

If your organization already uses Azure Sentinel as a SIEM (Security Information and Event Management) platform, the preferred approach is to use the Azure Active Directory Data Connector available in Sentinel to capture and monitor Azure AD logs. This post demonstrates how to achieve the same results as the previous post by leveraging Azure Sentinel to capture and query the Azure AD events.

Create Log Analytics Workspace

Begin by creating a Log Analytics Workspace that will store the Azure AD logs streamed by Azure Sentinel:

Add Microsoft Sentinel to the new Log Analytics Workspace

With the Log Analytics Workspace created, proceed to create a new Microsoft Sentinel instance and add it to the Log Analytics Workspace:

Configure Azure Sentinel Data Connector to collect Azure Active Directory logs

Navigate to Data Connectors, type Azure Active Directory in the filter text field, select Azure Active Directory and then click Open connector page:

The types of Azure AD logs that Microsoft Sentinel can capture are listed on the connector page. Note that in order to export Sign-in data, your organization needs an Azure AD P1 or P2 license.

Detailed information about the options can be found here:

Connect Azure Active Directory (Azure AD) data to Microsoft Sentinel
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory

You can use Microsoft Sentinel’s built-in connector to collect data from Azure Active Directory and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:

  • Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.
  • Non-interactive user sign-in logs, service principal sign-in logs and managed identity sign-in logs, the three additional categories of sign-in logs the Azure AD connector now includes, all currently in PREVIEW.
  • Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.
  • Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.

The options:

  • ADFS Sign-In Logs (Preview)
  • User Risk Events (Preview)
  • Risk Users (Preview)

… are newer sources that Microsoft released after the initial options.

ADFS Sign-In Logs require Azure AD Connect Health, which correlates Event IDs from AD FS to provide information about each request and the error details if the request fails. More information about ADFS Sign-In Logs can be found here:

AD FS sign-ins in Azure AD with Connect Health – preview
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-ad-fs-sign-in

What is Azure AD Connect Health?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect#what-is-azure-ad-connect-health

Download Azure AD Connect Health Agent for AD FS
https://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/QuickStart

User Risk Events (Preview) and Risk Users (Preview) pertain to Azure AD Identity Protection, which is made available with the Azure AD Premium P2 license. More information about these events can be found here: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks. More information about the types of risk data that can be queried can be found here: https://docs.microsoft.com/en-gb/azure/active-directory/identity-protection/howto-export-risk-data

For the purpose of this example, we’ll select the following log types:

  • Sign-in logs
  • Audit logs
  • Non-interactive user sign-in logs
  • Service principal sign-in logs
  • Managed Identity sign-in logs
  • Provisioning logs

Note that you may need to wait up to 30 minutes before the connector’s status switches from Not connected to Connected and the Data types begin to be highlighted in green:

Once connected, you should see the following tables under Log Management:

  • SigninLogs
  • AuditLogs
  • AADNonInteractiveUserSignInLogs
  • AADServicePrincipalSignInLogs
  • AADManagedIdentitySignInLogs
  • AADProvisioningLogs

From here, the sky is really the limit: we have access to the various logs and are able to query for any type of information we want with Kusto. One of the examples I demonstrated in my previous post is the following query, which looks for failed sign-ins within the SigninLogs table:

SigninLogs
// errorCode 0 is a successful sign-in; anything else is a failure
| where Status.errorCode != 0
// flatten the nested dynamic Status and LocationDetails columns into their own fields
| extend City=LocationDetails.city, State=LocationDetails.state, Country=LocationDetails.countryOrRegion, Error_Code=Status.errorCode, Failure_Reason=Status.failureReason
| project TimeGenerated, UserDisplayName, AppDisplayName, IPAddress, City, State, Country, AuthenticationRequirement, Failure_Reason, ConditionalAccessStatus, ConditionalAccessPolicies, Error_Code
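As an added example (not from the original post or my previous one), the same failure check extended across the interactive SigninLogs table and the AADNonInteractiveUserSignInLogs table that this connector also populates, rolled up per account and source IP so a burst of failures stands out. It assumes that in AADNonInteractiveUserSignInLogs the Status and LocationDetails columns arrive as JSON strings rather than dynamic objects, so they are run through parse_json() first; the 10-failure threshold and 1-day lookback are arbitrary starting values.

```kusto
// Added example: failed sign-ins across both sign-in tables, summarized per user and IP.
let lookback = 1d;
let failedInteractive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where toint(Status.errorCode) != 0
    | extend Source = "Interactive",
             Country = tostring(LocationDetails.countryOrRegion),
             ErrorCode = toint(Status.errorCode),
             FailureReason = tostring(Status.failureReason);
let failedNonInteractive = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    // Assumption: Status and LocationDetails are JSON strings in this table.
    // parse_json() is harmless if they are already dynamic.
    | extend StatusParsed = parse_json(Status),
             LocationParsed = parse_json(LocationDetails)
    | where toint(StatusParsed.errorCode) != 0
    | extend Source = "NonInteractive",
             Country = tostring(LocationParsed.countryOrRegion),
             ErrorCode = toint(StatusParsed.errorCode),
             FailureReason = tostring(StatusParsed.failureReason);
union failedInteractive, failedNonInteractive
| project TimeGenerated, Source, UserPrincipalName, AppDisplayName, IPAddress,
          Country, ErrorCode, FailureReason, ConditionalAccessStatus
// Roll up per account and source IP; a single address hammering one or many
// accounts, or one account failing from many places, rises to the top.
| summarize Failures = count(),
            DistinctApps = dcount(AppDisplayName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Reasons = make_set(FailureReason, 5)
        by UserPrincipalName, IPAddress, Country, Source
| where Failures >= 10   // arbitrary threshold; tune to your tenant's baseline
| order by Failures desc
```

The same query body can be pasted into a Sentinel scheduled analytics rule so that the alerting runs on the workspace rather than in a Logic App.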

With Azure Sentinel configured for the Azure AD logs, we can configure Logic Apps to send out daily reports or to perform other automation tasks for alerting. Please see my previous post for a configuration demonstration.

Monitoring, Alerting, Reporting Azure AD logins and login failures with Log Analytics and Logic Apps
https://blog.terenceluk.com/2022/02/monitoring-alerting-reporting-azure-ad.html