Side note! Microsoft has some impressive numbers going on and believe me, they use the knowledge gained from those events also to your benefit with their security products! Yes, most of the the advanced features are behind a pay wall but most of the times it makes sense to pay and not to be sorry afterwards.
That’s it folks, the last section to my SC-300 study guide will cover the following:
- analyze and investigate sign-in logs to troubleshoot access issues
- review and monitor Azure AD audit logs
- enable and integrate Azure AD diagnostic logs with Log Analytics / Azure Sentinel
- export sign-in and audit logs to a third-party SIEM
- review Azure AD activity by using Log Analytics / Azure Sentinel, excluding KQL use
- analyze Azure Active Directory workbooks / reporting
- configure notifications
Table of Contents
Analyze and investigate sign-in logs to troubleshoot access issues
Where do I access?
Access sign-in logs from https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns
Who can access?
To access the sign-ins log, you need to be:
- A global administrator
- A user in one of the following roles:
- Security administrator
- Security reader
- Global reader
- Reports reader
Different types of logs
Data Source | Description |
Azure AD – Sign-In Logs | All the sign-in events for users |
Azure AD – Audit Logs | All the activities in Azure AD |
Microsoft 365 – Unified Audit Logs | All activities in M365 such as Exchange, SharePoint, and Teams. Azure AD logs are also included. |
Views
From Sign-in logs You can find interactive and non-interactive sign-ins but also Service principal and Managed identity sign-ins.
You can filter these logs with multiple attributes
And see more information on the login.
Especially I like the Conditional Access reporting pane. It makes life so much easier.
In the report only You can see the policies that are in Report only mode.
If You have any error codes for the logins, You can debug them here https://login.microsoftonline.com/error
Retain logs
Activity reports
Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
---|---|---|---|
Sign-ins | Seven days | 30 days | 30 days |
Azure AD MFA usage | 30 days | 30 days | 30 days |
Download sign-in logs
With Portal
Click the Download option to create a CSV or JSON file of the most recent 250,000 records. Start with download the sign-ins data if you want to work with it outside the Azure portal.
Or with PowerShell
Review and monitor Azure AD audit logs
Where do I access?
Access audit logs from https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit
Who can access?
To access the sign-ins log, you need to be:
- A global administrator
- A user in one of the following roles:
- Security administrator
- Security reader
- Global reader
- Reports reader
Enable Audit logs
Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
1 |
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled |
The value of True
for the UnifiedAuditLogIngestionEnabled property indicates that audit log search is turned on. For more information, see Turn audit log search on or off.
Detailed properties in the Audit log
Retain logs
Activity reports
Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
---|---|---|---|
Audit logs | Seven days | 30 days | 30 days |
Azure AD MFA usage | 30 days | 30 days | 30 days |
For users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license), audit records for Azure Active Directory, Exchange, and SharePoint activity are retained for one year by default. Organizations can also create audit log retention policies to retain audit records for activities in other services for up to one year.
For users assigned any other (non-E5) Office 365 or Microsoft 365 license, audit records are retained for 90 days.
Views
When you browse thru Audit logs, you will in example find changes to tenant core settings, like naming.
But also for resource management, like PIM modifications
Download audit logs
With Portal
Click the Download option to create a CSV or JSON file of the most recent 250,000 records. Start with download the sign-ins data if you want to work with it outside the Azure portal.
Or with PowerShell
Unified audit logs
Activating Unified audit
Checking if it’s enabled
1 |
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled |
Enabling with PowerShell
1 |
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true |
If you prefer GUI
Open https://security.microsoft.com/auditlogsearch
What is supported by Unified Audit?
Microsoft 365 service or feature | Record types |
---|---|
Azure Active Directory | AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon |
Azure Information Protection | AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat |
Communication compliance | ComplianceSuperVisionExchange |
Content explorer | LabelContentExplorer |
Data loss prevention (DLP) | ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint |
Dynamics 365 | CRM |
eDiscovery | Discovery, AeD |
Exact Data Match | MipExactDataMatch |
Exchange Online | ExchangeAdmin, ExchangeItem, ExchangeItemAggregated |
Forms | MicrosoftForms |
Information barriers | InformationBarrierPolicyApplication |
Microsoft 365 Defender | AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection |
Microsoft Teams | MicrosoftTeams |
MyAnalytics | MyAnalyticsSettings |
OneDrive for Business | OneDrive |
Power Apps | PowerAppsApp, PowerAppsPlan |
Power Automate | MicrosoftFlow |
Power BI | PowerBIAudit |
Quarantine | Quarantine |
Retention policies and retention labels | MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation |
Sensitive information types | DlpSensitiveInformationType |
Sensitivity labels | MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch |
SharePoint Online | SharePoint, SharePointFileOperation,SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation |
Stream | MicrosoftStream |
Threat Intelligence | ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent |
Workplace Analytics | WorkplaceAnalytics |
Yammer | Yammer |
Time limits
It will take some time for the different sources to start providing information for Unified logs
Search logs
Once logs have been enabled You can search from straight from the portal.
And export all the results
Search-UnifiedAuditLog
Cmdlet used to search the audit log is an Exchange Online cmdlet, which is Search-UnifiedAuditLog. That means you can use this cmdlet to search the audit log instead of using the search tool on the Audit page in the Microsoft 365 compliance center. You have to run this cmdlet in Exchange Online PowerShell. For more information, see Search-UnifiedAuditLog.For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the “Tips for exporting and viewing the audit log” section in Export, configure, and view audit log records.
- If you want to programmatically download data from the audit log, we recommend that you use the Office 365 Management Activity API instead of using a PowerShell script. The Office 365 Management Activity API is a REST web service that you can use to develop operations, security, and compliance monitoring solutions for your organization. For more information, see Office 365 Management Activity API reference.
- Azure Active Directory (Azure AD) is the directory service for Microsoft 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.
- It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.
Audit logging for Power BI isn’t enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the “Audit logs” section in Power BI admin portal.
Enable and integrate Azure AD diagnostic logs with Log Analytics / Azure Sentinel
Enable Log analytics
You can use Log analytics to retain logs longer than 90days. By default it isn’t enabled.
To enable open Diagnostics settings and add a diagnostics setting
From here You can add both logs to Log analytics or archive them to and Storage account.
When You choose either one, you don’t have any limit on the retention.
Enable Microsoft Sentinel
First you have to enable Microsoft Sentinel and you can do it from
For setup choose the Log analytics that we provisioned in the last steps. You can get a free trial for 31 days.
Once done, open Sentinel by clicking the name of Log analytics
And you will the you have free trial activated, 10gb for free!
And we will see the data populating thru Log analytics
In the connectors page you can see currently only Azure AD
Export sign-in and audit logs to a third-party SIEM
Creating Event hub
Third-party SIEM could be Splunk and for that one you need to provision Event hub
For my demo I will use Public, don’t do it for production environments.
Now you have a namespace, then to create Event hub under that namespace
Create new SAS-keys or use the root ones. You need Manage, Send and Listen.
Add diagnostic settings
Then back Azure Ad blade ad create a new diagnostic setting, just this time send it to Event hub.
Splunk
And here are the instructions for Splunk integration
Review Azure AD activity by using Log Analytics / Azure Sentinel, excluding KQL use
MustLearnKQL
Dou, excluding KQL, well you can learn this from Rod Trent at MustLearnKQL
How to review activity from Log analytics?
First enable activity logs
And connect
Using Log analytics
You have ready templates for your disposal
In example for Inactive Service Principals
With Sentinel
In Sentinel you also have ready templates to use, click Audit logs in the main page
And it will open a KQL query
Analyze Azure Active Directory workbooks / reporting
Usage & Insights
To access the data from the usage and insights report, you need:
- An Azure AD tenant.
- An Azure AD premium (P1/P2) license to view the sign-in data.
- A user in the Global Administrator, Security Administrator, Security Reader or Report Reader roles. In addition, any user (non-admins) can access their own sign-ins.
Open Enterprise applications and you will find Usage & Insights
Under that you can see the individual activity logs
And under that you will see the individual applications and logs
Configure notifications
Email sender will be azure-noreply@microsoft.com
Email notification overview
To alert you of issues with a managed domain, you can configure email notifications. These email notifications specify the managed domain that the alert is present on, and they provide the time of detection and a link to the health page in the Azure portal. You can then follow the provided troubleshooting advice to resolve the issues.
Why would I receive email notifications?
Azure AD DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Azure portal and can be viewed on the Azure AD DS health page.
When will I receive email notifications?
A notification is sent immediately when a new alert is found on a managed domain. If the alert isn’t resolved, additional email notifications are sent as a reminder every four days.
Who should receive the email notifications?
The list of email recipients for Azure AD DS should be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your “first responders” to any alerts and issues.
You can add up to five additional recipients for email notifications. If you want more than five recipients, create a distribution list and add that to the notification list instead.
You can also choose to have all Global Administrators of the Azure AD directory and every member of the AAD DC Administrators group receive email notifications. Azure AD DS only sends notification to up to 100 email addresses, including the list of Global Administrators and AAD DC Administrators.
Things to remember
Sign-in and audit logs
Where and how to enable audit logs.
When enabled, it can take up-to 24hrs to activate.
To access the audit log, you need to be:
- A global administrator
- A user in one of the following roles:
- Security Administrator
- Security Reader
- Report Reader
- Global Reader
Retention times
Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
---|---|---|---|
Sign-ins | Seven days | 30 days | 30 days |
Audit logs | Seven days | 30 days | 30 days |
Azure AD MFA usage | 30 days | 30 days | 30 days |
Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
---|---|---|---|
Risky users | No limit | No limit | No limit |
Risky sign-ins | 7 days | 30 days | 90 days |
When does Azure AD start collecting data?
Azure AD Edition | Collection Start |
---|---|
Azure AD Premium P1 Azure AD Premium P2 | When you sign up for a subscription |
Azure AD Free | The first time you open the Azure Active Directory blade or use the reporting APIs |
And for longer storing time You can use Log analytics or Storage Accounts.
You can download Sign-in and Audit logs in CSV or JSON file of the most recent 250,000 records.
Log analytics and Sentinel
Where and how to enable.
How to export data to Log analytics
External SIEM
You need Event hub and Azure monitor to export logs to external SIEM.
Notifications
You can choose to have all Global Administrators of the Azure AD directory and every member of the AAD DC Administrators group receive email notifications. Azure AD DS only sends notification to up to 100 email addresses, including the list of Global Administrators and AAD DC Administrators.
Thank you!
For this last post I will like to thank You all for reading and supporting. All the feedback is welcome from my audience because you are the ones that this these post are for. Raising the community, because the community raised me!
And then to the next humongous topic series! But next I will finish my AZ-500 which will by the way updated on second of may!
and then moving to the next one, still didn’t decide which one, could be one of the following.
In the meantime you can book time with me for MVP or technical mentoring, many have already done so. See here for more info.
#Azure #Identity #Security #sharingiscaring #Neverstoplearning