The Entra ID brand has replaced the Azure Active Directory brand. To collect Microsoft Entra ID logs, stream the logs to an Event Hub and use the Azure Event Hub
Authorize it
First, authorize an event hub. Then add Entra ID to the event hub.
Switch to the directory.
Add your Entra ID diagnostic settings. Devo recommends enabling all log options.
Run it
The Entra ID collector is run the same way as the Azure Event Hub collector.
Example tables
Table | Description
---|---
cloud.azure.ad.* | Entra ID identity and access management logs.
cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs.
 | Authentication logs, including Entra ID.
Secure it
The Authentication alert pack works with Entra ID data.
Find privilege escalation through roles, groups, and administrative units. Unexpected privilege escalation may indicate that a user intends to exfiltrate or destroy data.
```
from cloud.azure.ad.audit
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type,
  properties_initiatedBy_user_displayName as actor,
  properties_targetResources as target
```
A password reset or change may occur when an account is compromised.
```
from cloud.azure.ad.audit
where eq(operationName,"User started password reset") or
  (weakhas(operationName,"change") and has(operationName,"password")) or
  startswith(operationName,"Reset password")
```
Get the authentication risk detections reported by Microsoft for each user.
```
from cloud.azure.ad.signin_all
where not eq(risk_state,"none"), isnotnull(risk_state)
group by user, risk_state, risk_detail
```