
Purpose

An analyst wants to detect malicious authentication and privilege changes. Using the Entra ID collector to send identity and access logs to Devo, the analyst finds privilege escalation events and removes the malicious accounts before they can disable or modify Entra ID resources.

Microsoft Entra ID is the new name for Azure Active Directory. The Entra ID collector works with over 2,000 applications, including any application that supports a standard authentication method (such as SAML or OpenID Connect).

Typically, Entra ID is used with Microsoft's cloud and on-premises products.

Example tables

Table                        Description
cloud.azure.ad.*             Entra ID identity and access management logs (for example, cloud.azure.ad.audit holds the audit log).
cloud.azure.ad.signin_all    Union table that combines all the different Entra ID authentication logs.
auth.all                     Authentication logs, including Entra ID.

Authorize it

First, authorize an event hub. Then add Entra ID as a log source for that event hub.

  1. Open Entra.

  2. Switch to the directory (tenant) whose logs you want to collect.

...

  1. Add your Entra ID diagnostic settings. Devo recommends enabling all log options; note that the non-interactive and service principal sign-in categories can be high volume, so confirm the event hub is sized for them.

Run it

The Entra ID collector is run the same way as the Azure Event Hub collector.


Secure it

Devo Exchange provides Alert Packs to help you monitor Entra ID data. The following detections are examples of what they cover:

Data destruction attempt

Find privilege escalation through roles, groups, and administrative units. Unexpected privilege escalation may indicate that a user intends to exfiltrate or destroy data. Grouping by operation, actor, and target lets you see at a glance who granted what to whom.

Code Block
from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

Identity compromise

A password reset or change may occur when an account is compromised: an attacker who has taken over an account often changes its password to lock out the real owner. Legitimate recoveries generate the same events, so review the initiating actor and any risky sign-ins that preceded the change.

Code Block
from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")
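The two audit-log rules above (privilege escalation and password reset or change), re-implemented in plain Python so you can see exactly which operationName values each matches. This is an added example, not Devo's or Microsoft's code: the helpers approximate Devo LINQ's startswith, toktains, has and weakhas operators (assumption: toktains matches the phrase's tokens in order as whole words, has is whole-word case-sensitive, weakhas whole-word case-insensitive), and the sample records are constructed to resemble Entra ID AuditLogs entries.

```python
"""Added example, not Devo's or Microsoft's code: the audit-log detections from
this section re-implemented in Python and run over constructed sample events."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records shaped like Entra ID AuditLogs entries
# (operationName, initiatedBy.user.displayName, targetResources). Names are made up.
SAMPLE_AUDIT_LOGS: List[Dict] = [
    {"operationName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]},
    {"operationName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]},
    {"operationName": "Add member to group",
     "initiatedBy": {"user": {"displayName": "svc-automation"}},
     "targetResources": [{"displayName": "Finance-Admins", "type": "Group"}]},
    {"operationName": "Add user",           # starts with "Add" but is not a membership change
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "new.user@contoso.example", "type": "User"}]},
    {"operationName": "Add owner to group",  # "owner to", not "member to": the rule ignores it
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Finance-Admins", "type": "Group"}]},
    {"operationName": "User started password reset",
     "initiatedBy": {"user": {"displayName": "Bob User"}},
     "targetResources": [{"displayName": "Bob User", "type": "User"}]},
    {"operationName": "Change password (self-service)",
     "initiatedBy": {"user": {"displayName": "Bob User"}},
     "targetResources": [{"displayName": "Bob User", "type": "User"}]},
    {"operationName": "Reset password (by admin)",
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Bob User", "type": "User"}]},
    {"operationName": "Update user",
     "initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Bob User", "type": "User"}]},
]


def _tokens(text: str) -> List[str]:
    """Lower-cased word tokens, the unit the token operators below work on."""
    return re.findall(r"[a-z0-9]+", text.lower())


def toktains(text: str, phrase: str) -> bool:
    """Approximation of Devo toktains(): the phrase's tokens occur in order as whole words."""
    words, wanted = _tokens(text), _tokens(phrase)
    return any(words[i:i + len(wanted)] == wanted
               for i in range(len(words) - len(wanted) + 1))


def has(text: str, token: str) -> bool:
    """Approximation of Devo has(): whole-word, case-sensitive match."""
    return token in re.findall(r"[A-Za-z0-9]+", text)


def weakhas(text: str, token: str) -> bool:
    """Approximation of Devo weakhas(): whole-word, case-insensitive match."""
    return token.lower() in _tokens(text)


def is_privilege_escalation(event: Dict) -> bool:
    """'Data destruction attempt' rule: startswith(operationName,"Add"), toktains(operationName,"member to")."""
    op = event["operationName"]
    return op.startswith("Add") and toktains(op, "member to")


def is_password_event(event: Dict) -> bool:
    """'Identity compromise' rule: user-started reset, any change+password operation,
    or an admin-initiated 'Reset password ...' operation."""
    op = event["operationName"]
    return (op == "User started password reset"
            or (weakhas(op, "change") and has(op, "password"))
            or op.startswith("Reset password"))


def _actor(event: Dict) -> str:
    return event.get("initiatedBy", {}).get("user", {}).get("displayName", "<unknown>")


def _targets(event: Dict) -> str:
    return ", ".join(r.get("displayName", "?") for r in event.get("targetResources", []))


def summarize_escalations(events: Iterable[Dict]) -> Counter:
    """Mirror of the query's 'group by' clause: hit counts per (operation, actor, target)."""
    counts: Counter = Counter()
    for e in events:
        if is_privilege_escalation(e):
            counts[(e["operationName"], _actor(e), _targets(e))] += 1
    return counts


def run_detections(events: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """Run both rules once over the stream and bucket the matches by rule name."""
    hits: Dict[str, List[Dict]] = {"privilege_escalation": [], "identity_compromise": []}
    for e in events:
        if is_privilege_escalation(e):
            hits["privilege_escalation"].append(e)
        if is_password_event(e):
            hits["identity_compromise"].append(e)
    return hits


if __name__ == "__main__":
    for (op, actor, target), n in summarize_escalations(SAMPLE_AUDIT_LOGS).items():
        print(f"{n:2d}  {op:<22} actor={actor:<16} target={target}")
    for e in run_detections(SAMPLE_AUDIT_LOGS)["identity_compromise"]:
        print(f"password event: {e['operationName']} by {_actor(e)} on {_targets(e)}")
```

Running it reports the two "Add member to role" grants to Global Administrator by the same actor as a single group with a count of 2, while "Add user" and "Add owner to group" stay out of the escalation bucket; the three password operations land in the identity-compromise bucket and "Update user" does not. Use it to sanity-check a tuning change to either rule before deploying it against live cloud.azure.ad.audit data.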

Authentication risk

Surface the authentication risks that Microsoft itself detects and records in the sign-in logs (risky sign-ins and risky users), so that Entra ID's own risk signal is reviewed alongside the rules above.

...

Set the inactivity alert to keep track of the monitor_collector_and_application_category. The alert triggers if a particular collector stops receiving login events from popular applications such as Office. This can occur if Office authentication is broken or if all users are on holiday, so restrict the alert to hours when activity is expected, or it will page on every weekend.