| Table of Contents | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Purpose
Use Entra ID logs to detect malicious authentication and privilege changes.
The Entra ID brand has replaced the Azure Active Directory brand.
The Entra ID collector works with over 2000 applications, including any application that supports a standard authentication method. Typically Entra ID is used with Microsoft’s cloud and on-premise products.
Authorize it
First, authorize an event hub. Then add Entra ID to the event hub.
...
| Code Block |
|---|
from cloud.azure.ad.signin_all where not eq(risk_state,"none"), isnotnull(risk_state) group by user, risk_state, risk_detail |
Monitor It
Create an inactivity alert to detect interruptions of transfer of data from the source to the event hub using the query
| Code Block |
|---|
from cloud.azure.ad.signin_all
where eq(action,"LOGIN"),isnotnull(application)
//Divide the applications into a few simple, but subjective, categories
select peek(application,"(?i)Azure|Office|Sharepoint|Windows|Microsoft") as application_category
where isnotnull(application_category)
//Create an inactivity alert to detect an interruption to logins
select split(hostchain,"-",1)+" "+application_category as monitor_collector_and_application_category |
Set the inactivity alert to keep track of the monitor_collector_and_application_category. The alert will trigger if a particular collector no longer obtains login events for popular applications such as Office. This can occur if Office authentication is broken or if all users are on holiday.