Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 7 Current »

Purpose

Use Entra ID logs to detect malicious authentication and privilege changes.

The Entra ID brand has replaced the Azure Active Directory brand.

The Entra ID collector works with over 2000 applications, including any application that supports a standard authentication method. Typically Entra ID is used with Microsoft’s cloud and on-premise products.

Authorize it

First, authorize an event hub. Then add Entra ID to the event hub.

  1. Open Entra.

  2. Switch to the directory.

    image-20250211-222523.png

  3. Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

Run it

The Entra ID collector is run the same way as an Event Hub Azure collector.

Example tables

Table

Description

cloud.azure.ad.*

Entra ID identity and access management logs.

cloud.azure.ad.signin_all

This union table combines all the different Entra ID authentication logs.

auth.all

Authentication logs, including Entra ID.

Secure it

The Authentication alert pack works with Entra ID data.

Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.

from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

A password reset or change may occur when an account is compromised.

from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")

Get authentication risks detected by Microsoft.

from cloud.azure.ad.signin_all 
where not eq(risk_state,"none"), isnotnull(risk_state) 
group by user, risk_state, risk_detail

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the event hub using the query

from cloud.azure.ad.signin_all 
where eq(action,"LOGIN"),isnotnull(application)

//Divide the applications into a few simple, but subjective, categories
select peek(application,"(?i)Azure|Office|Sharepoint|Windows|Microsoft") as application_category 
where isnotnull(application_category)

//Create an inactivity alert to detect an interruption to logins
select split(hostchain,"-",1)+" "+application_category as monitor_collector_and_application_category

Set the inactivity alert to keep track of the monitor_collector_and_application_category. The alert will trigger if a particular collector no longer obtains login events for popular applications such as Office. This can occur if Office authentication is broken or if all users are on holiday.

  • No labels