TODO: Stream additional logs from Azure AD for optimal visibility

Azure Active Directory

Over the past six months, I’ve shown you ways to get to know the devices that people in your organization use App Passwords on, set an alert to notify when an additional person is assigned the Azure AD Global Administrator role and set an alert to notify when an Azure AD emergency access account is used. For all these purposes, I leveraged the ability to send logs from Azure Active Directory to Azure Log Analytics and process the information there through Azure Monitor.

Supported log streaming solutions

Azure Log Analytics is just one of the three supported destinations. You can:

  • Send to Log Analytics workspace
  • Archive to a storage account
  • Stream to an event hub

The latter two options allow organizations with on-premises Security Incident and Event Monitoring (SIEM) solutions to correlate the contents of the logs and obtain the same information, and thus the same visibility. The storage account option seems to be the popular choice for many of these organizations.

Supported logs

As of October 2020, however, the set of supported logs has changed. There are two reasons for this:

1. New logs

The Azure AD team reports on additional events, beyond the AuditLogs and SignInLogs:

  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs

These new log types provide visibility into sign-ins by service principals and managed identities, and into non-interactive user sign-ins. These kinds of sign-ins are typically not covered by Conditional Access, so the ability to audit them and visibility into their usage are key.

2. Additional logs

ProvisioningLogs is also a new log type, but one that carries specific information. As mentioned in the October 2020 release notes for Azure Active Directory, provisioning events regarding the SCIM provisioning service will be removed from AuditLogs and published solely to the provisioning logs.

Note:
This change isn't planned for the calendar year 2020.

Activity by the SCIM provisioning service is logged in both ProvisioningLogs and AuditLogs. In the future, these events will only be published in the ProvisioningLogs.

This is the way

It may seem counter-intuitive that Microsoft introduces new log information and doesn’t automatically switch it on. The reasons for this are clear:

  • Not every organization has the capability to act on the new log information, and thus does not need it. As the log streaming destinations are often charged by data ingestion, enabling only the logs you care about saves money.
  • As on-premises SIEM solutions may not yet be able to parse and report on the new log types, an organization may choose to stream some log types to the on-premises solution and other log types to Azure Log Analytics, and possibly Azure Sentinel.

Call to action

For optimal visibility, I urge organizations to stream the NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs and ManagedIdentitySignInLogs to one or more appropriate storage and analysis solutions, like an Azure Log Analytics workspace, or an on-premises SIEM solution connected to a storage account or Azure Event Hub:

  • Sign into the Azure Portal with an account that has the Global Administrator role.
  • Click on Azure Active Directory in the left navigation menu.
  • Select Diagnostic settings in Azure AD’s navigation menu.
  • In the main pane, click Add diagnostic setting.
    The Diagnostic settings blade appears.
  • On the Diagnostic settings blade, click the name of the previously configured diagnostic setting.
  • Select one or more of the following:
    • To send provisioning logs, select the ProvisioningLogs check box.
    • To send the logs for non-interactive user sign-ins, select the NonInteractiveUserSignInLogs check box.
    • To send the logs for sign-ins by managed identities, select the ManagedIdentitySignInLogs check box.
    • To send the logs for sign-ins by service principals, select the ServicePrincipalSignInLogs check box.
  • Select Save on top of the blade to save the diagnostic setting.
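The portal steps above can also be expressed against the Azure Monitor REST API, which is handy when you want to audit every tenant for the recommended categories. The following Python is an added example, not the post's own code: it builds the diagnostic-setting body for the recommended log categories and checks an existing setting (a constructed sample) for categories that are still switched off. The tenant-level microsoft.aadiam endpoint, its API version and the property names are assumptions from the Azure Monitor REST reference as I recall it; confirm them against current documentation.

```python
"""Build and audit an Azure AD diagnostic setting via the ARM REST API (added example)."""
import json
import urllib.request

# The two classic categories plus the newer ones the post recommends streaming.
RECOMMENDED = ["AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
               "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
               "ProvisioningLogs"]

# Assumption: Azure AD diagnostic settings hang off the tenant-level
# microsoft.aadiam provider rather than a subscription-scoped resource.
API = ("https://management.azure.com/providers/microsoft.aadiam/"
       "diagnosticSettings/{}?api-version=2017-04-01-preview")

# Constructed sample of a setting that only streams the two classic log types.
EXISTING_SETTING = {"name": "legacy-to-loganalytics", "properties": {
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
                   "providers/Microsoft.OperationalInsights/workspaces/placeholder-workspace",
    "logs": [{"category": "AuditLogs", "enabled": True},
             {"category": "SignInLogs", "enabled": True},
             {"category": "ServicePrincipalSignInLogs", "enabled": False}]}}


def build_setting(workspace_id=None, storage_account_id=None,
                  event_hub_auth_rule_id=None, event_hub_name=None,
                  categories=RECOMMENDED):
    """Return the PUT body for one diagnostic setting; at least one destination is required."""
    props = {"logs": [{"category": c, "enabled": True,
                       "retentionPolicy": {"enabled": False, "days": 0}}
                      for c in categories]}
    if workspace_id:
        props["workspaceId"] = workspace_id
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_auth_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_auth_rule_id
        props["eventHubName"] = event_hub_name
    if not any(k in props for k in ("workspaceId", "storageAccountId",
                                     "eventHubAuthorizationRuleId")):
        raise ValueError("a diagnostic setting needs at least one destination")
    return {"properties": props}


def missing_categories(setting):
    """List recommended categories that a GET-returned setting does not stream."""
    logs = setting.get("properties", {}).get("logs", [])
    enabled = {entry["category"] for entry in logs if entry.get("enabled")}
    return [c for c in RECOMMENDED if c not in enabled]


def put_setting(name, body, token):
    """Create or update the named setting; token is an ARM bearer token you obtained separately."""
    req = urllib.request.Request(API.format(name), data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `missing_categories` over each tenant's settings from a GET on the same endpoint to find which of the new log types are still not being streamed anywhere.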

The first thing organizations gain this way is retention beyond the default 30-day retention period for these events. Then, organizations can create the appropriate actions to (automatically) act on unwanted situations.

Further reading

Sign-in logs and auditing of Managed Identities and Service Principals
Calculating your Azure Log Analytics bill when you stream your Azure AD logs to it
Getting to know the devices that people in your organization use App Passwords on
HOWTO: Set an alert to notify when an Azure AD emergency access account is used
HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role
