Azure Active Directory audit logs now available in Advanced Hunting (public preview)
Published Dec 17 2020 01:15 PM 10.8K Views
Microsoft

We are happy to announce the availability of a new data source in Microsoft 365 Defender Advanced Hunting.

We have just enabled streaming of Azure Active Directory audit logs into Advanced Hunting. The data is already available to all customers in public preview.

These logs provide traceability for all changes made by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.

At the moment, data ingestion depends on Microsoft Cloud App Security (MCAS), so customers that have MCAS with the Office 365 connector connected will be able to see this data. Our intent is to expand availability to more Microsoft 365 Defender customers going forward.

The new log data is available in the CloudAppEvents table:

CloudAppEvents
| where Application == "Office 365"

and contains activity logs useful for investigating and finding related activities.

We are publishing a handful of relevant queries to our Git repository, as they can assist with investigations of the recent nation-state attack.

Here’s an example query that helps you see when credentials were added to an Azure AD application after 'Admin Consent' permissions were granted, by an account other than the one that gave consent:

// Admin consent grants, with the service principal ID and the scopes granted
CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
| extend spnID = tostring(RawEventData.Target[3].ID)
| parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]", 0)
| project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted
| join (
    // Credentials (secrets or certificates) added to a service principal or application
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | project AddSecretTime = Timestamp, AccountDisplayName, spnID
) on spnID
// Keep credentials added after the consent by a different account (AccountDisplayName1 is the right-side column)
| where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1
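
The same correlation applied offline to exported events, as an added Python example that is not part of the original post. It assumes records carrying only the fields the query reads, runs on constructed sample events, and goes slightly beyond the query by finding ConsentContext.IsAdminConsent by name rather than at index 0.

```python
from datetime import datetime

CONSENT = "Consent to application."
ADD = "Add service principal credentials."
# Second ActionType copied verbatim from the query (en dash and trailing space included).
ADD_CRED = {ADD, "Update application – Certificates and secrets management "}

def spn_id(ev):
    """Service principal ID, read from RawEventData.Target[3].ID as the query does."""
    targets = ev["RawEventData"].get("Target", [])
    return str(targets[3]["ID"]) if len(targets) > 3 else None

def is_admin_consent(ev):
    """Generalization: find ConsentContext.IsAdminConsent by name, not at index 0."""
    props = ev["RawEventData"].get("ModifiedProperties", [])
    return any(p.get("Name") == "ConsentContext.IsAdminConsent"
               and p.get("NewValue") == "True" for p in props)

def when(ev):
    return datetime.fromisoformat(ev["Timestamp"])

def correlate(events):
    """Admin consent, then a credential add on the same SPN by a different account.
    Returns every matching pair (KQL's default join keeps one left row per key)."""
    o365 = [e for e in events if e["Application"] == "Office 365" and spn_id(e)]
    consents = [e for e in o365 if e["ActionType"] == CONSENT and is_admin_consent(e)]
    adds = [e for e in o365 if e["ActionType"] in ADD_CRED]
    return [{"spnID": spn_id(c), "ConsentBy": c["AccountDisplayName"],
             "ConsentTime": c["Timestamp"], "SecretAddedBy": a["AccountDisplayName"],
             "AddSecretTime": a["Timestamp"]}
            for c in consents for a in adds
            if spn_id(c) == spn_id(a) and when(c) < when(a)
            and c["AccountDisplayName"] != a["AccountDisplayName"]]

def sample(ts, action, who, spn, admin=None):
    """Build one constructed record holding only the fields the query reads."""
    props = [] if admin is None else [{"Name": "ConsentContext.IsAdminConsent", "NewValue": admin}]
    return {"Timestamp": ts, "Application": "Office 365", "ActionType": action,
            "AccountDisplayName": who, "RawEventData": {
                "ModifiedProperties": props, "Target": [{"ID": "n/a"}] * 3 + [{"ID": spn}]}}

EVENTS = [  # constructed sample events, not real tenant data
    sample("2020-12-10T09:00:00", CONSENT, "Admin One", "sp-111", admin="True"),
    sample("2020-12-10T09:30:00", ADD, "Account Two", "sp-111"),  # expected hit
    sample("2020-12-10T09:45:00", ADD, "Admin One", "sp-111"),    # same account
    sample("2020-12-10T08:00:00", ADD, "Account Two", "sp-111"),  # before consent
    sample("2020-12-10T10:00:00", CONSENT, "Admin One", "sp-222", admin="False"),
    sample("2020-12-10T10:30:00", ADD, "Account Two", "sp-222"),  # no admin consent
]
print(correlate(EVENTS))
```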

 

Keep watching for our updates. We will publish more information and guidance on how to leverage Microsoft 365 Defender for investigations of this evolving advanced threat soon!

3 Comments
Brass Contributor

Thank you @Tali Ash for this improvement

Microsoft

Will this AAD Audit data be consumable by Azure Sentinel?

Copper Contributor

Has the log flow been changed since this article was published? I can't find many events in the CloudAppEvents but there are two new tables tagged BETA for AAD authentication events.

Version history
Last update:
‎Dec 17 2020 02:05 PM