Log Analytics
12 Topics

Azure Monitor Reporting on App and Enterprise Applications/Registration
Hello everyone, I would like to leverage the usage of Azure Monitor, and build a report across the estate with any and all Enterprise Application and App registrations that have or don't have activity in the last 30-90 days, e.g. interactive and non-interactive sign-ins and other things relevant for someone to identify if those are being active/used or not. Any suggestion that can leverage az monitor or some sort of reporting using native tools, instead of using scripts?

516 Views, 0 Likes, 0 Comments

Existing application Adding itself as Service Principal?
Hello All, I keep coming across entries in our Azure Audit Logs off the Entra ID portal showing that existing applications in our environment are creating events showing that it's adding itself as a service principal. For example, we have had the 'Microsoft Managed Policy Manager' application in our environment for quite some time, yet I recently came across an entry in the Audit Log showing the name and GUID for 'Microsoft Managed Policy Manager' in the 'ActorServicePrincipalID' & 'ActorServicePrincipalName'; moreover, the details in the target fields were all related to 'Microsoft Managed Policy Manager' and its subsequent details. I'm looking for some guidance on how to track down what might be going on with this Audit Log or if this is normal/expected behaviour...

557 Views, 0 Likes, 0 Comments

Microsoft Entra ID: Advanced Threat Hunting - AzureADRecon and Microsoft Sentinel
Dear Microsoft Entra ID Friends: This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel. I always start with a list of MITRE ATT&CK techniques.

Initial Access:
- Drive-by Compromise https://attack.mitre.org/techniques/T1189/
- Exploit Public-Facing Application https://attack.mitre.org/techniques/T1190/
- External Remote Services https://attack.mitre.org/techniques/T1133/
- Phishing https://attack.mitre.org/techniques/T1566/
- Phishing: Spearphishing Link https://attack.mitre.org/techniques/T1566/002/
- Valid Accounts https://attack.mitre.org/techniques/T1078/

Execution:
- Command and Scripting Interpreter https://attack.mitre.org/techniques/T1059/

Persistence:
- Account Manipulation https://attack.mitre.org/techniques/T1098/
- Create Account https://attack.mitre.org/techniques/T1136/
- Office Application Startup https://attack.mitre.org/techniques/T1137/

Credential Access:
- Brute Force https://attack.mitre.org/techniques/T1110/

Discovery:
- Permission Groups Discovery https://attack.mitre.org/techniques/T1069/

We start by collecting the information with the AzureADRecon tool.

Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that! https://github.com/adrecon/AzureADRecon

Installing: Download the tool; the easiest way is to save the .zip file right away.

Note: Attention: It is possible that the antimalware program reacts during the download!

If you have git installed, you can start by cloning the repository:

git clone https://github.com/adrecon/AzureADRecon.git

If you downloaded the tool using a zip file, extract the zip file and place it in a location that you can easily find again. If you cloned the repository, a folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extract/clone folder.

In order to get started we need one more prerequisite, in my case the PowerShell AzureAD module. However, you are welcome to work with the Microsoft Graph, but this requires additional preparations afterwards.

Install the AzureAD module:

Install-Module AzureAD -Verbose -Force -AllowClobber

Don't forget we need to adjust the execution policy in PowerShell!

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Note: In order to work with this tool, you need to work with an account that has sufficient rights in Entra ID.

To run AzureADRecon (will prompt for credentials):

PS C:\AzureADRecon-master> .\AzureADRecon.ps1

However, you can also work with variables first.

PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds

Note: To get the report as a spreadsheet, Excel must be installed on the system. The report is created in the same folder.

Now open the report and start the investigation and analysis!

(Report screenshots: User Stats, Users, Directory Roles, Directory Roles Members, Devices)

Advanced Hunting with Microsoft Sentinel!

Now we have detailed information from the Microsoft client. The information was not collected just like that, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel. In Microsoft Sentinel, we can directly access the incidents from the overview.

(Sentinel screenshots: List of incidents; View full incident details; Now the deep dive into the incident; Investigate each incident)

HAPPY INVESTIGATING! I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to "give"/describe a good starting point. Thank you for taking the time to read the article. Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

4.9K Views, 0 Likes, 0 Comments

Azure Active Directory | Workbooks | Sign-In Analysis (Preview: AAD & AD FS)
This workbook will help you analyze your organization's sign-ins for both Azure AD and AD FS sign-ins. This workbook will show you the General Analysis and Error Analysis.

General Analysis:
- Sign-in Activity Summary
- Sign-in Analysis by Location
- Sign-in Analysis by Device

Error Analysis:
- Sign-in Activity Summary
- Top Sign-In Errors by User or IP

1.3K Views, 0 Likes, 0 Comments

Notifications for AAD user phone number changes
Our organization would like to set up some system for notifications when a user changes their phone #. When phone #'s are changed in AAD, they need to be updated in another system we have. Any recommendations on how to do this? The notification needs to have the user's name, the old #, and the new #. The notification could be an email, a Teams message, or any other mechanism really. There will be a human receiving the notification and making the # change in our other system. I just want to avoid a manual process where the changes need to be queried into a report each day. Thanks in advance.

1.9K Views, 0 Likes, 1 Comment

Azure Activity Log confusion
All, This might be obvious, but I have questions regarding Azure Activity Logs. Could I please ask someone to review the following and let me know whether my reasoning is accurate?

- Azure Activity log events are retained in Azure for 90 days and then deleted by default.
- When I browse the Activity Log tab on a given subscription, I'll get insight into operations on each Azure resource in that subscription from the management plane.
- When I browse a resource, say Key Vault in that subscription, and view the Activity Log tab from within the resource, I would get events narrowed down to this very specific Key Vault (but I would find the same events for this Key Vault in the Activity Log tab on subscription level).
- The Activity Log events are retained in Azure for 90 days and then deleted by default.
- If I want to store the Activity Log events beyond 90 days, I could export them to a Log Analytics workspace (I know of Storage Account and Event Hub).
- I can export the Activity Log events to a Log Analytics workspace to store the events beyond the 90 days.
- I can export the Activity Log events from a subscription (Activity Log -> Export Activity Logs). If I do so, the exported data will contain ALL the Activity Log events from ALL resources in the given subscription.
- Since there's a single activity log for each Azure subscription, I would have to perform the step above for each single subscription.

What if I export the Activity Log events from a resource in a subscription, rather than the subscription itself (will it only export events for the given resource)? Thanks a lot!

1.1K Views, 0 Likes, 2 Comments

SignInLogs are not showing in Log Analytics / Azure Monitor
I have followed the steps to create a Log Analytics workspace, and configured the Diagnostic Settings in Azure AD to send the SignInLogs and AuditLogs to Log Analytics. However, I cannot see the SignInLogs; I only see events from AuditLogs available in Log Analytics. I believe I have met the prerequisites on licensing by means of a trial of Azure AD Premium P2 license. Does anybody know why it's only sending out the AuditLogs and not the SignInLogs to Log Analytics?

19K Views, 2 Likes, 27 Comments

AAD Sign-in logs not sending to Log Analytics Workspace on 3 different tenants and subscriptions.
For some weeks now I have noticed that when having a paid (not trial) P1 or P2 licensed AAD tenant and setting up sign-in logs to be sent to a Log Analytics Workspace, the result is that nothing shows up. The only tables that are created are "AuditLogs" and "Usage". At first I thought it was a matter of time, but I'm waiting 3 weeks now on one tenant and still not a single sign-in log has been streamed. These are all Western EU tenants/subscriptions. I feel like there's something more general going on but all services indicate being healthy. It's as if they are not recognized anymore as paid P1 or P2 tenants. Can someone confirm this issue?

618 Views, 0 Likes, 0 Comments