Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Over the past several weeks there’s a been a mighty movement in the Data Connector blade of Azure Sentinel, resulting in lots of new Data Connectors. As easy as it is (or not) to notice when new Data Connectors are available, it’s difficult to know when existing ones are updated. Once such recent update is valuable enough to take a look at today.

The Azure Active Directory Data Connector has been updated to include the ability to choose the following additional logs:

  • Non-interactive user sign-in Log (Preview)
  • Service principal sign-in logs (Preview)
  • Managed Identity Sign-in logs (Preview)
  • Provisioning logs (Preview)
Enable extra logs

To enable the additional ingest, open the specific Azure Active Directory Data Connector, place a checkmark beside the newly offered log files, and then click the Apply Changes button.

The ability to enable these as part of the Data Connector is excellent value. Prior to this capability, you could still enable the logs, you’d just need to do it through the Diagnostic Setting for the service. This makes it a lot easier.

There’s a couple blog posts I know of that speak specifically to monitoring Service Principal activity. In the following resource links, you can skip the instructions about the Diagnostic Setting and just start utilizing the KQL goodness provided:

DISCLAIMER: This feature enhancement is in Preview – meaning that things can change between Preview and Release. Take care when relying on Preview features in production.

Additionally, you may also notice that there is no longer need for any kind of AAD license (P1/P2) for Sentinel customers to stream AAD logs.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Author