A recent enhancement to the Diagnostic Settings for Azure AD allows you to add the AD FS sign-in information to be used in your Azure Sentinel environment. This is a long awaited capability.
To enable the ADFSSignInLogs to be available in your Azure Sentinel environment, modify the Diagnostic Setting for Azure AD that was created when you enabled the Azure Sentinel Data Connector for Azure Active Directory. Enable the ADFSSignInLogs log collection as shown in the example.
The current data columns available are shown in the table just below, but you can always find the latest in the Azure Monitor reference.
| TenantId |
| SourceSystem |
| TimeGenerated |
| OperationName |
| OperationVersion |
| Category |
| ResultType |
| ResultSignature |
| ResultDescription |
| DurationMs |
| CorrelationId |
| ResourceGroup |
| Identity |
| Level |
| Location |
| AlternateSignInName |
| AppDisplayName |
| AppId |
| AuthenticationDetails |
| AuthenticationProcessingDetails |
| AuthenticationRequirement |
| AuthenticationRequirementPolicies |
| ConditionalAccessPolicies |
| ConditionalAccessStatus |
| CreatedDateTime |
| DeviceDetail |
| IsInteractive |
| Id |
| IPAddress |
| NetworkLocationDetails |
| OriginalRequestId |
| ProcessingTimeInMs |
| ResourceDisplayName |
| ResourceIdentity |
| ResourceTenantId |
| Requirement |
| Status |
| TokenIssuerName |
| TokenIssuerType |
| UserAgent |
| UserDisplayName |
| UserId |
| UserPrincipalName |
| Type |
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
