How to Add ADFSSignInLogs to Azure Sentinel

A recent enhancement to the Diagnostic Settings for Azure AD lets you forward AD FS sign-in information to your Azure Sentinel workspace. This is a long-awaited capability.

To make the ADFSSignInLogs table available in your Azure Sentinel environment, modify the Azure AD Diagnostic Setting that was created when you enabled the Azure Sentinel Data Connector for Azure Active Directory, and turn on ADFSSignInLogs log collection as shown in the example below.

[Figure: Adjust Diag Setting]

The data columns currently available are listed in the table just below; the Azure Monitor table reference always carries the latest schema.

TenantId
SourceSystem
TimeGenerated
OperationName
OperationVersion
Category
ResultType
ResultSignature
ResultDescription
DurationMs
CorrelationId
ResourceGroup
Identity
Level
Location
AlternateSignInName
AppDisplayName
AppId
AuthenticationDetails
AuthenticationProcessingDetails
AuthenticationRequirement
AuthenticationRequirementPolicies
ConditionalAccessPolicies
ConditionalAccessStatus
CreatedDateTime
DeviceDetail
IsInteractive
Id
IPAddress
NetworkLocationDetails
OriginalRequestId
ProcessingTimeInMs
ResourceDisplayName
ResourceIdentity
ResourceTenantId
Requirement
Status
TokenIssuerName
TokenIssuerType
UserAgent
UserDisplayName
UserId
UserPrincipalName
Type
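As an added example (not from the original post), here is a KQL hunting query built on the columns above that surfaces source IPs generating failed AD FS sign-ins across many distinct accounts, a pattern worth reviewing for password-spray activity. It assumes, as in the Azure AD SigninLogs table, that a ResultType of "0" means success; the lookback window and the five-account threshold are constructed values to tune for your tenant.

```kql
// Failed AD FS sign-ins fanned out across many accounts from one source IP.
// Assumption: ResultType "0" = success (mirrors SigninLogs); confirm against the
// Azure Monitor reference for ADFSSignInLogs before relying on this in an analytics rule.
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where tostring(ResultType) != "0"
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    SampleUsers    = make_set(UserPrincipalName, 10),
    ErrorCodes     = make_set(ResultDescription, 5),
    UserAgents     = make_set(UserAgent, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by IPAddress, TokenIssuerType
| where DistinctUsers >= 5          // constructed threshold; tune per environment
| order by DistinctUsers desc, FailedAttempts desc
```

Pivot any hit back to the raw rows (filter on IPAddress and CorrelationId) to check AuthenticationDetails and NetworkLocationDetails before raising an incident.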
