There are three new logs available for Azure Active Directory, but only two are currently populating data. Once enabled, they will generate the following new tables:
- AADServicePrincipalRiskEvents – Logs generated by Identity Protection for Azure AD service principal risk events.
- AADRiskyServicePrincipals – Logs generated by Identity Protection for Azure AD risky service principals.
- NetworkAccessTrafficLogs – details still being surfaced; check back.
To enable these for access in Microsoft Sentinel…
- Locate the Diagnostic Settings section in the Azure Active Directory service.
- Find the Diagnostic Setting that is pointing to the Log Analytics workspace for your Microsoft Sentinel environment.
- Edit the current Diagnostic Setting and enable the three new logs.
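Once the Diagnostic Setting is saved, the following KQL (an added example, not part of the original post) confirms which of the three tables are actually receiving rows in your Sentinel workspace and then triages the risky service principals. `union isfuzzy=true` keeps the first query running even while a table (such as NetworkAccessTrafficLogs) does not yet exist in the workspace; the column names RiskLevel, RiskState, ServicePrincipalDisplayName and ServicePrincipalId in the second query are assumed from the Identity Protection schema, not taken from the post.

```kql
// Query 1: which of the new tables are populating? Run in the Sentinel workspace.
// isfuzzy=true tolerates tables that have not been created yet (no data received),
// so the query does not fail while NetworkAccessTrafficLogs is still being surfaced.
union isfuzzy=true
    (AADServicePrincipalRiskEvents | extend TableName = "AADServicePrincipalRiskEvents"),
    (AADRiskyServicePrincipals     | extend TableName = "AADRiskyServicePrincipals"),
    (NetworkAccessTrafficLogs      | extend TableName = "NetworkAccessTrafficLogs")
| where TimeGenerated > ago(7d)
| summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by TableName
| order by TableName asc

// Query 2 (run separately): current risky service principals that are still unresolved.
// Column names below are assumptions about the Identity Protection schema.
AADRiskyServicePrincipals
| where TimeGenerated > ago(7d)
| where RiskState in ("atRisk", "confirmedCompromised")
| summarize arg_max(TimeGenerated, RiskLevel, RiskState) by ServicePrincipalId, ServicePrincipalDisplayName
| where RiskLevel in ("high", "medium")
| join kind=leftouter (
    AADServicePrincipalRiskEvents
    | where TimeGenerated > ago(7d)
    | summarize RiskEvents = count(), RiskEventTypes = make_set(RiskEventType) by ServicePrincipalId
  ) on ServicePrincipalId
| project TimeGenerated, ServicePrincipalDisplayName, ServicePrincipalId, RiskLevel, RiskState, RiskEvents, RiskEventTypes
| order by RiskLevel asc, TimeGenerated desc
```

If Query 1 returns no row for a table, the category is either not enabled in the Diagnostic Setting or the service has not emitted any events yet; ingestion can lag the portal change by a short while.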