
Monitor sensitive accounts

Pre-requisites

A prerequisite for monitoring sensitive accounts in Azure AD is to have set up a Log Analytics Workspace and to have your Azure AD logs sent to it. If you want to know how that's done, have a look at the blog post "Monitor Azure AD" (further down on this page) to see how easy it is to enable in your tenant.

Query

To monitor sensitive accounts we first need to determine which accounts we want to monitor. I always recommend monitoring the break-glass administrator account, so that you or your team is alerted whenever it is used: such an account should only be used in an emergency, so every sign-in on it is worth a look.

In the Log Analytics query below we search the "SigninLogs" table for a specific UserPrincipalName and keep only rows with ResultType 0 (ResultType 0 means the sign-in succeeded; the column is a string, so compare against "0", not the number 0).

SigninLogs
| where UserPrincipalName == "julian.rasmussen@idefix365.no"   // the account to watch
| where ResultType == "0"                                       // "0" = successful sign-in
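The query above watches one account and only its successful sign-ins. For a break-glass account a failed attempt is just as interesting, since nobody should be guessing its password, and most tenants have more than one such account. The query below is an added example and not part of the original post: the two UPNs in the watchlist are placeholders, and it is written to be pasted in as the alert-rule query (the rule's aggregation window supplies the time range, so there is no explicit TimeGenerated filter). KQL `==` is case-sensitive, so `in~` is used for the UPN match.

```kql
// Added example (not from the original post): alert-rule query for a watchlist
// of sensitive accounts. The UPNs are placeholders; replace them with your own.
let SensitiveAccounts = dynamic([
    "breakglass01@idefix365.no",   // assumed break-glass account
    "breakglass02@idefix365.no"    // assumed second break-glass account
]);
SigninLogs
| where UserPrincipalName in~ (SensitiveAccounts)        // in~ = case-insensitive match
| extend Outcome = iff(ResultType == "0", "Success", "Failure")   // ResultType is a string
| summarize
    Successes = countif(Outcome == "Success"),
    Failures  = countif(Outcome == "Failure"),
    SourceIPs = make_set(IPAddress),
    Apps      = make_set(AppDisplayName),
    Errors    = make_set_if(ResultDescription, Outcome == "Failure"),   // why the failures failed
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName
```

With the rule's default measure (number of table rows), Operator "Greater than or equal to" and Threshold 1, the alert fires whenever at least one watched account has any sign-in activity, successful or not, in the evaluation window, and the per-account counts, source IPs and apps are carried along in the alert's search results.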

With that in mind, let's create an Alert Rule from the single-account query so that we are notified every time "julian.rasmussen@idefix365.no" signs in successfully.

Log Analytics Workspace with query for a specific username and success login

When clicking the "New Alert Rule" button we land on a new page with several settings. Here I have changed only two things:
Operator: Greater than or equal to
Threshold value: 1
With this the alert fires whenever the query returns at least one row in the evaluation window, i.e. at least one successful sign-in by that account.

Click Next to go to “Actions”

Action Group

An action group defines who gets notified, and how, when the alert fires.
So we create a new action group for this scenario and set up an email notification to an administrator.

Within the Actions pane of the Action Group you can also send the alert payload to an Azure Function, a Webhook and more. In this scenario we only use the notification part, so let's skip to "Review + create" and create the Action Group.

Alert

We then give the alert an "Alert rule name" and a description. These are what appears in the email notification sent to the user or users in the Action Group.

Jump over to “Review + create” and create the Alert rule.

Conclusion and result

  • We gained monitoring and notification by writing a query in Log Analytics.
  • From the Logs pane we can easily create a new Alert rule.
  • We created an Action Group where we specified who gets notified and how.

And when that account signs in and the Alert rule fires, the result looks like this:

Monitor Azure AD

Main goal

The main goal of this blog post is to gain more knowledge on how to collect logs from Azure AD. By default, Azure AD keeps audit and sign-in logs for 30 days (with an Azure AD Premium license; the free tier keeps only 7 days). To be able to interact with or automate on the logs we need to move them to a Log Analytics Workspace. By doing so we gain these features, and many more, on our log data:

  • Ability to automate actions based on logs
  • Increase retention time on logs
  • Connect Microsoft Sentinel

Speaking of retention time, you can choose from 30, 31, 60, 90, 120, 180, 270, 365, 550 and 730 days in the Azure Portal on the Log Analytics Workspace.

Log Analytics

First of all you need to create a Log Analytics Workspace, and to do that you need an Azure Subscription in place (with Contributor access to it).
– Create a "Resource Group"
– Create a "Log Analytics Workspace"

Here I have created a Resource Group and added a Log Analytics Workspace named "idefix-sentinel-log-analytics" to that group.

Azure AD configuration

When the LAW (Log Analytics Workspace) is ready you can configure Azure AD to send logs directly to it.
Head into Azure AD, navigate to "Audit Logs" or "Sign-in logs" and from there click "Export Data Settings".

Azure AD -> Audit Logs -> Export Data Settings

Here you click "Add diagnostic setting", give it a name, point it to the Log Analytics Workspace you created and choose which log categories to store in that LAW.

Choose all categories you want to store

After you save it, wait about 15-20 minutes before trying to query the logs, to be sure that new logs have started streaming into the LAW.

Test query in Log Analytics

To query your data, navigate to your Log Analytics Workspace, head into the "Logs" pane and enter a query to search the logs with.

Log Analytics Workspace -> Logs

This query gets all login entries for users whose name contains Julian:

SigninLogs
| where Identity contains "Julian"

To be more specific, use UserPrincipalName:

SigninLogs
| where UserPrincipalName == "julian.rasmussen@idefix365.no"

All sign-ins for Julian in the last 30 days

SigninLogs
| where UserPrincipalName == "julian.rasmussen@idefix365.no"
| where TimeGenerated > ago(30d)
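As an added example (not from the original post), the 30-day query can be extended into a baseline of where and how the account signs in, so that a source IP that has never been seen before stands out. `Account` holds the UPN used in the post and should be replaced with your own; the 7-day "new source" cut-off is an assumption, pick what fits your tenant.

```kql
// Added example (not from the original post): 30-day baseline of source IPs,
// locations and apps for one sensitive account, flagging sources first seen
// in the last 7 days (assumed cut-off).
let Account = "julian.rasmussen@idefix365.no";   // UPN from the post; change to yours
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName =~ Account              // =~ = case-insensitive match
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Successes = countif(ResultType == "0"),
    Failures  = countif(ResultType != "0"),
    Apps      = make_set(AppDisplayName),
    CAStatus  = make_set(ConditionalAccessStatus)  // was Conditional Access applied?
    by IPAddress, Location
| extend NewSource = FirstSeen > ago(7d)           // true = IP not seen before this week
| order by NewSource desc, LastSeen desc
```

Rows with NewSource = true and Failures > 0 are the first ones to look at: an unfamiliar IP failing against a break-glass account is exactly what the alert rule in the first post is meant to catch early.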