Contents
- Analysing and investigating sign-in logs to troubleshoot access issues
- Reviewing and monitoring Azure AD audit logs
- Understanding the Concepts of Azure Sentinel
- Enabling Azure AD Diagnostic Log Analytics/Azure Sentinel
- Reviewing Azure AD activity with Log Analytics/Sentinel (portal blades and workbooks, without writing KQL)
- Exporting Sign in and audit logs to a 3rd party SIEM
- Configuring Notifications
Analysing and investigating sign-in logs to troubleshoot access issues
Viewing logs
- Go to Azure AD -> Sign-ins
- From here you can view and filter the sign-in logs. Each entry shows information such as:
– IP address
– Date and time
– Application
– Login status (success/failure)
– Location
- Click on a log entry to get more detail, such as the failure reason and the error code
- You can create a support ticket with Microsoft directly from the log entry
- You can download the logs as a JSON or CSV file
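The JSON download is also the quickest way to triage a batch of failures offline. The script below is an added example, not part of the original notes: it parses an export, reproduces the "failure reason" view as counts, and then looks for the one pattern the portal filters do not surface on their own, a single IP producing invalid-password failures for several different accounts inside one time window (password spraying), followed by any success from that IP. The field names (createdDateTime, userPrincipalName, ipAddress, appDisplayName, status.errorCode, status.failureReason) follow the Microsoft Graph signIn resource that the portal export uses; the records themselves are constructed, and the 60-minute window and three-user threshold are assumptions to tune for your tenant.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _entry(ts, upn, ip, app, code, reason, country="GB"):
    """One record in the shape of the portal's JSON export (Microsoft Graph
    signIn field names). Constructed data, not taken from a real tenant."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "appDisplayName": app,
        "status": {"errorCode": code, "failureReason": reason},
        "location": {"countryOrRegion": country},
    }


BAD_PW = "Invalid username or password"
SAMPLE_SIGNIN_EXPORT = json.dumps([
    _entry("2024-03-01T09:30:00Z", "alice@contoso.example", "198.51.100.7", "Azure Portal", 0, "Other"),
    _entry("2024-03-01T10:00:00Z", "alice@contoso.example", "203.0.113.10", "Office 365", 50126, BAD_PW),
    _entry("2024-03-01T10:02:00Z", "bob@contoso.example", "203.0.113.10", "Office 365", 50126, BAD_PW),
    _entry("2024-03-01T10:05:00Z", "carol@contoso.example", "203.0.113.10", "Office 365", 50126, BAD_PW),
    _entry("2024-03-01T10:07:00Z", "dave@contoso.example", "203.0.113.10", "Office 365", 50126, BAD_PW),
    _entry("2024-03-01T10:09:00Z", "dave@contoso.example", "203.0.113.10", "Office 365", 0, "Other"),
    _entry("2024-03-01T11:00:00Z", "erin@contoso.example", "198.51.100.7", "Office 365", 50057, "User account is disabled"),
    _entry("2024-03-01T12:00:00Z", "bob@contoso.example", "192.0.2.44", "Azure Portal", 50126, BAD_PW),
])

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password


def load_signins(raw):
    return json.loads(raw)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_failure(entry):
    # errorCode 0 is a successful sign-in; anything else is a failure
    return entry["status"]["errorCode"] != 0


def failures_by_reason(entries):
    """The portal's 'failure reason' column, as a count per reason."""
    return Counter(e["status"]["failureReason"] for e in entries if is_failure(e))


def failures_per_user(entries):
    return Counter(e["userPrincipalName"] for e in entries if is_failure(e))


def password_spray_candidates(entries, min_users=3, window=timedelta(minutes=60)):
    """IPs with bad-password failures for >= min_users distinct accounts
    inside one sliding window (thresholds are assumptions, tune per tenant)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            by_ip[e["ipAddress"]].append((parse_ts(e["createdDateTime"]), e["userPrincipalName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successes_from_ips(entries, ips):
    """Successful sign-ins from flagged IPs: the spray that landed."""
    return [(e["userPrincipalName"], e["createdDateTime"])
            for e in entries if not is_failure(e) and e["ipAddress"] in ips]


if __name__ == "__main__":
    entries = load_signins(SAMPLE_SIGNIN_EXPORT)
    print("Failures by reason:", dict(failures_by_reason(entries)))
    print("Failures per user:", dict(failures_per_user(entries)))
    spray = password_spray_candidates(entries)
    print("Spray candidates:", spray)
    print("Successes from spray IPs:", successes_from_ips(entries, set(spray)))
```

Run it against a real download by replacing SAMPLE_SIGNIN_EXPORT with the file contents; a hit in successes_from_ips is the entry to open in the portal (and to raise a support ticket or incident from) first.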
Reviewing and monitoring Azure AD audit logs
There are general audit logs you can look at, but there are also specific logs for each feature.
General audit logs
- Go to Azure AD -> Audit logs
- Here you find a record of directory changes in your Azure AD tenant (not Azure resource activity, which lives in the Activity Log). EG: when a user is updated. Click on the entry to see what was changed, including the old and new values.
- You can filter these logs by date, service, category, activity etc…
- You can export the logs as a CSV file
Specific logs:
If you go to the Users blade in Azure AD and click on Audit logs there, you get the same log pre-filtered to user activity. You can do the same thing for Groups etc…
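When reviewing audit logs in bulk the useful detail is buried in each entry's targetResources and modifiedProperties, where the portal's "what was changed" view comes from. The script below is an added example, not part of the original notes: it parses an audit-log export, renders each change as "target: property old -> new", and picks out successful additions of members to privileged directory roles. The field names (activityDisplayName, initiatedBy, targetResources, modifiedProperties with JSON-encoded oldValue/newValue strings) follow the Microsoft Graph directoryAudit resource; the entries and the watched role list are constructed for the example, and the assumption that a role-membership entry carries one target of type "User" and one of type "Role" should be checked against your own export.

```python
import json

# Constructed entries in the shape of an Azure AD audit-log JSON export
# (Microsoft Graph directoryAudit field names). Not real tenant data.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {
        "activityDateTime": "2024-03-01T09:15:00Z",
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{
            "type": "User", "userPrincipalName": "alice@contoso.example",
            "modifiedProperties": [
                # old/new values arrive as JSON-encoded strings in the export
                {"displayName": "JobTitle", "oldValue": "[\"Analyst\"]", "newValue": "[\"Manager\"]"},
            ],
        }],
    },
    {
        "activityDateTime": "2024-03-01T09:40:00Z",
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "bob@contoso.example",
             "modifiedProperties": [
                 {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""},
             ]},
            {"type": "Role", "displayName": "Global Administrator", "modifiedProperties": []},
        ],
    },
    {
        "activityDateTime": "2024-03-01T10:05:00Z",
        "activityDisplayName": "Add member to group",
        "category": "GroupManagement",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "Microsoft Teams Services"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "carol@contoso.example",
             "modifiedProperties": [
                 {"displayName": "Group.DisplayName", "oldValue": None, "newValue": "\"Project X\""},
             ]},
            {"type": "Group", "displayName": "Project X", "modifiedProperties": []},
        ],
    },
])

# Roles worth an alert on every membership change (assumed list; extend to taste).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Security Administrator"}


def load_audit(raw):
    return json.loads(raw)


def decode_value(raw):
    """oldValue/newValue are JSON text; unwrap a one-element list to its value."""
    if raw is None:
        return None
    try:
        val = json.loads(raw)
    except (TypeError, ValueError):
        return raw
    if isinstance(val, list) and len(val) == 1:
        return val[0]
    return val


def actor_of(entry):
    """Who made the change: a user UPN or, for service-driven changes, an app name."""
    initiated = entry.get("initiatedBy", {})
    if initiated.get("user"):
        return initiated["user"].get("userPrincipalName", "<unknown user>")
    if initiated.get("app"):
        return initiated["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def describe_changes(entry):
    """Flatten an entry into 'target: property old -> new' lines."""
    lines = []
    for target in entry.get("targetResources", []):
        name = target.get("userPrincipalName") or target.get("displayName") or target.get("type")
        for prop in target.get("modifiedProperties", []):
            old, new = decode_value(prop.get("oldValue")), decode_value(prop.get("newValue"))
            lines.append(f"{name}: {prop['displayName']} {old} -> {new}")
    return lines


def privileged_role_assignments(entries, watched=PRIVILEGED_ROLES):
    """Successful 'Add member to role' entries whose Role target is in watched."""
    hits = []
    for e in entries:
        if e.get("activityDisplayName") != "Add member to role" or e.get("result") != "success":
            continue
        targets = e.get("targetResources", [])
        role = next((t.get("displayName") for t in targets if t.get("type") == "Role"), None)
        member = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), None)
        if role in watched:
            hits.append({"when": e["activityDateTime"], "actor": actor_of(e), "member": member, "role": role})
    return hits


if __name__ == "__main__":
    entries = load_audit(SAMPLE_AUDIT_EXPORT)
    for e in entries:
        print(e["activityDateTime"], e["activityDisplayName"], "by", actor_of(e))
        for line in describe_changes(e):
            print("   ", line)
    print("Privileged role assignments:", privileged_role_assignments(entries))
```

The same filter expressed as a Sentinel analytics rule over the AuditLogs table is what you would schedule in production; running it over an export like this is the quick way to confirm the logic before writing the rule.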
Understanding the Concepts of Azure Sentinel
Azure Sentinel is a scalable, cloud-based Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) product.
It delivers security analytics and a centralised point for alert detection and investigation. It can pull in data from on-premises and cloud resources.
Purposes of Sentinel
- Data collection: users, devices, applications and infrastructure, both on-premises and in the cloud
- Detect previously undetected threats while minimising false positives
- Investigate threats, with AI-assisted tooling
- Respond to incidents rapidly
Sentinel Components
Connectors
Sentinel comes with out of the box connectors for:
- Microsoft threat protection
- M365
- O365
- Azure AD
- Azure ATP
- And more
Workbooks
Workbooks are interactive dashboards that group queries and visualisations of your data together for monitoring.
Analytics
Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible threat that you can investigate and resolve.
Security Automation and Orchestration
You can configure "playbooks". These are actions Sentinel can carry out when it comes across particular alerts or incidents. EG: it can send emails or Teams messages, disable a user etc…
Investigation
Sentinel deep investigation tools help you understand the scope and find the root cause of a particular security threat.
Hunting (KQL Kusto Query Language)
This search and query tool (written in KQL, with the built-in hunting queries mapped to MITRE ATT&CK tactics) enables you to hunt for security threats proactively, before an analytics rule has fired.
Community
Sentinel community is a resource for threat detection and automation. Users can post helpful queries and information.
Enabling Azure AD Diagnostic Log Analytics/Azure Sentinel
You need an Azure subscription and a Log Analytics workspace: the workspace is where the logs are stored and where ingestion and retention are billed
Setting up Sentinel:
- Go to Azure -> All services -> and search for Sentinel
- Click Connect to workspace (Sentinel is enabled on top of a Log Analytics workspace; create a new one here if you do not already have one)
- Choose your subscription and resource group
- Give the workspace a name. It needs to be a unique name.
- Select the region
- Click Create
It takes a few minutes to deploy. Sentinel can ingest a lot of data, so keep an eye on the workspace's usage and data-retention settings, as that is what you pay for.
Reviewing Azure AD activity with Log Analytics/Sentinel (portal blades and workbooks, without writing KQL)
- Go to Azure -> All services -> and search for Sentinel
- Overview: this shows you events and alerts at a glance
- Logs: there are lots of sample queries you can start with to filter the logs. EG: CPU usage on VMs
- Incidents: this is where you find and investigate any incidents or security threats that have been flagged
- Workbooks: these can be used to group together the resources and logs that you want to monitor
- Hunting: this allows you to hunt for specific threats. There are a number of sample queries in place you can start with. These include things like "Failed login attempt by expired accounts"
- Notebooks: an area for grouping together queries, scripts and information, stored in GitHub. This is linked to the Community. There are a number of sample notebooks to start with
- Data Connectors: this is where you enable connectors and get the agents for installing on different services and devices
- Analytics: the rules that turn collected data into alerts and group those alerts into incidents; they run over data from all the different Sentinel sources including the Data Connectors
- Playbooks: these are used in orchestration. A playbook is an Azure Logic Apps workflow, a group of actions carried out when an incident or threat occurs. They are linked to a subscription and resource group. Logic Apps are billed per run, so they do cost money
- Community: this ties to GitHub
Exporting Sign in and audit logs to a 3rd party SIEM
Manually exporting
- Go to Azure AD -> Monitoring -> Sign-ins
- Click on Download (as CSV or JSON)
- Do the same thing for Audit logs
Automating Exporting
Microsoft and the SIEM vendors provide add-ons to automate the export of these logs, EG: to Splunk. The usual pipeline is an Azure AD diagnostic setting that streams the sign-in and audit logs to an Azure Event Hub, from which the SIEM's connector reads them.
Configuring Notifications
Notification Hub
This allows you to push notifications to different devices.
NOTE: to use Notification Hubs you must have an Azure subscription with credit (a paid or credited subscription, even though a free pricing tier exists).
Configuring Notification Hub
- Go to Azure portal -> All services -> Notification Hubs
- Click Create
- Select your Azure subscription
- Select the resource group
- Give the hub namespace a name (no spaces allowed)
- Give the Notification Hub a name
- Select the location
- Pricing tier: the Free tier gives you quite a bit
- Click Create
Once Created go to the Notification Hub
There are different methods for setting up push notifications to different device types.
For Apple you need to sign up with Apple and obtain an APNs (Apple Push Notification service) certificate to configure this with.