Azure Sentinel Connector for the Azure Active Directory updated

Jeroen Niesen
Wortell
Feb 3, 2021

The past month was an amazing month for Azure Sentinel: a large number of new data connectors have been released. Alongside them, the connector for Azure Active Directory has been updated. It now ingests additional categories of sign-in logs and a brand new log containing provisioning activities.

The Azure Sentinel connector for Azure Active Directory has been expanded with new sign-in categories and with the provisioning log.

Azure Sign-in log updates

Before this update, only interactive user sign-ins were sent to Azure Sentinel. This meant you could not build detections on non-interactive sign-ins, or on sign-ins performed by applications using a service principal. The connector now delivers the following categories of sign-ins:

  • Interactive user sign-ins — These are sign-ins where a user provided an authentication factor to log in.
  • Non-interactive user sign-ins — These are sign-ins where a client or application signs in on behalf of a user, for example by redeeming a refresh token, without the user providing a factor.
  • Service principal sign-ins — These are sign-ins performed by applications using an app registration with its own credential (e.g. a client secret or certificate).
  • Managed Identity sign-ins — These are sign-ins performed by Azure resources that have a managed identity (Azure manages the credentials for these identities, so there is no secret for you to store or rotate).

Pro tip: The new service principal and managed identity sign-in categories enable a new class of use cases: monitoring the authentication of service principals and managed identities themselves, for example a service principal signing in from an IP address it has never used before, or a burst of failed sign-ins against a single app registration.
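One way to turn the new service principal category into a detection, written here as an added KQL example that is not part of the original post: flag service principals that signed in successfully during the last day from an IP address they had not used in the previous 14 days. The table name AADServicePrincipalSignInLogs and the columns ServicePrincipalId, ServicePrincipalName, AppId, IPAddress, ResultType and ResourceDisplayName are assumptions about the connector's schema; the post itself does not name them.

```kql
// Added example (not from the original post): service principals that signed in
// successfully in the last day from an IP address they had not used in the prior 14 days.
// Table and column names are assumptions: AADServicePrincipalSignInLogs with
// ServicePrincipalId, ServicePrincipalName, AppId, IPAddress, ResultType, ResourceDisplayName.
let lookback = 14d;   // baseline period used to learn "known" addresses
let window = 1d;      // detection period
// Baseline: every (principal, IP) pair with a successful sign-in during the lookback period.
let knownPairs = AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where tostring(ResultType) == "0"          // 0 = success
    | summarize by ServicePrincipalId, IPAddress;
// Detection: successful sign-ins in the window whose (principal, IP) pair is absent from the baseline.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(window)
| where tostring(ResultType) == "0"
| join kind=leftanti knownPairs on ServicePrincipalId, IPAddress
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SignIns = count(),
            Resources = make_set(ResourceDisplayName, 10)
    by ServicePrincipalId, ServicePrincipalName, AppId, IPAddress
| order by FirstSeen asc
```

Two caveats when running this as an analytics rule: a freshly created app registration will fire on its very first sign-in, which is expected and worth reviewing anyway, and the baseline only exists once the connector has been collecting this category for the full lookback period. The same pattern applies to managed identities by swapping in the managed identity sign-in table, although those sign-ins originate from Azure resources and the IP address is less useful as a signal than the resource and target application.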

Provisioning Log

As mentioned above, a new log has been added: the provisioning log. It contains the actions that the Azure Active Directory provisioning service performs on users, groups and roles in target systems. To receive these logs, an Azure Active Directory Premium license (P1 or P2) is required. The provisioning log has the following columns:

  • The identity
  • The action that has been executed
  • The source system
  • The target system
  • The status
  • The date
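A starting point for hunting in this log, written as an added KQL example that is not part of the original post: summarise failed provisioning actions from the last 24 hours by source system, target system and action, so that a broken connector or a mass failure against one application stands out. The table name AADProvisioningLogs, the columns ResultType, ProvisioningAction, Identity, SourceSystem and TargetSystem, the DisplayName field inside the two system objects, and the result value "Failure" are assumptions about the connector's schema; the post only describes the columns in prose.

```kql
// Added example (not from the original post): failed provisioning actions in the last 24 hours,
// grouped by source system, target system and action.
// Table and column names are assumptions: AADProvisioningLogs with ResultType, ProvisioningAction,
// Identity, SourceSystem, TargetSystem, where SourceSystem and TargetSystem are dynamic objects
// carrying a DisplayName field.
AADProvisioningLogs
| where TimeGenerated > ago(1d)
| where ResultType =~ "Failure"                   // assumed result values: Success / Failure / Skipped
| extend SourceApp = tostring(SourceSystem.DisplayName),
         TargetApp = tostring(TargetSystem.DisplayName)
| summarize Failures = count(),
            LastFailure = max(TimeGenerated),
            Identities = make_set(Identity, 20)     // cap the set so one noisy app does not blow up the row
    by SourceApp, TargetApp, ProvisioningAction
| order by Failures desc
```

Before building rules on this table, run `AADProvisioningLogs | getschema` in your workspace and adjust the column names to what the connector actually delivers in your tenant; the preview schema may differ from the names assumed here.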

Conclusion

Both the new sign-in categories and the provisioning log are currently in preview. I think they are a great addition to the Azure Sentinel connector for Azure Active Directory, and they allow for great new use cases around application authentication and on-behalf-of authentication. Even though the updates are still in preview, it is very helpful to get familiar with the new data that you can use to improve your detections.

Happy logging and hunting!

— Jeroen Niesen
