Azure Sentinel Connector for the Azure Active Directory updated

Jeroen Niesen
Feb 3

The past month was an amazing month for Azure Sentinel. A large number of new connectors have been released, and alongside them the connector for Azure Active Directory has been updated. The connector now includes new categories of sign-in logs and a brand new log containing provisioning activities.

The Azure Sentinel connector for the Azure Active Directory has been expanded with new options for sign-ins and the provisioning logs.

Azure Sign-in log updates

Before this update, only interactive user sign-ins were logged in Azure Sentinel. This meant you could not build detections on non-interactive sign-ins, or on sign-ins performed by applications using a service principal. The sign-in logs now contain information for the following categories of sign-ins:

Pro tip: The new managed identity and service principal sign-in categories enable a new type of use case, in which the authentication of service principals and managed identities is monitored.
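As an added example of the use case above (not a query from the original post), the following KQL flags successful service principal sign-ins coming from an IP address that the same principal has not used in the preceding 14 days. The table name AADServicePrincipalSignInLogs and the columns ServicePrincipalName, ServicePrincipalId, IPAddress, ResultType and ResourceDisplayName are assumed from the connector's schema and are not stated on this page; check them against your own workspace before using the query.

```kusto
// Added example, not from the original post.
// Assumed table and columns: AADServicePrincipalSignInLogs with
// ServicePrincipalName, ServicePrincipalId, IPAddress, ResultType, ResourceDisplayName.
let lookback = 14d;   // baseline window of "known" addresses per principal
let recent   = 1d;    // detection window
let known_ips =
    AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | where tostring(ResultType) == "0"            // successful sign-ins only
    | summarize by ServicePrincipalId, IPAddress;
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(recent)
| where tostring(ResultType) == "0"
// keep only (principal, IP) pairs that never appeared in the baseline window
| join kind=leftanti known_ips on ServicePrincipalId, IPAddress
| summarize
    FirstSeen   = min(TimeGenerated),
    SignInCount = count(),
    Resources   = make_set(ResourceDisplayName)
    by ServicePrincipalName, ServicePrincipalId, IPAddress
| order by FirstSeen desc
```

A first-seen address for a service principal is not proof of compromise, since deployments and scale-out legitimately change source addresses, but it is a useful trigger for review, and the same pattern applies to the managed identity sign-in category by swapping in that table.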

Provisioning Log

As I wrote earlier, a new log has been added: “Provisioning logs.” This log contains system log information about users, groups and roles that are provisioned by Azure Active Directory. To receive these logs, an Azure Active Directory Premium license (P1 or P2) needs to be present. The provisioning log has the following columns:

Conclusion

Both the new sign-in categories and the provisioning log are currently in preview. I think they are a great addition to the Azure Sentinel Active Directory connector, and they allow for the creation of great new use cases regarding application authentication and “on-behalf” authentication. Even though the updates are still in preview, it is very helpful to get familiar with the new logs that you could use to improve your detections.

Happy logging and hunting!

— Jeroen Niesen

Wortell

Microsoft Cloud & Enterprise Security