Introduction:
In the modern cybersecurity landscape, identity is the new perimeter, and Microsoft Entra ID (formerly Azure Active Directory) sits at its core. The vast logs generated by Entra ID are a goldmine of security intelligence, but without the proper methodology and tools, critical signals of compromise can be lost in the noise. Mastering the analysis of these logs is no longer a niche skill but a fundamental requirement for defending hybrid and cloud environments against sophisticated identity-based attacks. This article provides a technical deep dive into transforming raw Entra ID audit and sign-in logs into actionable security insights, enabling you to move from a reactive to a proactive security posture.
Learning Objectives:
- Understand the critical Entra ID log types and the specific security data they contain.
- Learn to construct powerful Kusto Query Language (KQL) queries to hunt for threats.
- Implement automated monitoring and alerting based on anomalous identity patterns.
You Should Know:
1. The Foundation: Accessing and Understanding Entra ID Logs
To begin the journey from data to insights, you must first ensure you are collecting the right data. Entra ID provides several log categories, but two are paramount for security: Sign-in logs and Audit logs. Sign-in logs provide details about authentication attempts, including success, failure, and the conditional access policies applied. Audit logs record system and user activities, such as user creation, group membership changes, and application consent grants.
Step-by-step guide:
1. Enable Log Ingestion: Navigate to the Microsoft Entra admin center. You must have an Entra ID P1 or P2 license. Connect these logs to a security information and event management (SIEM) system like Microsoft Sentinel, Splunk, or an Azure Log Analytics workspace. This is non-negotiable for historical analysis and correlation.
2. Understand Key Tables: In a Log Analytics workspace, the core tables are `SigninLogs` and `AuditLogs`. Familiarize yourself with their schema.
3. Basic Reconnaissance Query: Run a simple KQL query to get a feel for the data. This query summarizes sign-in failures by user and application, which is a great starting point for identifying brute-force attacks or misconfigured applications.
SigninLogs
| where ResultType !in ("0", "50140") // Exclude success and "stay signed in" interruptions
| summarize FailedAttempts = count() by UserPrincipalName, AppDisplayName
| sort by FailedAttempts desc
2. Hunting for Impossible Travel and Anonymous Sign-Ins
One of the most potent indicators of a compromised account is “impossible travel,” where two sign-ins from geographically distant locations occur in an impossibly short time frame. Similarly, sign-ins from anonymous IP addresses (e.g., Tor nodes) are highly suspicious.
Step-by-step guide:
1. Concept: The query below uses the `ipv4_lookup` plugin (invoked with `evaluate`) to join with a geolocation database (you would need to import one) and then calculates the time and distance between consecutive successful sign-ins for the same user.
2. KQL Query for Analysis:
let GeoData = external_data(network:string, country_code:string, city:string) [ ... ]; // Reference to your geolocation data
let Signins = SigninLogs
    | where ResultType == "0" // Successful sign-ins
    | project TimeGenerated, UserPrincipalName, IPAddress, LocationDetails;
Signins
| join kind=inner (Signins) on UserPrincipalName // columns from the right side get the suffix 1
| where TimeGenerated < TimeGenerated1
| extend TimeDiff = TimeGenerated1 - TimeGenerated
| where TimeDiff between (1min .. 60min) // Check for logins within an hour
| evaluate ipv4_lookup(GeoData, IPAddress, network)
| project-rename network_src = network, country_src = country_code, city_src = city // avoid name clashes with the second lookup
| evaluate ipv4_lookup(GeoData, IPAddress1, network)
| extend Distance = geo_distance_2points( // note: longitude comes before latitude
      toreal(LocationDetails.geoCoordinates.longitude), toreal(LocationDetails.geoCoordinates.latitude),
      toreal(LocationDetails1.geoCoordinates.longitude), toreal(LocationDetails1.geoCoordinates.latitude))
| where Distance > 500000 // Distance in meters (e.g., 500 km)
| project UserPrincipalName, IPAddress, City1 = tostring(LocationDetails.city), IPAddress1, City2 = tostring(LocationDetails1.city), TimeDiff, Distance
3. Alerting: In Microsoft Sentinel, you can create a scheduled analytics rule based on this query logic to automatically generate incidents for investigation.
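To make the impossible-travel logic concrete without a Log Analytics workspace, here is an added Python example (not code from the original post) that runs the same rule offline over a constructed set of SigninLogs-style records: only successful sign-ins (ResultType "0") are considered, each (earlier, later) pair for a user is compared like the self-join in the KQL, and pairs within 1 to 60 minutes of each other but more than 500 km apart are reported. The sample records, the field layout of LocationDetails.geoCoordinates and the haversine helper are assumptions of this example.

```python
import math
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample of SigninLogs-style records (not real data). Field names follow the
# columns the KQL above uses; ResultType "0" is a success, and LocationDetails carries the
# geoCoordinates Entra ID attaches to each sign-in.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "0",
     "LocationDetails": {"city": "Amsterdam", "geoCoordinates": {"latitude": 52.37, "longitude": 4.90}}},
    {"TimeGenerated": "2024-05-01T08:25:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "198.51.100.7", "ResultType": "0",
     "LocationDetails": {"city": "New York", "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.20", "ResultType": "0",
     "LocationDetails": {"city": "Amsterdam", "geoCoordinates": {"latitude": 52.37, "longitude": 4.90}}},
    {"TimeGenerated": "2024-05-01T09:30:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.21", "ResultType": "0",
     "LocationDetails": {"city": "Rotterdam", "geoCoordinates": {"latitude": 51.92, "longitude": 4.48}}},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "192.0.2.5", "ResultType": "50126",  # failed sign-in: excluded, like ResultType == "0" in KQL
     "LocationDetails": {"city": "Sydney", "geoCoordinates": {"latitude": -33.87, "longitude": 151.21}}},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "192.0.2.6", "ResultType": "0",
     "LocationDetails": {"city": "Tokyo", "geoCoordinates": {"latitude": 35.68, "longitude": 139.69}}},
    {"TimeGenerated": "2024-05-01T12:30:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "192.0.2.7", "ResultType": "0",
     "LocationDetails": {"city": "Sydney", "geoCoordinates": {"latitude": -33.87, "longitude": 151.21}}},
]

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres, the same quantity KQL's geo_distance_2points returns."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _parse_time(value):
    # Log Analytics exports ISO 8601 with a trailing Z; fromisoformat needs an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_impossible_travel(records, min_gap=timedelta(minutes=1),
                           max_gap=timedelta(minutes=60), min_distance_m=500_000):
    """Return pairs of successful sign-ins by the same user that happened within
    max_gap of each other but from locations more than min_distance_m apart."""
    per_user = {}
    for rec in records:
        if rec["ResultType"] != "0":          # successful sign-ins only
            continue
        per_user.setdefault(rec["UserPrincipalName"], []).append(rec)

    findings = []
    for upn, signins in per_user.items():
        signins.sort(key=lambda r: _parse_time(r["TimeGenerated"]))
        # every (earlier, later) pair: the Python equivalent of the self-join in the KQL
        for earlier, later in combinations(signins, 2):
            gap = _parse_time(later["TimeGenerated"]) - _parse_time(earlier["TimeGenerated"])
            if not (min_gap <= gap <= max_gap):
                continue
            g1 = earlier["LocationDetails"]["geoCoordinates"]
            g2 = later["LocationDetails"]["geoCoordinates"]
            distance = haversine_m(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            if distance > min_distance_m:
                findings.append({
                    "UserPrincipalName": upn,
                    "IPAddress": earlier["IPAddress"], "City1": earlier["LocationDetails"]["city"],
                    "IPAddress1": later["IPAddress"], "City2": later["LocationDetails"]["city"],
                    "TimeDiffMinutes": gap.total_seconds() / 60,
                    "DistanceKm": round(distance / 1000),
                })
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data only alice is reported (Amsterdam to New York in 25 minutes); bob's Amsterdam-to-Rotterdam hop is too short a distance, and carol's Tokyo-to-Sydney pair falls outside the 60-minute window. The pairwise comparison is quadratic per user, which is fine for an hourly window but is the reason the production version belongs in KQL, where the time filter is applied inside the join.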
3. Detecting Privileged Identity Manipulation
Attackers seeking persistence and escalation often target highly privileged accounts. Monitoring for specific, high-risk audit events is crucial.
Step-by-step guide:
1. Identify Critical Events: Key activities to monitor include adding a user to a privileged role, adding a user to a highly privileged group (e.g., “Domain Admins” in hybrid scenarios, “Global Administrators”), and changing a user’s password (a potential takeover indicator).
2. KQL Query for Audit Logs:
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName in ("Add member to role", "Add user", "Update user", "Add member to group")
| where tostring(TargetResources) has_any ("Global Administrator", "Privileged Role Administrator", "Domain Admins")
    or (OperationName == "Update user" and Result == "success" and tostring(TargetResources[0].modifiedProperties) has "Password")
| project TimeGenerated, OperationName, InitiatedBy = tostring(InitiatedBy.user.userPrincipalName), Target = tostring(TargetResources[0].userPrincipalName), IPAddress = tostring(InitiatedBy.user.ipAddress), Result
3. Mitigation: Configure Privileged Identity Management (PIM) to require justification and approval for role activation. This query should feed directly into a high-severity alert.
4. Uncovering Risky OAuth Application Consent
A user granting excessive permissions to a third-party application can create a massive security hole. Monitoring the audit log for application consent grants is essential.
Step-by-step guide:
1. Concept: The audit log records when a user or admin consents to an application’s permission request. You should scrutinize these events, especially for applications requesting high-privilege permissions like `Mail.ReadWrite` or `Directory.ReadWrite.All`.
2. KQL Query:
AuditLogs
| where OperationName == "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| extend Props = TargetResources[0].modifiedProperties
| mv-apply Prop = Props on (
    // pick each property by its displayName rather than by position in the array
    summarize ConsentType = take_anyif(tostring(Prop.newValue), tostring(Prop.displayName) == "ConsentContext.IsAdminConsent"),
              Permissions = take_anyif(tostring(Prop.newValue), tostring(Prop.displayName) == "ConsentAction.Permissions")
  )
| where Permissions has_any ("Directory.ReadWrite.All", "Mail.ReadWrite", "Sites.FullControl.All")
| project TimeGenerated, User = tostring(InitiatedBy.user.userPrincipalName), AppId, ConsentType, Permissions
3. Hardening: Implement an Admin Consent Workflow in Entra ID to prevent users from consenting to applications indiscriminately, forcing such requests to be reviewed by an administrator.
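The two audit-log hunts in sections 3 and 4 share one parsing problem: the interesting values live inside TargetResources[].modifiedProperties, where each entry is identified by its displayName and its newValue is a JSON-encoded string. The following added Python example (not code from the original post) shows both detections running offline over constructed AuditLogs-style records. The sample events, the helper names and the exact layout of the records are assumptions of this example; the property names Role.DisplayName, Group.DisplayName, ConsentContext.IsAdminConsent and ConsentAction.Permissions are the ones Entra ID writes for these operations.

```python
import json
import re

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Domain Admins"}
HIGH_RISK_PERMISSIONS = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Sites.FullControl.All"}

# Constructed AuditLogs-style records shaped like the JSON Log Analytics returns (not real events).
# As in the real schema, each modifiedProperties newValue is itself a JSON-encoded string.
SAMPLE_AUDIT_LOGS = json.loads(r'''[
 {"TimeGenerated": "2024-05-01T08:00:00Z", "OperationName": "Add member to role", "Result": "success",
  "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
  "TargetResources": [{"type": "User", "userPrincipalName": "mallory@example.com",
    "modifiedProperties": [{"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Global Administrator\""}]}]},
 {"TimeGenerated": "2024-05-01T08:05:00Z", "OperationName": "Add member to group", "Result": "success",
  "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
  "TargetResources": [{"type": "User", "userPrincipalName": "dave@example.com",
    "modifiedProperties": [{"displayName": "Group.DisplayName", "oldValue": null, "newValue": "\"Marketing\""}]}]},
 {"TimeGenerated": "2024-05-01T08:10:00Z", "OperationName": "Consent to application", "Result": "success",
  "InitiatedBy": {"user": {"userPrincipalName": "eve@example.com", "ipAddress": "198.51.100.7"}},
  "TargetResources": [{"type": "ServicePrincipal", "id": "00000000-0000-0000-0000-000000000001",
    "modifiedProperties": [
      {"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""},
      {"displayName": "ConsentAction.Permissions", "oldValue": null,
       "newValue": "\"[] => [[Scope: Mail.ReadWrite Directory.ReadWrite.All]]\""}]}]},
 {"TimeGenerated": "2024-05-01T08:15:00Z", "OperationName": "Consent to application", "Result": "success",
  "InitiatedBy": {"user": {"userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.8"}},
  "TargetResources": [{"type": "ServicePrincipal", "id": "00000000-0000-0000-0000-000000000002",
    "modifiedProperties": [
      {"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""},
      {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Scope: User.Read]]\""}]}]}
]''')


def modified_property(target, display_name):
    """Decoded newValue of the named entry in a target's modifiedProperties, or None.
    Looking properties up by displayName avoids the fragile modifiedProperties[0] indexing."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == display_name:
            raw = prop.get("newValue")
            if isinstance(raw, str):
                try:
                    return json.loads(raw)  # strip the JSON encoding layer
                except json.JSONDecodeError:
                    return raw
            return raw
    return None


def _actor(rec):
    user = rec.get("InitiatedBy", {}).get("user", {})
    return user.get("userPrincipalName"), user.get("ipAddress")


def privileged_role_changes(records):
    """Section 3: role or group additions whose target role/group is in PRIVILEGED_ROLES."""
    findings = []
    for rec in records:
        if rec.get("OperationName") not in ("Add member to role", "Add member to group"):
            continue
        actor, ip = _actor(rec)
        for target in rec.get("TargetResources", []):
            name = (modified_property(target, "Role.DisplayName")
                    or modified_property(target, "Group.DisplayName"))
            if name in PRIVILEGED_ROLES:
                findings.append({"TimeGenerated": rec["TimeGenerated"], "OperationName": rec["OperationName"],
                                 "InitiatedBy": actor, "IPAddress": ip,
                                 "Target": target.get("userPrincipalName"), "Role": name,
                                 "Result": rec.get("Result")})
    return findings


def risky_consent_grants(records):
    """Section 4: consent events that grant any permission in HIGH_RISK_PERMISSIONS."""
    findings = []
    for rec in records:
        if rec.get("OperationName") != "Consent to application":
            continue
        actor, ip = _actor(rec)
        for target in rec.get("TargetResources", []):
            permissions = modified_property(target, "ConsentAction.Permissions") or ""
            # whole-term matching, like KQL has_any: "Mail.ReadWrite.Shared" must not match "Mail.ReadWrite"
            granted = sorted(HIGH_RISK_PERMISSIONS & set(re.findall(r"[\w.]+", permissions)))
            if granted:
                findings.append({"TimeGenerated": rec["TimeGenerated"], "User": actor, "IPAddress": ip,
                                 "AppId": target.get("id"),
                                 "IsAdminConsent": modified_property(target, "ConsentContext.IsAdminConsent"),
                                 "HighRiskPermissions": granted})
    return findings


if __name__ == "__main__":
    for finding in privileged_role_changes(SAMPLE_AUDIT_LOGS) + risky_consent_grants(SAMPLE_AUDIT_LOGS):
        print(finding)
```

On the sample data the role check reports only mallory's Global Administrator assignment (the Marketing group add is ignored) and the consent check reports only eve's grant, with IsAdminConsent "False" showing it was a user consent, which is exactly the case the admin consent workflow in step 3 is meant to intercept.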
5. Leveraging PowerShell for Automated Log Retrieval
While KQL is ideal for analysis, you may need to extract logs for offline review or integration with other tools. PowerShell, combined with the Microsoft Graph API, is perfect for this.
Step-by-step guide:
1. Install Module: Install the `Microsoft.Graph` PowerShell module:
Install-Module Microsoft.Graph
2. Authenticate: Connect to Graph with the required scopes:
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
3. Script to Retrieve Sign-In Logs:
# Retrieve sign-in logs from the last 24 hours with failures
$Since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Params = @{
    # 50126: invalid username or password. The Graph property is status/errorCode (ResultType is the Log Analytics column name)
    Filter = "createdDateTime ge $Since and status/errorCode eq 50126"
    All    = $true
}
$SignInLogs = Get-MgAuditLogSignIn @Params
$SignInLogs |
    Select-Object UserDisplayName, UserPrincipalName, IPAddress, CreatedDateTime,
        @{ Name = 'ErrorCode'; Expression = { $_.Status.ErrorCode } },
        @{ Name = 'FailureReason'; Expression = { $_.Status.FailureReason } } |
    Format-Table
This script can be scheduled as a task to periodically collect high-risk sign-in data for further processing.
What Undercode Say:
- Identity is the Primary Attack Vector: The sophistication of attacks has decisively shifted from network perimeters to the identity layer. A mature security operation is defined by its ability to monitor, analyze, and respond to identity threats with the same rigor applied to network intrusions.
- Automation is Non-Negotiable: Manual review of Entra ID logs is a futile exercise. The scale and speed of modern attacks demand that detection logic be codified into automated KQL queries and alerting rules within a SIEM like Microsoft Sentinel. Proactive hunting, guided by these queries, is what separates resilient organizations from breach victims.
The session highlighted by Gianni Castaldi underscores a critical evolution in IT responsibilities. Cloud administrators and security analysts must now possess the skills of a data detective, using KQL as their primary tool. The raw logs are meaningless without the context and correlation that well-structured queries provide. Failing to invest in these skills and the underlying SIEM infrastructure is to operate blind to the most common and damaging attack paths in use today.
Prediction:
The role of Entra ID logs will only grow in strategic importance. As AI-driven identity attacks become more prevalent, characterized by low-and-slow password sprays and AI-generated social engineering, static defense rules will become less effective. The future of cloud identity protection lies in behavioral analytics and User and Entity Behavior Analytics (UEBA) platforms, which are built directly on top of this log data. Organizations that have mastered foundational KQL querying and log management will be uniquely positioned to integrate these advanced AI security solutions, using them to detect subtle anomalies that traditional rules miss. Consequently, the ability to derive “Valuable Insights” from identity logs will become the single biggest differentiator between secured and compromised enterprises in the next 3-5 years.
Reported By: Giannicastaldi Dutch – Hackers Feeds