
Introduction:
Microsoft Entra ID’s sign-in logs now carry a Session ID that ties every sign-in and token refresh belonging to one user session together, which makes session-level auditing far easier than correlating by user and time. Filtering the logs for a single session by hand in the portal is still tedious, so a PowerShell script that pulls the records and writes them to CSV lets security teams produce a session-scoped incident report quickly.
Learning Objectives:
- Retrieve comprehensive session logs using PowerShell.
- Customize log extraction by date range for forensic analysis.
- Export session activity data to CSV for further investigation.
You Should Know:
1. Retrieving Entra ID Sign-In Logs with PowerShell
Command:
Connect-AzureAD
$sessionLogs = Get-AzureADAuditSignInLogs -Filter "sessionId eq 'YOUR_SESSION_ID'"
$sessionLogs | Export-Csv -Path "SessionLogs.csv" -NoTypeInformation
Step-by-Step Guide:
1. Connect with `Connect-AzureAD`. The AzureAD and AzureADPreview modules are deprecated; the Microsoft Graph PowerShell equivalents are `Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"` and `Get-MgAuditLogSignIn` (Microsoft.Graph.Reports module), which accept the same OData `-Filter` syntax.
2. Call `Get-AzureADAuditSignInLogs` with a filter on `sessionId`, replacing `YOUR_SESSION_ID` with the value from the Session ID column of the sign-in log.
3. Export the result to CSV. Sign-in records contain nested objects (status, location, authenticationDetails); select the scalar properties you need before `Export-Csv`, otherwise those columns are written as `System.Object[]`.
2. Filtering Logs by Date Range
Command:
$startDate = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filteredLogs = Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $startDate and createdDateTime le $endDate"
Step-by-Step Guide:
1. Define `$startDate` and `$endDate` as ISO 8601 UTC strings. Interpolating a raw `[datetime]` into the filter produces a locale-formatted value such as `03/01/2025 09:00:00`, which the OData filter rejects; datetime literals are also written without quotes.
2. Apply the date filter to narrow down the logs. Entra ID keeps sign-in logs for 30 days on P1/P2 tenants (7 days on Free), so a window older than that returns nothing from this cmdlet.
3. Export or analyse the filtered data.
3. Extracting MFA and Certificate-Based Auth Logs
Command:
$mfaLogs = Get-AzureADAuditSignInLogs -All $true |
    Where-Object { $_.AuthenticationRequirement -eq 'multiFactorAuthentication' }
$cbaLogs = Get-AzureADAuditSignInLogs -All $true |
    Where-Object { $_.AuthenticationDetails.AuthenticationMethod -contains 'X.509 Certificate' }
Step-by-Step Guide:
1. Filter the logs down to MFA-authenticated sign-ins. A filter of `authenticationMethod eq 'mfa'` returns nothing, because `authenticationDetails.authenticationMethod` carries method labels such as `Password` or `Microsoft Authenticator app notification`. The reliable signal is `authenticationRequirement`, which reads `multiFactorAuthentication` only when a second factor was actually satisfied (Conditional Access, a risk policy, or security defaults), so filter on that property.
2. For Certificate-Based Authentication, match the method label instead; `X.509 Certificate` is the label the sign-in log uses for CBA (confirm it against a known CBA sign-in in your tenant before relying on it). Both filters run client-side with `Where-Object`, which is slower than a server-side `-Filter` but is not restricted to the subset of properties Graph accepts in `$filter`.
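The three steps above (session lookup, date window, MFA and CBA split) as one script, added here as a worked example and not the post's downloadable script. It uses the Microsoft Graph PowerShell SDK rather than the deprecated AzureAD module, and assumes the Microsoft.Graph.Reports module is installed, the caller can consent to `AuditLog.Read.All` and `Directory.Read.All`, and the session ID is exposed as the `SessionId` property on the returned objects (if that property is empty in v1.0, `Get-MgBetaAuditLogSignIn` from Microsoft.Graph.Beta.Reports exposes the newer fields). The `X.509 Certificate` label and the parameter names are assumptions.

```powershell
# Added example, not the page's script: retrieve one Entra session's sign-ins with the
# Microsoft Graph PowerShell SDK, scope by date server-side, then separate MFA and
# certificate-based sign-ins client-side and export each set to CSV.
#Requires -Modules Microsoft.Graph.Reports
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $SessionId,
    [int]    $DaysBack = 30,   # Entra retains sign-in logs 30 days on P1/P2; older windows return nothing
    [string] $OutDir   = '.'
)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome

# OData datetime literals are ISO 8601 UTC and unquoted; a raw [datetime] interpolated
# into the string is locale-formatted and rejected by Graph.
$fmt   = 'yyyy-MM-ddTHH:mm:ssZ'
$start = (Get-Date).ToUniversalTime().AddDays(-$DaysBack).ToString($fmt)
$end   = (Get-Date).ToUniversalTime().ToString($fmt)

# Filter by user and date server-side (both are supported $filter properties), then
# narrow to the session client-side, so the script also works where sessionId is not
# yet accepted inside $filter. SessionId as a property name is an assumption.
$filter  = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $start and createdDateTime le $end"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All |
           Where-Object { $_.SessionId -eq $SessionId }

if (-not $signIns) {
    Write-Warning "No sign-ins for session $SessionId / $UserPrincipalName in the last $DaysBack days"
    return
}

# Flatten nested objects; Export-Csv writes them as System.Object[] otherwise.
$rows = $signIns | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.CreatedDateTime
        User          = $_.UserPrincipalName
        App           = $_.AppDisplayName
        IP            = $_.IPAddress
        Country       = $_.Location.CountryOrRegion
        Interactive   = $_.IsInteractive
        AuthReq       = $_.AuthenticationRequirement   # singleFactorAuthentication / multiFactorAuthentication
        Methods       = ($_.AuthenticationDetails.AuthenticationMethod -join ';')
        RiskState     = $_.RiskState
        RiskLevel     = $_.RiskLevelDuringSignIn
        ErrorCode     = $_.Status.ErrorCode
        CorrelationId = $_.CorrelationId
        SessionId     = $_.SessionId
    }
} | Sort-Object Time

# authenticationRequirement is the authoritative "second factor satisfied" signal.
$mfa = $rows | Where-Object { $_.AuthReq -eq 'multiFactorAuthentication' }
# CBA appears as the method label 'X.509 Certificate' (assumed label; verify in your tenant).
$cba = $rows | Where-Object { $_.Methods -match 'X\.509 Certificate' }

$base = Join-Path $OutDir "Session-$SessionId"
$rows | Export-Csv -Path "$base.csv"     -NoTypeInformation
$mfa  | Export-Csv -Path "$base-mfa.csv" -NoTypeInformation
$cba  | Export-Csv -Path "$base-cba.csv" -NoTypeInformation

'{0} sign-ins, {1} with MFA, {2} certificate-based, written to {3}*.csv' -f @($rows).Count, @($mfa).Count, @($cba).Count, $base
```

Run it as `.\Get-SessionReport.ps1 -UserPrincipalName alice@contoso.com -SessionId <id>`; the UPN is included in the server-side filter so that the client-side session match only has to walk one user's sign-ins rather than the whole tenant's.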
4. Automating Log Extraction with Purview Audit Logs
Script Link: Download Here
Key Features:
- Fetches records for a specific Session ID and User Principal Name (UPN).
- Reaches back 180 days, the default retention of the Purview unified audit log, compared with 30 days for the Entra sign-in logs queried above. The cmdlet behind it is `Search-UnifiedAuditLog` from the Exchange Online Management module; note that its own `-SessionId` parameter is a paging cursor for large result sets and has nothing to do with the Entra Session ID, so the Entra value cannot be passed there.
- Exports structured CSV reports.
5. Enhancing Threat Hunting with Session Correlation
Command:
$suspiciousLogs = Get-AzureADAuditSignInLogs -Filter "riskState eq 'atRisk' or riskLevelDuringSignIn eq 'high'"
Step-by-Step Guide:
1. Use risk-based filters to surface anomalies. A filter of `riskDetail eq 'aiConfirmedSignInSafe'` would select sign-ins that Identity Protection has already confirmed safe, the opposite of what a hunt wants; `riskState eq 'atRisk'` and `riskLevelDuringSignIn eq 'high'` select sign-ins that are still flagged.
2. Take the Session IDs from those hits, pull every sign-in in the same session, and cross-reference the IPs and user agents with threat intelligence feeds. A session whose later, non-interactive sign-ins come from an IP that never appeared in an interactive sign-in is the typical shape of a replayed token.
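The correlation step above, as an added example that is not part of the original post. It goes beyond the page's single risk filter: it groups sign-ins by Session ID, builds a per-session timeline, and flags a session when any sign-in is still risky, when the session is used from more than one country, or when non-interactive token use comes from an IP that never signed in interactively. It runs offline on the constructed sample rows below; the column names (Time, User, IP, Country, Interactive, AuthReq, RiskState, RiskLevel, SessionId) are an assumption matching a flattened CSV export, so `Import-Csv` output with those headers can be piped in the same way.

```powershell
# Added example, not the page's script: group sign-ins by Entra Session ID, build a
# per-session timeline and flag sessions whose shape suggests token theft or replay.
function Find-SuspiciousSession {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $SignIn)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($SignIn) }
    end {
        $all | Group-Object SessionId | ForEach-Object {
            $events  = @($_.Group | Sort-Object { [datetime]$_.Time })
            $first   = $events[0]
            $last    = $events[-1]
            $reasons = [System.Collections.Generic.List[string]]::new()

            # Rule 1: Identity Protection still flags a sign-in inside this session.
            if ($events | Where-Object { $_.RiskState -eq 'atRisk' -or $_.RiskLevel -eq 'high' }) {
                $reasons.Add('risky sign-in in session')
            }
            # Rule 2: one session used from more than one country.
            $countries = @($events.Country | Sort-Object -Unique)
            if ($countries.Count -gt 1) { $reasons.Add("countries: $($countries -join ',')") }
            # Rule 3: non-interactive (token refresh) sign-ins from an IP that never performed
            # an interactive sign-in in the session: the usual trace of a replayed token.
            # [string] comparison keeps this working for both $true and CSV 'True'.
            $interactiveIps = @($events | Where-Object { [string]$_.Interactive -eq 'True' } |
                               Select-Object -ExpandProperty IP | Sort-Object -Unique)
            $foreign = @($events | Where-Object { [string]$_.Interactive -ne 'True' -and $_.IP -notin $interactiveIps })
            if ($interactiveIps.Count -gt 0 -and $foreign.Count -gt 0) {
                $reasons.Add("silent token use from $(@($foreign.IP | Sort-Object -Unique) -join ',')")
            }

            [pscustomobject]@{
                SessionId  = $_.Name
                User       = $first.User
                Start      = $first.Time
                End        = $last.Time
                Events     = $events.Count
                Suspicious = $reasons.Count -gt 0
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Constructed sample (not real log data): session A is an ordinary workday, session B is
# an interactive MFA login from the UK followed by silent token use from another IP in
# another country, built to trip all three rules.
$sample = @(
    [pscustomobject]@{ Time='2025-03-03T08:02:11Z'; User='alice@contoso.com'; IP='203.0.113.10'; Country='GB'; Interactive=$true;  AuthReq='multiFactorAuthentication';  RiskState='none';   RiskLevel='none'; SessionId='A' }
    [pscustomobject]@{ Time='2025-03-03T09:15:40Z'; User='alice@contoso.com'; IP='203.0.113.10'; Country='GB'; Interactive=$false; AuthReq='singleFactorAuthentication'; RiskState='none';   RiskLevel='none'; SessionId='A' }
    [pscustomobject]@{ Time='2025-03-03T08:30:05Z'; User='bob@contoso.com';   IP='203.0.113.22'; Country='GB'; Interactive=$true;  AuthReq='multiFactorAuthentication';  RiskState='none';   RiskLevel='none'; SessionId='B' }
    [pscustomobject]@{ Time='2025-03-03T11:47:19Z'; User='bob@contoso.com';   IP='198.51.100.7'; Country='NG'; Interactive=$false; AuthReq='singleFactorAuthentication'; RiskState='atRisk'; RiskLevel='high'; SessionId='B' }
)

$sample | Find-SuspiciousSession | Format-Table -AutoSize
```

The Reasons column is the hand-off to threat intelligence: the IPs it names are the ones worth checking against feeds, and the Start/End pair gives the window to pull from the Purview audit log when the Entra sign-in retention has already expired.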
What Undercode Say:
- Key Takeaway 1: PowerShell automation drastically reduces manual log filtering efforts.
- Key Takeaway 2: Session ID tracking improves incident response by providing a clear activity timeline.
Analysis:
The integration of PowerShell with Entra ID logs enables security teams to respond faster to breaches. By automating log extraction, organizations can focus on threat analysis rather than data collection. This approach is particularly useful for compliance audits and forensic investigations.
Prediction:
As cloud identity threats grow, automated log analysis will become essential. Microsoft may further enhance Session ID capabilities with AI-driven anomaly detection, reducing false positives in threat hunting.
For more cybersecurity insights, follow Pavithra (PaVee) on LinkedIn and explore the provided PowerShell script for advanced log management.
Reported By: Pavithra Pavee – Hackers Feeds