The Sentinel’s Eye: How to Visualize & Hunt Identity Threats in Microsoft Entra Using Sentinel Workbooks + Video


Introduction:

Identity is the new perimeter, and its logs are a goldmine for threat hunters. By visualizing Microsoft Entra ID sign-in logs within a Microsoft Sentinel workbook, security teams can transform raw authentication data into a dynamic, investigative dashboard. This centralized view is critical for detecting anomalies like impossible travel, spotting attack patterns, and ensuring Conditional Access policies are functioning as intended, all from within the Unified Defender Portal.

Learning Objectives:

  • Learn how to configure data connectors and permissions to feed Entra ID logs into Sentinel.
  • Understand the key tables and KPI visualizations needed for effective identity threat hunting.
  • Gain the ability to build and customize a Sentinel workbook to track sign-in failures, risky events, and legacy authentication attempts.

You Should Know:

1. Prerequisites & Data Connector Configuration

Before visualization comes ingestion. Your Microsoft Sentinel instance must be fed a steady stream of logs from Microsoft Entra ID. This setup is foundational and involves enabling specific data connectors in the Sentinel Content Hub.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Access the Content Hub. In your Microsoft Sentinel workspace, navigate to “Content Hub” (formerly Solution Gallery). Search for and install the “Microsoft Entra ID” solution. This packaged solution includes the necessary connectors, analytics rules, and workbooks.
Step 2: Enable the Sign-In Logs Connector. After installation, go to “Data connectors” under Configuration. Find the “Microsoft Entra ID” connector and open it. On the configuration page, ensure you check the box for “Sign-in logs”. For enhanced visibility, also enable “Audit logs” and “User risk events” (if using Identity Protection).
Step 3: Verify Permissions & Data Flow. Ensure your account and the Sentinel Managed Identity have the necessary reader permissions on the Entra ID tenant and the Log Analytics workspace. Data will typically start flowing into the `SigninLogs` table within 15-30 minutes. Verify with a simple KQL query in the Logs blade: `SigninLogs | take 10`.

2. Core Log Tables for Identity Analysis

Sentinel structures Entra data into specific tables. Knowing which table holds what data is key to building effective queries and visualizations.

SigninLogs: This is your primary table for interactive user sign-ins (e.g., a user logging into the Azure portal or Microsoft 365). It contains detailed properties like user, application, device, location, and Conditional Access results.
AADNonInteractiveUserSignInLogs: Crucial for detecting token-based attacks, this table logs non-interactive sign-ins, such as those using OAuth refresh tokens. A spike here could indicate stolen token usage.
AADServicePrincipalSignInLogs: Focuses on service accounts and applications. Monitoring this table is essential for securing machine-to-machine (M2M) communications and detecting compromised applications.
Supplemental Tables: For a richer view, link data from `IdentityInfo` (user details), `AuthenticationMethods` (for MFA analysis), and `AADUserRiskEvents` (for risky user context).

3. Building the KPI & Trend Dashboard

The power of a workbook lies in its visual summaries. Top-level KPIs and trends allow SOC analysts to gauge the health and security of the identity landscape at a glance.

Step 1: Create a New Workbook. In Sentinel, go to Workbooks > + Add workbook > Edit. Start by adding a new query step.
Step 2: Query for Success vs. Failure Rates. Use a KQL query to calculate key metrics. For a success/failure KPI tile:

SigninLogs
| summarize Total = count(), Success = countif(ResultType == 0), Failures = countif(ResultType != 0)
| extend FailureRate = (todouble(Failures) / todouble(Total)) * 100

Set the visualization to “Tile” and bind the `Success` and `FailureRate` values to the display.
Step 3: Create Time Series Charts. To visualize sign-in trends and failure spikes over the last 7 days:

SigninLogs
| where TimeGenerated > ago(7d)
| summarize Count = count() by bin(TimeGenerated, 1h), Result = iff(ResultType == 0, "Success", "Failure")
| render timechart

This can be plotted in a “Time Chart” visualization to identify anomalous periods.

4. Analyzing Top Users, Apps, and Failure Reasons

Drilling down from trends to specific entities pinpoints the source of issues, whether it’s a misconfigured app, a targeted user, or a specific error like incorrect password.

Step 1: Identify Top Failed Sign-In Users. This query highlights users under potential attack or with credential issues:

SigninLogs
| where ResultType != 0 // Filter for failures only
| summarize FailureCount = count() by UserPrincipalName, ResultType
| top 10 by FailureCount desc

Visualize this as a bar chart.

Step 2: List Top Applications with Failures. This helps identify problematic or malicious third-party integrations:

SigninLogs
| where ResultType != 0
| summarize FailureCount = count() by AppDisplayName
| top 10 by FailureCount desc

Step 3: Map Common Failure Reasons. Understanding `ResultType` codes (e.g., 50126 for invalid username/password, 53003 for blocked by Conditional Access) is vital. Create a pie chart using `| summarize Count = count() by ResultType`.
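As an added example (not from the original post), the following query goes one step beyond a pie of raw codes: it labels the two `ResultType` values named above, uses the `ConditionalAccessStatus` column to separate policy blocks from credential failures, and falls back to the `ResultDescription` text the log already carries for everything else. The bucket names are my own; the column names follow the standard `SigninLogs` schema. Counting distinct users and source IPs per bucket helps tell a handful of users mistyping passwords apart from many accounts failing from few addresses.

```kql
SigninLogs
| where TimeGenerated > ago(7d) and ResultType != 0
// ResultType is stored as a string in SigninLogs, so compare against string literals.
| extend FailureBucket = case(
    ResultType == "50126", "Invalid username or password",
    ResultType == "53003", "Blocked by Conditional Access",
    ConditionalAccessStatus == "failure", "Other Conditional Access failure",
    strcat(ResultType, ": ", ResultDescription))
| summarize Count = count(),
            Users = dcount(UserPrincipalName),
            SourceIPs = dcount(IPAddress),
            LastSeen = max(TimeGenerated)
            by FailureBucket
| sort by Count desc
```

Bind `FailureBucket` and `Count` to a pie chart for the overview; the `Users` and `SourceIPs` columns are best shown in a grid next to it, since the ratio between them is what the analyst reads.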

5. Geo-Location Mapping and Impossible Travel Detection

Visualizing sign-in locations on a map is a powerful method for detecting compromised credentials, where an attacker signs in from a location the user couldn’t physically reach.

Step 1: Extract Location Data. The `SigninLogs` table contains `Location` details, including city, country/region, and latitude/longitude.
Step 2: Create a Map Visualization. In your workbook, add a query that projects location data:

SigninLogs
| where ResultType == 0 and isnotempty(LocationDetails)
| extend lat = todouble(LocationDetails.geoCoordinates.latitude), lon = todouble(LocationDetails.geoCoordinates.longitude)
| summarize Count = count() by Location = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.state)), lat, lon

Set the visualization to “Map” and configure the latitude (lat), longitude (lon), and size (Count) fields.
Step 3: Hunt for Impossible Travel. While automated detection is better via Sentinel Analytics Rules, you can manually hunt by querying for a single user’s successful sign-ins from distant locations within a short time window (e.g., two different countries within 1 hour).
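The manual hunt described in Step 3 can be written as a single query. This is an added example, not code from the original post: it sorts each user's successful sign-ins, compares every row with the previous one via `prev()`, and keeps pairs from two different countries that are less than an hour apart and whose implied travel speed is physically impossible. The 24 h window and the 1000 km/h threshold are assumptions to tune; the column names and the `LocationDetails.geoCoordinates` structure follow the standard `SigninLogs` schema.

```kql
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0 and isnotempty(LocationDetails)
| extend Country = tostring(LocationDetails.countryOrRegion),
         Lat = todouble(LocationDetails.geoCoordinates.latitude),
         Lon = todouble(LocationDetails.geoCoordinates.longitude)
| where isnotnull(Lat) and isnotnull(Lon)
| project TimeGenerated, UserPrincipalName, Country, Lat, Lon, IPAddress, AppDisplayName
// sort serializes the rows so prev() returns the same user's previous sign-in.
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser = prev(UserPrincipalName),
         PrevTime = prev(TimeGenerated),
         PrevCountry = prev(Country),
         PrevLat = prev(Lat),
         PrevLon = prev(Lon),
         PrevIP = prev(IPAddress)
// Only compare consecutive sign-ins of the same user from different countries.
| where PrevUser == UserPrincipalName and PrevCountry != Country
| extend MinutesBetween = datetime_diff('minute', TimeGenerated, PrevTime)
| where MinutesBetween between (0 .. 60)
// geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns metres.
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0
| extend ImpliedSpeedKmh = iff(MinutesBetween > 0, DistanceKm / (MinutesBetween / 60.0), real(+inf))
| where ImpliedSpeedKmh > 1000
| project TimeGenerated, UserPrincipalName, PrevCountry, PrevIP, Country, IPAddress,
          MinutesBetween, DistanceKm, ImpliedSpeedKmh, AppDisplayName
```

Expect false positives from corporate VPN and cloud egress addresses and from mobile carriers whose geolocation is coarse; excluding known egress ranges held in a Sentinel watchlist (`_GetWatchlist`) before the comparison removes most of them, and the remaining hits are worth a look at the two IPs and the application involved.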

6. Integrating Risky Sign-Ins and Legacy Auth Tracking

Layering risk signals from Entra ID Identity Protection and tracking deprecated protocols provides a proactive security stance.

Step 1: Link Risky User Events. If you’ve enabled User Risk Events, join this data with sign-in logs for context:

SigninLogs
| where TimeGenerated > ago(1d)
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
| project-away TimeGenerated1

Step 2: Hunt for Legacy Authentication. Protocols like IMAP, POP3, and SMTP often bypass MFA. Create an alert tile by querying the `SigninLogs` table for `ClientAppUsed` values like Exchange ActiveSync, IMAP, POP3, etc.
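Rather than listing every legacy protocol name by hand, the added query below (not from the original post) treats anything that is not one of the two modern client types as legacy and ranks the protocols by successful sign-ins, which are the ones that matter because a success over a legacy protocol is an authentication that MFA could not protect. The two client names in `ModernClients` are the values Entra writes to `ClientAppUsed` for modern clients; the 7-day window is an assumption.

```kql
// Client types that support modern authentication; every other value is treated as legacy.
let ModernClients = dynamic(["Browser", "Mobile Apps and Desktop clients"]);
SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(ClientAppUsed) and ClientAppUsed !in (ModernClients)
| summarize Attempts = count(),
            Successes = countif(ResultType == 0),
            Users = dcount(UserPrincipalName),
            SampleUsers = make_set(UserPrincipalName, 5),
            LastSeen = max(TimeGenerated)
            by ClientAppUsed
| sort by Successes desc, Attempts desc
```

For the alert tile itself, replace the `summarize ... by ClientAppUsed` with a single `summarize LegacySuccesses = countif(ResultType == 0)` over a 24 h window and bind that value to the tile; the grid above then serves as the drill-down that shows which protocol and which accounts are behind the number.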

7. Creating Deep Links for Rapid Investigation

A SOC dashboard isn’t just for viewing; it’s for doing. Adding deep links that teleport an analyst directly to the relevant user or sign-in event in the Entra admin center drastically reduces Mean Time to Respond (MTTR).

Step 1: Construct the Entra Portal URL. The base URL for a user's sign-in logs in the Entra portal follows this pattern: `https://entra.microsoft.com/view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/SignIns/userId/`, followed by the user's Object ID (the `UserId` column in the logs).
Step 2: Add a Hyperlink Column in Your Workbook. In a query step that lists users (e.g., top failure users), add a computed column that generates the link. In the workbook editor's advanced settings for that column, use a formula like:

`http://aka.ms/entra-signins?userId={UserId}`

Or build it manually: `https://entra.microsoft.com/view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/SignIns/userId/{grid['UserId']}`. This will render a clickable link next to each user entry.
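An alternative to a computed column in the editor is to build the link in the query itself, so it travels with the workbook JSON and needs no per-column formula. This is an added example, not from the original post; it reuses the portal URL pattern from Step 1 and assumes that the `SignInLink` column is then given the grid's Link renderer with the URL taken from the cell value.

```kql
SigninLogs
| where TimeGenerated > ago(1d) and ResultType != 0
// Keep UserId in the grouping so the object ID is available for the link.
| summarize FailureCount = count(), LastFailure = max(TimeGenerated) by UserPrincipalName, UserId
| top 10 by FailureCount desc
// Same portal URL pattern as Step 1, with the user's object ID appended.
| extend SignInLink = strcat("https://entra.microsoft.com/view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/SignIns/userId/", UserId)
| project UserPrincipalName, FailureCount, LastFailure, SignInLink
```

In the grid's column settings, set `SignInLink` to render as a link that opens the cell's URL; the analyst then lands on that user's sign-in history in the Entra admin center with one click, which is exactly the MTTR gain the section describes.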

What Undercode Says:

  • Visibility is the First Step to Control: You cannot secure what you cannot see. This workbook template transforms opaque log streams into a coherent visual narrative for identity, which is the primary attack vector today.
  • Automation Starts with Contextualization: While Sentinel Analytics Rules provide automated alerts, a well-crafted workbook provides the contextual backdrop needed to validate those alerts quickly, reducing false positives and accelerating investigation.

The methodology outlined here moves beyond simple log review to operationalized threat hunting. By systematically visualizing success/failure rates, geographic anomalies, and risk correlations, SOC teams shift from a reactive to a proactive posture. The inclusion of deep links is a masterstroke in workflow design, acknowledging that a tool must not only inform but also act as a launchpad for response. In an era of identity-centric attacks, such a centralized, intelligent pane of glass is not a luxury—it’s an operational necessity for any mature SecOps team.

Prediction:

The integration of Entra ID logs with Sentinel workbooks represents a stepping stone towards the fully AI-driven SOC. In the near future, we can expect these visualizations to become dynamically interactive, with embedded Security Copilot prompts that automatically generate hunting queries based on a clicked data point. Furthermore, workbooks will evolve from static dashboards into live investigation canvases, where visualizations of attack paths (from initial identity compromise to lateral movement) are auto-generated, and remediation actions can be triggered directly from the chart. The line between visualization, investigation, and response will continue to blur, powered by AI agents acting on the insights these dashboards surface.

Reported By: Uros Babic – Hackers Feeds