Listen to this Post

Introduction:
In the complex tapestry of modern cloud security, comprehensive logging isn’t just a compliance checkbox—it’s the very foundation of threat detection and incident response. While most organizations capture basic sign-in and endpoint logs, critical telemetry from services like Intune, Key Vault, and Service Principals often falls into a visibility gap, allowing attackers to operate undetected. This article maps the essential but overlooked log sources in the Microsoft ecosystem and provides a technical blueprint for ensuring your security operations center (SOC) has the data needed to catch sophisticated post-compromise activities.
Learning Objectives:
- Identify at least seven critical, yet commonly unmonitored, log sources within Microsoft Azure and Microsoft 365 environments.
- Configure diagnostic settings and pipelines to ingest these logs into a Security Information and Event Management (SIEM) system like Microsoft Sentinel.
- Implement cost-optimization strategies, such as data transformation, to manage log volume without sacrificing forensic value.
You Should Know:
- The Foundational Step: Enabling Diagnostic Settings Across Services
The universal mechanism for exporting logs from Azure resources is the Diagnostic Setting. Without this configured, logs are ephemeral and lost to forensic investigation.
Step‑by‑step guide explaining what this does and how to use it.
What it does: A Diagnostic Setting routes platform logs and metrics for an Azure resource to destinations like a Log Analytics Workspace (LAW), Azure Storage, or an Event Hub.
How to use it (Azure CLI):
1. Identify the target resource’s Resource ID.
- Create or update the diagnostic setting. The command below sends all logs and metrics to a Log Analytics workspace.
az monitor diagnostic-settings create \ --resource <Your-Resource-Id> \ --name "Sentinel-Logging" \ --workspace <Your-Log-Analytics-Workspace-Id> \ --logs '[{"category": "AllLogs", "enabled": true}]' \ --metrics '[{"category": "AllMetrics", "enabled": true}]'For PowerShell or ARM templates, the principle is identical: ensure every critical resource has a diagnostic setting pointing to your central LAW.
-
Securing the Identity Fabric: Service Principal & Workload Identity Logs
Service Principals (non-human identities) are prime targets for attackers. Their sign-in logs and risk events are crucial for detecting credential theft and misuse.
Step‑by‑step guide explaining what this does and how to use it.
What it does: This captures authentication events for applications, managed identities, and service principals. Enabling the diagnostic for `Microsoft.EntraID/servicePrincipals` is free and future-proofs your environment for when you adopt Workload Identity Premium licenses.
How to use it (Azure Portal):
- Navigate to Azure Active Directory > Monitoring > Diagnostic settings.
2. Click + Add diagnostic setting.
3. Select the `SignInLogs` and `NonInteractiveUserSignInLogs` categories.
- Send it to your Log Analytics workspace. The crucial KQL table for querying these logs in Sentinel is
AADServicePrincipalSignInLogs. -
Guarding the Crown Jewels: Key Vault Diagnostic Logs
Key Vault stores secrets, keys, and certificates. Audit logs are vital for detecting unauthorized access or, critically, a `SecretPurge` operation that could be used destructively.
Step‑by‑step guide explaining what this does and how to use it.
What it does: Logs all authentication events (AuditEvent) and data plane operations (e.g., SecretGet, VaultPurge).
How to use it (Azure Policy for Automation):
Manually configuring each vault is error-prone. Enforce compliance via Azure Policy:
1. Assign the built-in policy: “Deploy Diagnostic Settings for Key Vault to Log Analytics workspace.”
2. Specify your target LAW in the policy parameters.
3. The policy will auto-remediate existing vaults and apply to new ones. Query logs in the `AzureDiagnostics` table or the dedicated `AzureDiagnostics` | where ResourceType == “VAULTS”.
4. Monitoring Control Plane Attacks: Intune Audit Logs
If an attacker compromises an Intune Administrator, they can dismantle device hardening. Intune audit logs are essential for tracking these configuration changes.
Step‑by‑step guide explaining what this does and how to use it.
What it does: Captures create, update, delete, and assign actions for Intune objects (policies, applications, device configurations).
How to use it:
- In the Microsoft Intune admin center, go to Tenant administration > Audit logs.
- While you can view logs here, for SIEM integration, you must use the Microsoft Graph API.
- Use a Logic App, Azure Function, or Sentinel Data Connector to regularly call the Graph API endpoint `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents` and ingest the JSON responses into your LAW.
5. Network Forensics: VNET Flow Logs & Public IP DDoS Diagnostics
These logs provide visibility into network-layer attacks and data exfiltration attempts that higher-level logs might miss.Step‑by‑step guide explaining what this does and how to use it.
What it does: VNET Flow Logs show allowed/denied traffic to/from network interfaces. DDoS Protection diagnostics log mitigation flow logs and alerts during an attack.
How to use it (For Flow Logs via PowerShell):$NetworkWatcherRG = "NetworkWatcherRG" $NWLocation = "WestEurope" $NetworkWatcher = Get-AzNetworkWatcher -ResourceGroupName $NetworkWatcherRG -Name $NWLocation $StorageAccount = Get-AzStorageAccount -ResourceGroupName "YourRG" -Name "YourStorageAccount" $VM = Get-AzVM -ResourceGroupName "YourRG" -Name "YourVM" Set-AzNetworkWatcherConfigFlowLog ` -NetworkWatcher $NetworkWatcher ` -TargetResourceId $VM.Id ` -EnableFlowLog $true ` -StorageAccountId $StorageAccount.Id ` -EnableRetention $true ` -RetentionInDays 7
Ingest these logs from storage to Sentinel using the ASC (Azure Storage to Sentinel) connector or a Logic App.
6. The Proactive Measure: Custom Security Attribute Logs
These logs are low-volume but critical for future security models where attributes drive conditional access and entitlement management.
Step‑by‑step guide explaining what this does and how to use it.
What it does: Logs changes to the definition and assignments of custom security attributes in Entra ID.
How to use it:
- In Entra ID > Monitoring & Health > Diagnostic settings.
- Add a new setting and select the `AuditLogs` category.
- Ensure the `CustomSecurityAttribute` operation type is included in the stream sent to Log Analytics. This data lands in the `AuditLogs` table.
7. Cost-Effective Vigilance: Implementing Data Transformation Rules
Ingesting everything is ideal but costly. Data Transformation in Sentinel allows you to filter out unnecessary columns before ingestion, reducing cost while keeping critical events.
Step‑by‑step guide explaining what this does and how to use it.
What it does: A Data Transformation (preview) uses a KQL query to shape the data at ingestion time, dropping irrelevant fields.
How to use it (Example for AzureDiagnostics):
- In your Log Analytics Workspace, go to Tables > select a table like `AzureDiagnostics` > Transform.
- Create a new transformation rule. The KQL below keeps core fields but drops large, often unused XML payloads for a specific resource provider.
source | extend ResourceProvider = tostring(parse_json(ResourceProvider).resourceProvider) | where ResourceProvider != "MICROSOFT.APIMANAGEMENT/SERVICE" // Example filter | project-away _ResourceId, TenantId, CallerIpAddress // Example column drops
- This filtered data is what gets stored, leading to immediate and ongoing cost savings.
What Undercode Say:
- Visibility Precedes Protection: You cannot detect or respond to attacks in blind spots. The most sophisticated XDR is useless if foundational logs from key services are never collected. This setup is less about buying tools and more about conscientious configuration.
- Logging is a Living Configuration: Cloud environments are dynamic. A one-time setup is insufficient. This log source list must be integrated into a continuous compliance framework, checked automatically via Azure Policy or periodic audits, especially after deploying new services like Power Platform environments.
Prediction:
The convergence of AI-driven attacks and increasing cloud complexity will make granular, intelligent logging not just an operational necessity but a primary differentiator for organizational resilience. In the next 2-3 years, we will see a shift from “log everything” to “log intelligently,” with embedded AI in platforms like Sentinel automatically recommending critical log gaps based on your architecture and threat landscape. Furthermore, regulatory frameworks will move beyond mandating “logging” to specifying minimum log source types for critical infrastructure, making the configurations outlined above a baseline legal requirement, not just a best practice. The attackers are automating; our visibility must be automated and comprehensive by default.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jay Kerai – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


