Az - Monitoring

Reading time: 6 minutes

Entra ID - Logs

There are 3 types of logs available in Entra ID:

• Sign-in Logs: Sign-in logs document every authentication attempt, whether successful or failed. They offer details such as IP addresses, locations, device information and applied conditional access policies, which are essential for monitoring user activity and detecting suspicious login behavior or potential security threats.
• Audit Logs: Audit logs provide a record of all changes made within your Entra ID environment. They capture updates to users, groups, roles, or policies for example. These logs are vital for compliance and security investigations, as they let you review who made what change and when.
• Provisioning Logs: Provisioning logs provide information about users provisioned in your tenant through a third-party service (such as on-premises directories or SaaS applications). These logs help you understand how identity information is synchronized.

Entra ID - Log Systems

• Diagnostic Settings: A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to. Normal usage charges for the destination will occur. Learn more about the different log categories and contents of those logs.
  • Destinations:
    • Analytics Workspace: Investigation through Azure Log Analytics and create alerts.
    • Storage account: Static análysis and backup.
    • Event hub: Stream data to external systems like third-party SIEMs.
    • Monitor partner solutions: Special integrations between Azure Monitor and other non-Microsoft monitoring platforms.
• Workbooks: Workbooks combine text, log queries, metrics, and parameters into rich interactive reports.
• Usage & Insights: Useful to see the most common activities in Entra ID

Azure Monitor

These are the main features of Azure Monitor:

• Activity Logs: Azure Activity Logs capture subscription‑level events and management operations, giving you an overview of changes and actions taken on your resources.
  • Activily logs cannot be modified or deleted.
• Change Analysis: Change Analysis automatically detects and visualizes configuration and state changes across your Azure resources to help diagnose issues and track modifications over time.
• Alerts: Alerts from Azure Monitor are automated notifications triggered when specified conditions or thresholds are met in your Azure environment.
• Workbooks: Workbooks are interactive, customizable dashboards within Azure Monitor that enable you to combine and visualize data from various sources for comprehensive analysis.
• Investigator: Investigator helps you drill down into log data and alerts to conduct deep-rooted analysis and identify the cause of incidents.
• Insights: Insights provide analytics, performance metrics, and actionable recommendations (like those in Application Insights or VM Insights) to help you monitor and optimize the health and efficiency of your applications and infrastructure.

Log Analytics Workspaces

Log Analytics workspaces are central repositories in Azure Monitor where you can collect, analyze, and visualize log and performance data from your Azure resources and on-premises environments. Here are the key points:

• Centralized Data Storage: They serve as the central location to store diagnostic logs, performance metrics, and custom logs generated by your applications and services.
• Powerful Query Capabilities: You can run queries using Kusto Query Language (KQL) to analyze the data, generate insights, and troubleshoot issues.
• Integration with Monitoring Tools: Log Analytics workspaces integrate with various Azure services (such as Azure Monitor, Azure Sentinel, and Application Insights) allowing you to create dashboards, set up alerts, and gain a comprehensive view of your environment.

In summary, a Log Analytics workspace is essential for advanced monitoring, troubleshooting, and security analysis in Azure.

You can configure a resource to send data to an analytics workspace from the diagnostic settings of the resource.

Enumeration

Entra ID

# Get last 10 sign-ins
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=10'

# Get last 10 audit logs
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=10'

# Get last 10 provisioning logs
az rest --method get --uri ‘https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=10’

# Get EntraID Diagnostic Settings
az rest --method get --uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"

# Get Entra ID Workbooks
az rest \
  --method POST \
  --url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
  --headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
  --body '{
    "subscriptions": ["9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
    "query": "where type =~ \"microsoft.insights/workbooks\" \n| extend sourceId = tostring(properties.sourceId) \n| where sourceId =~ \"Azure Active Directory\" \n| extend DisplayName = tostring(properties.displayName) \n| extend WorkbookType = tostring(properties.category), LastUpdate = todatetime(properties.timeModified) \n| where WorkbookType == \"workbook\"\n| project DisplayName, name, resourceGroup, kind, location, id, type, subscriptionId, tags, WorkbookType, LastUpdate, identity, properties",
    "options": {"resultFormat": "table"},
    "name": "e4774363-5160-4c09-9d71-2da6c8e3b00a"
  }' | jq '.data.rows'

Azure Monitor

# Get last 10 activity logs
az monitor activity-log list --max-events 10

# Get Resource Diagnostic Settings
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.DocumentDb/databaseAccounts/<db-name>/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview"

# Get Entra ID Workbooks
az rest \
  --method POST \
  --url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
  --headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
  --body '{
    "content": {},
    "commandName": "AppInsightsExtension.GetWorkbooksListArg"
  }'

# List Log Analytic groups
az monitor log-analytics workspace list --output table

# List alerts
az monitor metrics alert list --output table
az monitor activity-log alert list --output table