Az - Monitoring
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Entra ID - Logs
There are 3 types of logs available in Entra ID:
- Sign-in Logs: Sign-in logs record every authentication attempt, whether successful or failed. They provide details such as IP addresses, locations, device information and the conditional access policies that were applied, which are essential for tracking user activity and detecting suspicious sign-in behaviour or security threats.
- Audit Logs: Audit logs provide a record of all changes made within your Entra ID environment. They capture updates to users, groups, roles or policies, for example. These logs are essential for compliance and security investigations, as they let you review who made which change and when.
- Provisioning Logs: Provisioning logs give information about users provisioned into your tenant through a third-party service (such as on-premises directories or SaaS applications). These logs help you understand how identity information is synchronized.
warning
Note that these logs are not retained for more than 7 days in the free tier, 30 days in the P1/P2 tiers, and an additional 60 days in security signals for risky sign-in activity. However, not even a global admin can destroy or delete them earlier.
Entra ID - Log Systems
- Diagnostic Settings: A diagnostic setting specifies a list of platform log categories and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to. Normal usage charges for the destination will apply. Learn more about the different log categories and the contents of those logs.
- Destinations:
  - Analytics Workspace: Investigation through Azure Log Analytics and alert creation.
  - Storage account: Static analysis and backup.
  - Event hub: Streaming data to external systems such as third-party SIEMs.
  - Monitor partner solutions: Specialized integrations between Azure Monitor and other non-Microsoft monitoring platforms.
- Workbooks: Workbooks combine text, log queries, metrics and parameters into rich interactive reports.
- Usage & Insights: Useful for seeing the most common activity in Entra ID
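As an added example (not code from the page), a coverage check over the JSON returned by the Entra ID diagnostic-settings GET (the microsoft.aadiam call under Enumeration): it reports which log categories are actually exported to a destination and which are missing. The response shape assumed is the standard Azure Monitor diagnostic-settings format, the category names are the ones that API uses, and the sample response is constructed.

```python
import json

# Entra ID log categories a defender normally wants exported (names as used by
# the microsoft.aadiam/diagnosticSettings API). The first four map to the log
# types above; MicrosoftGraphActivityLogs is included because it is off by default.
REQUIRED_CATEGORIES = {
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "AuditLogs",
    "ProvisioningLogs",
    "MicrosoftGraphActivityLogs",
}
# A setting only exports data if at least one of these destinations is set.
DESTINATION_KEYS = ("workspaceId", "eventHubAuthorizationRuleId", "storageAccountId")


def audit_diagnostic_settings(response_json: str) -> dict:
    """Return {'covered': {category: [setting names]}, 'missing': [categories]}
    for the JSON body of GET providers/microsoft.aadiam/diagnosticSettings
    (assumed shape: {"value": [{"name": ..., "properties": {...}}]})."""
    data = json.loads(response_json)
    covered = {}
    for setting in data.get("value", []):
        props = setting.get("properties", {})
        if not any(props.get(k) for k in DESTINATION_KEYS):
            continue  # enabled categories with no destination go nowhere
        for log in props.get("logs", []):
            if log.get("enabled"):
                covered.setdefault(log.get("category"), []).append(setting.get("name"))
    missing = sorted(REQUIRED_CATEGORIES - covered.keys())
    return {"covered": covered, "missing": missing}


# Constructed sample: one setting ships sign-in and audit logs to a workspace;
# a second one enables Graph activity logs but has no destination at all.
SAMPLE = json.dumps({"value": [
    {"name": "to-law", "properties": {
        "workspaceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<law>",
        "logs": [{"category": "SignInLogs", "enabled": True},
                 {"category": "AuditLogs", "enabled": True},
                 {"category": "NonInteractiveUserSignInLogs", "enabled": False}]}},
    {"name": "graph-no-dest", "properties": {
        "logs": [{"category": "MicrosoftGraphActivityLogs", "enabled": True}]}},
]})

if __name__ == "__main__":
    print(json.dumps(audit_diagnostic_settings(SAMPLE), indent=2))
```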
Azure Monitor
These are the main features of Azure Monitor:
- Activity Logs: Azure Activity Logs capture subscription-level events and management operations, giving you an overview of the changes and actions performed on your resources.
  - Activity logs cannot be modified or deleted.
- Change Analysis: Change Analysis automatically detects and shows configuration and state changes in your Azure resources to help identify problems and track changes over time.
- Alerts: Alerts from Azure Monitor are automated notifications triggered when specific conditions or thresholds are met in your Azure environment.
- Workbooks: Workbooks are interactive, customizable dashboards within Azure Monitor that let you combine and visualize data from multiple sources for in-depth analysis.
- Investigator: Investigator lets you dig into log data and alerts in detail to perform thorough analysis and identify the root cause of incidents.
- Insights: Insights provide analysis, performance metrics and actionable recommendations (such as those in Application Insights or VM Insights) to help manage and improve the health and efficiency of your applications and infrastructure.
Log Analytics Workspaces
Log Analytics workspaces are the central repositories in Azure Monitor where you can collect, analyze and visualize log and performance data from your Azure resources and on-premises environments. Key points:
- Centralized Data Storage: They serve as a central place to store diagnostic logs, performance metrics and custom logs generated by your applications and services.
- Powerful Query Capabilities: You can run queries using Kusto Query Language (KQL) to analyze data, generate insights and troubleshoot problems.
- Integration with Monitoring Tools: Log Analytics workspaces integrate with various Azure services (such as Azure Monitor, Azure Sentinel and Application Insights), letting you build dashboards, set up alerts and get a complete overview of your environment.
In summary, a Log Analytics workspace is essential for advanced monitoring, troubleshooting and security analysis in Azure.
You can configure resources to send data to an analytics workspace from the resource's diagnostic settings.
Graph vs ARM logging visibility (useful for OPSEC/hunting)
- Microsoft Graph Activity Logs are not enabled by default. Enable and route them (Event Hubs/Log Analytics/SIEM) to see Graph read calls. Tools such as AzureHound perform a preflight GET to /v1.0/organization that will show up here; default UA observed: azurehound/v2.x.x.
- Entra ID non-interactive sign-in logs record the identity platform authentication (login.microsoftonline.com) used by scripts/tools.
- ARM control-plane read/list (HTTP GET) operations are normally not written to Activity Logs. Visibility of read operations comes from resource Diagnostic Settings for data-plane endpoints only (e.g. *.blob.core.windows.net, *.vault.azure.net), not from ARM control-plane calls to management.azure.com.
- Microsoft Defender XDR Advanced Hunting GraphApiAuditEvents (preview) can reveal Graph calls and token identifiers, but may strip the UserAgent and has a short default retention.
When hunting for AzureHound, correlate Entra sign-in logs and Graph Activity Logs by session ID, IP and user/object IDs, and look for a burst of Graph requests alongside ARM management calls that have no Activity Log coverage.
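The correlation described above, as an added example rather than code from the page: it joins constructed sign-in and Graph Activity events on SessionId, flags sessions with a burst of Graph requests, the azurehound/ user agent or the /v1.0/organization preflight, and reports the user and IP from the matching sign-in. The column names follow the SigninLogs and MicrosoftGraphActivityLogs tables, the thresholds are assumptions, and all sample values are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_COUNT = 5                # this many Graph requests from one session ...
WINDOW = timedelta(minutes=2)  # ... inside this window counts as a burst (assumed thresholds)


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_graph_bursts(signins, graph_events):
    """Join Graph Activity events to sign-ins on SessionId and flag sessions that
    burst, carry the azurehound/ user agent, or open with the /v1.0/organization
    preflight GET. Returns one finding dict per suspicious session."""
    by_session = defaultdict(list)
    for ev in graph_events:
        by_session[ev["SessionId"]].append(ev)
    signin_by_session = {s["SessionId"]: s for s in signins}
    findings = []
    for session, events in by_session.items():
        events.sort(key=lambda e: parse(e["TimeGenerated"]))
        times = [parse(e["TimeGenerated"]) for e in events]
        burst = any(times[i + BURST_COUNT - 1] - times[i] <= WINDOW
                    for i in range(len(times) - BURST_COUNT + 1))
        known_ua = any(e["UserAgent"].lower().startswith("azurehound/") for e in events)
        preflight = events[0]["RequestUri"].endswith("/v1.0/organization")
        if burst or known_ua or preflight:
            s = signin_by_session.get(session, {})  # empty if the sign-in row is missing
            findings.append({"SessionId": session, "UserId": s.get("UserId"),
                             "IPAddress": s.get("IPAddress"), "requests": len(events),
                             "burst": burst, "known_ua": known_ua, "org_preflight": preflight})
    return findings


# Constructed sample events (column names follow the SigninLogs and
# MicrosoftGraphActivityLogs tables; every value is made up).
SIGNINS = [
    {"SessionId": "s1", "UserId": "u-aaa", "IPAddress": "203.0.113.10"},
    {"SessionId": "s2", "UserId": "u-bbb", "IPAddress": "198.51.100.7"},
]
GRAPH = [
    {"SessionId": "s1", "TimeGenerated": f"2024-05-01T10:00:{i:02d}Z",
     "UserAgent": "azurehound/v2.1.0",
     "RequestUri": "https://graph.microsoft.com/v1.0/organization" if i == 0
                   else f"https://graph.microsoft.com/v1.0/users?$skip={i}"}
    for i in range(8)
] + [
    {"SessionId": "s2", "TimeGenerated": "2024-05-01T10:05:00Z",
     "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/me"},
]
```

Session s1 is reported on all three signals, while the single interactive /v1.0/me call in s2 is not.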
Enumeration
Entra ID
# Get last 10 sign-ins
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=10'
# Get last 10 audit logs
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=10'
# Get last 10 provisioning logs
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=10'
# Get EntraID Diagnostic Settings
az rest --method get --uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
# Get Entra ID Workbooks
az rest \
--method POST \
--url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
--headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
--body '{
"subscriptions": ["9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"query": "where type =~ \"microsoft.insights/workbooks\" \n| extend sourceId = tostring(properties.sourceId) \n| where sourceId =~ \"Azure Active Directory\" \n| extend DisplayName = tostring(properties.displayName) \n| extend WorkbookType = tostring(properties.category), LastUpdate = todatetime(properties.timeModified) \n| where WorkbookType == \"workbook\"\n| project DisplayName, name, resourceGroup, kind, location, id, type, subscriptionId, tags, WorkbookType, LastUpdate, identity, properties",
"options": {"resultFormat": "table"},
"name": "e4774363-5160-4c09-9d71-2da6c8e3b00a"
}' | jq '.data.rows'
Azure Monitor
# Get last 10 activity logs
az monitor activity-log list --max-events 10
# Get Resource Diagnostic Settings
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.DocumentDb/databaseAccounts/<db-name>/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview"
# Get Azure Monitor workbooks via Resource Graph (all subscriptions the caller can read)
az rest \
--method POST \
--url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
--headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
--body '{
"query": "resources | where type =~ \"microsoft.insights/workbooks\" | project name, resourceGroup, subscriptionId, location, DisplayName = tostring(properties.displayName), Category = tostring(properties.category), SourceId = tostring(properties.sourceId)",
"options": {"resultFormat": "table"}
}' | jq '.data.rows'
# List Log Analytics workspaces
az monitor log-analytics workspace list --output table
# List alerts
az monitor metrics alert list --output table
az monitor activity-log alert list --output table