Ingest authentication and audit logs and data from Microsoft Azure AD for use in Cortex XDR authentication stories.
Ingesting logs from Azure AD requires a Cortex XDR Pro per TB license and a Microsoft Azure Premium 1 or Premium 2 license.
To receive authentication and audit logs from Azure AD, you must first configure the Data Collection settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.

When Cortex XDR begins receiving logs, the app creates a new dataset (authentication logs or audit logs) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. When relevant, Cortex XDR stitches Azure AD authentication logs with authentication stories. Cortex XDR can also raise alerts (IOC and BIOC only) from Azure AD logs when relevant.
From the Microsoft Azure Console, create an app for Cortex XDR with the following API permissions:

For more information on Microsoft Azure, see the following instructions on the Microsoft documentation portal: