Ingest Logs from Microsoft Azure AD

Ingest authentication and audit logs and data from Microsoft Azure AD for use in Cortex XDR authentication stories.
Ingesting logs from Azure AD requires a Cortex XDR Pro per TB license and a Microsoft Azure Premium 1 or Premium 2 license.
To receive authentication and audit logs from Azure AD, you must first configure the Data Collection settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.
To address Azure reporting latency, there is a 10-minute latency period for Cortex XDR to receive Azure AD logs.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_AD_raw for authentication logs or MSFT_Azure_AD_Audit_raw for audit logs) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. When relevant, Cortex XDR stitches Azure AD authentication logs with authentication stories. Cortex XDR can also raise Cortex XDR alerts (IOC and BIOC only) when relevant from Azure AD logs.
  1. From the Microsoft Azure Console, create an app for Cortex XDR with the following API permissions: AuditLog.Read.All and Directory.Read.All. For more information on Microsoft Azure, see the following instructions on the Microsoft documentation portal:
  2. Select Settings > Configurations > Data Collection > Collection Integrations.
  3. Integrate the Microsoft Azure AD authentication service with Cortex XDR.
    1. Enter the Tenant Domain of your Microsoft Azure AD tenant.
    2. Obtain the Application Client ID and Secret for your Azure AD service from the Microsoft Azure Console and enter the values in Cortex XDR. These values enable Cortex XDR to authenticate with your Azure AD service.
    3. Select the types of logs that you want to receive from your Azure AD service. Options are Authentication Logs and Audit Logs. By default, both options are enabled.
    4. Test the connection settings. To test the connection, you must select one or both log types. Cortex XDR then tests the connection settings for the selected log types.
    5. If successful, Enable Azure AD log collection.
  4. After Cortex XDR begins receiving logs, you can return to the Integrations page to view the log collection status. If you set up Cortex XDR to receive both authentication and audit logs, the events total includes both log types.
  5. As part of your investigation flows, create queries when needed to search for specific Azure AD logs. See Create an Authentication Query (authentication logs only) or Create an XQL Query.
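The following added example (not Cortex XDR or Palo Alto Networks code) models the collector side of steps 1 and 3 together with the 10-minute latency window described above: an app-credential token request, a poll window that never asks for events newer than now minus 10 minutes, and the rule that at least one log type must be selected. The mapping of the two log types to Microsoft Graph's signIns and directoryAudits endpoints is an assumption; the page does not state which API Cortex XDR calls.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Azure AD logs are read through Microsoft Graph; the page does
# not name the API Cortex XDR uses.
LATENCY = timedelta(minutes=10)          # reporting latency the page describes
GRAPH = "https://graph.microsoft.com/v1.0"
LOG_TYPES = {
    "authentication": f"{GRAPH}/auditLogs/signIns",
    "audit": f"{GRAPH}/auditLogs/directoryAudits",
}

def token_request(tenant_domain: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials token request for the app registered in step 1."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
    }

def poll_window(watermark: datetime, now: datetime):
    """Return (start, end) to fetch, or None when nothing is due yet.
    Events newer than now - 10 min may not be reported by Azure yet, so the
    window ends there and the watermark only ever advances to that end."""
    end = now - LATENCY
    if watermark >= end:
        return None
    return watermark, end

def graph_filter(start: datetime, end: datetime) -> str:
    """OData $filter on createdDateTime for one poll window (UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"createdDateTime ge {start.strftime(fmt)} and createdDateTime lt {end.strftime(fmt)}"

def collection_requests(selected: set, watermark: datetime, now: datetime) -> dict:
    """One request per selected log type; one or both types must be selected,
    matching the connection-test rule in step 3."""
    if not selected or selected - set(LOG_TYPES):
        raise ValueError(f"select one or both of {sorted(LOG_TYPES)}, got {sorted(selected)}")
    window = poll_window(watermark, now)
    if window is None:
        return {}
    return {t: {"url": LOG_TYPES[t], "params": {"$filter": graph_filter(*window)}}
            for t in selected}

# Constructed sample: the previous poll advanced the watermark to 11:35 UTC.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WATERMARK = datetime(2024, 1, 1, 11, 35, tzinfo=timezone.utc)
```

Running `collection_requests({"authentication", "audit"}, WATERMARK, NOW)` yields two requests whose filter stops at 11:50 UTC, leaving the last 10 minutes for the next poll.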