Ingest Logs from Microsoft Azure AD
Ingest authentication and audit logs and data from Microsoft Azure AD for use in Cortex XDR authentication stories.
Ingesting logs from Azure AD requires a Cortex XDR Pro per TB license and an Azure AD Premium P1 or P2 license (the Azure AD sign-in log API is only available on Premium tenants).
To receive authentication and audit logs from Azure AD, you must first configure the SaaS Log Collection settings in Cortex XDR. After you set up log collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_AD_raw for authentication logs or MSFT_Azure_AD_Audit_raw for audit logs) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. When relevant, Cortex XDR stitches Azure AD authentication logs with authentication stories. Cortex XDR can also raise alerts (IOC and BIOC only) from Azure AD logs when relevant.
- From the Microsoft Azure Console, create an app registration for Cortex XDR with the following Microsoft Graph API permissions: AuditLog.Read.All and Directory.Read.All. Both must be added with type Application (not Delegated), and application permissions take effect only after a Global Administrator or Privileged Role Administrator grants admin consent for the tenant; without consent the connection test fails with an authorization error even though the credentials are valid. For more information, see the following instructions on the Microsoft documentation portal:
- Add API permissions for Directory.Read.All and AuditLog.Read.All with type Application: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis
- Select Settings > SaaS Log Collection.
- Integrate the Microsoft Azure AD authentication service with Cortex XDR.
- Enter the Tenant Domain of your Microsoft Azure AD tenant.
- Obtain the Application (client) ID and the client Secret for your app registration from the Microsoft Azure Console and enter the values in Cortex XDR. These values enable Cortex XDR to authenticate with your Azure AD service. The secret value is shown only once when it is created, and client secrets expire; record the expiry date and rotate the secret before then, otherwise log collection stops silently. Treat the secret as a credential that grants read access to your entire directory and all sign-in history.
- Select the types of logs that you want to receive from your Azure AD service. Options are Authentication Logs and Audit Logs. By default, both options are enabled.
- Test the connection settings. To test the connection, you must select one or both log types. Cortex XDR then tests the connection settings for the selected log types.
- If successful, Enable Azure AD log collection.
- After Cortex XDR begins receiving logs, you can return to the SaaS Log Collection page to view the log collection status.If you set up Cortex XDR to receive both authentication and audit logs, the events total includes both log types.
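The following is an added example, not code from Palo Alto Networks or from the Cortex XDR product, for checking the app registration before you run the connection test above. It builds the client-credentials token request that a daemon app such as the collector uses against the tenant's v2.0 token endpoint, and then inspects the resulting access token's `roles` claim, which is where Azure AD places the granted application permissions; an empty or incomplete `roles` claim means admin consent for AuditLog.Read.All or Directory.Read.All is still missing. The Graph endpoints listed for the two log types are an assumption about what a collector would read; the page itself does not name them. The sample token is constructed and unsigned, so the check runs offline; the decoder deliberately skips signature verification and must never be used to trust a token presented by a third party.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the page says the Cortex XDR app registration needs.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}

# Assumption: Microsoft Graph endpoints behind the two selectable log types.
GRAPH_ENDPOINTS = {
    "Authentication Logs": "https://graph.microsoft.com/v1.0/auditLogs/signIns",
    "Audit Logs": "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits",
}


def token_request(tenant_domain: str, client_id: str, client_secret: str):
    """Build the OAuth 2.0 client-credentials request for an app-only token.
    Returns (url, form-encoded body); nothing is sent."""
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for every application permission consented on the app.
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def request_token(tenant_domain: str, client_id: str, client_secret: str) -> str:
    """Send the request over the network and return the access token.
    Not exercised offline; shown for use against a real tenant."""
    url, body = token_request(tenant_domain, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)       # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for inspecting a token you just received from the token endpoint;
    never use this to authenticate a token someone else hands you."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Application permissions appear in the `roles` claim of an app-only
    token. Anything required but absent means admin consent was not granted."""
    granted = set(jwt_claims(token).get("roles", []))
    return set(required) - granted


def endpoints_for(log_types) -> dict:
    """Map the log types selected in Cortex XDR to the Graph endpoints the
    connection test would have to reach (assumed mapping, see lead-in)."""
    return {name: GRAPH_ENDPOINTS[name] for name in log_types}


def make_fake_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for the offline demonstration."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed sample: consent granted for only one of the two permissions.
    token = make_fake_token({"aud": "https://graph.microsoft.com",
                             "roles": ["Directory.Read.All"]})
    gap = missing_roles(token)
    print("missing admin consent for:", sorted(gap) or "nothing")
    print(endpoints_for(["Authentication Logs", "Audit Logs"]))
```

Run `request_token(...)` with the tenant domain, Application (client) ID and secret you entered in Cortex XDR, pass the result to `missing_roles`, and fix consent in the Azure portal until it returns an empty set; only then is the in-app connection test worth running.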