Azure Integration - Microsoft Entra ID Logs
Step 1: Create an Event Hub for Microsoft Entra ID Logs
- Go to Azure Portal > Event Hubs > Create Namespace
  - Select Resource Group or create a new one.
  - Choose a Region and a Pricing Tier (Standard or Premium).
  - Click Review + Create → Create.
- Create an Event Hub inside the namespace
  - Navigate to the Namespace → Click + Event Hub.
  - Set Name: `entra-id-logs` (Example)
  - Set Partitions: At least 2 (for redundancy).
  - Click Create.
- Create a Consumer Group (Optional)
  - Go to Event Hub > Consumer Groups.
  - Add a new group (e.g., `elastic-agent-group`).
- Generate Connection String
  - Navigate to Event Hubs Namespace > Shared Access Policies.
  - Click + Add Policy.
  - Set Name: `ElasticAgentPolicy`.
  - Select "Listen" permission.
  - Copy Primary Connection String (used in the next steps).
Step 2: Enable Diagnostic Settings for Microsoft Entra ID
- Go to Azure Portal > Microsoft Entra ID.
- Navigate to Monitoring > Diagnostic Settings.
- Click + Add Diagnostic Setting and configure:
  - Name: `entra-logs-to-elastic`
  - Log Categories:
    - Sign-in logs
    - Audit logs
    - Identity Protection logs
    - Provisioning logs
  - Destination: Select Event Hubs.
  - Choose the Event Hub Namespace created earlier.
  - Select the Event Hub (`entra-id-logs`).
- Click Save.
Step 3: Configure Azure Storage for Checkpointing
- Create a Storage Account
  - Navigate to Azure Portal > Storage Accounts > Create.
  - Select Resource Group (same as Event Hub).
  - Set Storage Account Name: `elasticstorageentra`.
  - Disable Hierarchical Namespace and Enable TLS 1.2.
  - Click Create.
- Create a Blob Container
  - Open the Storage Account > Containers.
  - Click + Container.
  - Set Name: `entra-checkpoints`.
  - Set Public Access Level: Private.
- Copy Storage Account Keys
  - Go to Storage Account > Access Keys.
  - Copy Storage Account Name & Key for Elastic configuration.
Step 4: Configure Elastic Agent in Kibana
- Go to Kibana > Fleet > Integrations.
- Click Azure Logs > Add Integration.
- Configure the integration:
  - Event Hub Name: `entra-id-logs`
  - Consumer Group: `$Default` (or `elastic-agent-group`)
  - Event Hub Connection String: (Paste the copied string)
  - Storage Account Name: `elasticstorageentra`
  - Storage Account Key: (Paste the copied key)
  - Storage Container Name: `entra-checkpoints`
  - Resource Manager Endpoint: Default (`https://management.azure.com/`)
- Click Save & Deploy.
Step 5: Verify Logs in Kibana
- Go to Kibana > Discover.
- Select the index pattern:
- Apply filters to view:
- Failed Sign-ins
- Unauthorized Access Attempts
- Privileged Account Changes
- Create Alerts & Dashboards to track suspicious activity.
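The three filters listed above can be prototyped before building Kibana rules. The script below is an added example (not from the original post or from Elastic): it unwraps a constructed Event Hub message shaped like the diagnostic export envelope (`{"records": [...]}`) and picks out failed sign-ins, repeated failures per user, and role-membership changes. The field names (`category`, `properties.status.errorCode`, `properties.activityDisplayName`) and the role operation names are assumptions about the Entra diagnostic export schema.

```python
"""Triage Microsoft Entra ID records exported via Diagnostic Settings to an Event Hub.
Constructed sample data; field names assume the Entra diagnostic export schema."""
import json
from collections import Counter

# Role-management activities treated as privileged account changes (assumption).
PRIVILEGED_OPS = {"Add member to role", "Remove member from role",
                  "Add eligible member to role"}

# Constructed sample message shaped like one Event Hub payload from the export.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"category": "SignInLogs", "time": "2024-05-01T10:00:01Z",
     "properties": {"userPrincipalName": "alice@example.com",
                    "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}},
    {"category": "SignInLogs", "time": "2024-05-01T10:00:05Z",
     "properties": {"userPrincipalName": "alice@example.com",
                    "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}},
    {"category": "SignInLogs", "time": "2024-05-01T10:01:00Z",
     "properties": {"userPrincipalName": "bob@example.com",
                    "ipAddress": "198.51.100.2", "status": {"errorCode": 0}}},
    {"category": "AuditLogs", "time": "2024-05-01T10:02:00Z",
     "operationName": "Add member to role",
     "properties": {"activityDisplayName": "Add member to role",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
                    "targetResources": [{"userPrincipalName": "bob@example.com"}]}},
]})

def parse_records(message: str) -> list:
    """Unwrap the {"records": [...]} envelope used by diagnostic exports."""
    return json.loads(message).get("records", [])

def failed_signins(records: list) -> list:
    """Sign-in records whose status.errorCode is non-zero (0 means success)."""
    return [r for r in records if r.get("category") == "SignInLogs"
            and r.get("properties", {}).get("status", {}).get("errorCode", 0) != 0]

def repeated_failures(records: list, threshold: int = 2) -> dict:
    """Users with at least `threshold` failed sign-ins in this batch (simple count)."""
    counts = Counter(r["properties"]["userPrincipalName"] for r in failed_signins(records))
    return {upn: n for upn, n in counts.items() if n >= threshold}

def privileged_changes(records: list) -> list:
    """Audit records for directory role membership changes."""
    return [r for r in records if r.get("category") == "AuditLogs"
            and r.get("properties", {}).get("activityDisplayName") in PRIVILEGED_OPS]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_MESSAGE)
    print(len(failed_signins(recs)), repeated_failures(recs), len(privileged_changes(recs)))
```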
Summary
Microsoft Entra ID Logs → Azure Event Hub → Elastic → Kibana
Create Event Hub & Consumer Group
Enable Diagnostic Settings for Microsoft Entra ID
Set Up Azure Storage for Checkpoints
Configure Elastic Agent in Kibana
Monitor Logs & Create Alerts in Kibana