Connect this data source on your own, using the Hunters platform.
Overview
Table name: azure_signin
Azure Sign-In Logs record authentication events in Azure Entra ID, including the date and time, user identity, status, and client used; they can be used for monitoring and compliance purposes.
Send data to Hunters
STEP 1: Set up Azure Event Hub
Before setting up the connection on the Hunters platform, you'll need to create an Azure Event Hub.
Follow this guide to complete the setup.
STEP 2: Route logs to the Event Hub
- In the Azure portal home screen, open the side menu and click Azure Entra ID.
- Now, scroll down the side menu to the Monitoring section, and click Sign-in Logs.
- Click Export Data Settings.
  The Diagnostic Settings page opens.
- Click Add Diagnostic setting.
- Under Logs, check the following boxes:
  a. SignInLogs
  b. NonInteractiveUserSignInLogs
  c. ServicePrincipalSignInLogs
  d. ManagedIdentitySignInLogs
- Under Destination details, check the Stream to an Event Hub option.
- Fill in the requested details and give the diagnostic setting a name.
- Click Save.
STEP 3: Set up the connection on Hunters
- Open the Hunters platform and navigate to Data > Data Sources.
- Click ADD DATA SOURCES.
- Locate the Microsoft Azure panel and click Connect.
  The Add Data Flows window opens.
- Fill in the required Azure application details, as gathered here under STEP 2.
- Under the Data Types section, activate the data types you want to connect.
- For each activated data type, fill in the required information, as gathered here:
  - Under STEP 1 - Subscription ID
  - Under STEP 3 - Resource group name and Event Hub namespace
  - Under STEP 4 - Event Hub name.
- OPTIONAL: Under the Consumer group field you can specify an Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
- Click Test Connection to make sure everything was set up correctly.
- Once the connection is established, click Submit.
Expected format
{
  "time": "2023-08-02T01:00:24.0727263Z",
  "resourceId": "/tenants/aaaa-1111/providers/Microsoft.aadiam",
  "operationName": "Sign-in activity",
  "operationVersion": "1.0",
  "category": "SignInLogs",
  "tenantId": "aaaa-1111",
  "resultType": "0",
  "resultSignature": "None",
  "durationMs": 0,
  "callerIpAddress": "1.1.1.1",
  "correlationId": "2222-bbbb",
  "identity": "John Doe",
  "Level": 4,
  "location": "US",
  "properties": {
    "id": "1111",
    "createdDateTime": "2023-08-02T00:58:04.7475611+00:00",
    "userDisplayName": "John Doe",
    "userPrincipalName": "john.doe@domain.com",
    "userId": "asdf-1234",
    "appId": "cccc-3333",
    "appDisplayName": "Windows Sign In",
    "ipAddress": "1.1.1.1",
    "status": {"errorCode": 0},
    "clientAppUsed": "Mobile Apps and Desktop clients",
    "userAgent": "Windows-AzureAD-Authentication-Provider/1.0",
    "deviceDetail": {"deviceId": "cccc-3333", "displayName": "AA-22", "operatingSystem": "Windows", "trustType": "Azure AD joined"},
    "location": {"city": "Alameda", "state": "California", "countryOrRegion": "US", "geoCoordinates": {"latitude": 37.75, "longitude": -122.24}},
    "correlationId": "xxx",
    "conditionalAccessStatus": "notApplied",
    "appliedConditionalAccessPolicies": [],
    "authenticationContextClassReferences": [],
    "originalRequestId": "xxx",
    "isInteractive": true,
    "tokenIssuerName": "",
    "tokenIssuerType": "AzureAD",
    "authenticationProcessingDetails": [{"key": "Legacy TLS", "value": "False"}, {"key": "Is CAE Token", "value": "False"}],
    "networkLocationDetails": [],
    "clientCredentialType": "none",
    "processingTimeInMilliseconds": 67,
    "riskDetail": "none",
    "riskLevelAggregated": "none",
    "riskLevelDuringSignIn": "none",
    "riskState": "none",
    "riskEventTypes": [],
    "riskEventTypes_v2": [],
    "resourceDisplayName": "Windows Azure Entra ID",
    "resourceId": "xxx",
    "resourceTenantId": "xxx",
    "homeTenantId": "xxx",
    "tenantId": "xxx",
    "authenticationDetails": [],
    "authenticationRequirementPolicies": [],
    "sessionLifetimePolicies": [],
    "authenticationRequirement": "singleFactorAuthentication",
    "servicePrincipalId": "",
    "userType": "Member",
    "flaggedForReview": false,
    "isTenantRestricted": false,
    "autonomousSystemNumber": 6167,
    "crossTenantAccessType": "none",
    "privateLinkDetails": {},
    "ssoExtensionVersion": "",
    "uniqueTokenIdentifier": "-xxx",
    "authenticationStrengths": [],
    "incomingTokenType": "none",
    "authenticationProtocol": "none",
    "appServicePrincipalId": null,
    "resourceServicePrincipalId": "xxx",
    "rngcStatus": 0
  }
}
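The following Python is an added example, not part of this page or of the Hunters product, showing how a record in the format above can be flattened into the fields a detection or triage query would key on. It reads the outcome from resultType (a string on the wire) and status.errorCode (a number), the authentication requirement, conditional access status, risk levels, device trust type and the "Legacy TLS" processing detail, and derives a handful of review flags. The two sample records are constructed from the expected format (SAMPLE_FAILED is invented to exercise the failure path), all values in them are placeholders, and the flag names and heuristics in review_flags are this example's own assumptions rather than any Hunters detection logic.

```python
import json
from typing import Any

# Two records constructed for this example from the page's "Expected format":
# only the fields the parser reads are kept, and every value (IPs, names, ids)
# is a placeholder. SAMPLE_FAILED is invented to exercise the failure path.
SAMPLE_SUCCESS = '''{"time": "2023-08-02T01:00:24.0727263Z", "category": "SignInLogs",
 "tenantId": "aaaa-1111", "resultType": "0", "callerIpAddress": "1.1.1.1", "identity": "John Doe",
 "properties": {"userPrincipalName": "john.doe@domain.com", "userType": "Member",
   "appDisplayName": "Windows Sign In", "clientAppUsed": "Mobile Apps and Desktop clients",
   "ipAddress": "1.1.1.1", "status": {"errorCode": 0}, "isInteractive": true,
   "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
   "authenticationRequirement": "singleFactorAuthentication",
   "riskLevelDuringSignIn": "none", "riskLevelAggregated": "none", "riskState": "none",
   "deviceDetail": {"operatingSystem": "Windows", "trustType": "Azure AD joined"},
   "location": {"countryOrRegion": "US"},
   "authenticationProcessingDetails": [{"key": "Legacy TLS", "value": "False"},
                                       {"key": "Is CAE Token", "value": "False"}]}}'''

SAMPLE_FAILED = '''{"time": "2023-08-02T03:15:00.0000000Z", "category": "SignInLogs",
 "tenantId": "aaaa-1111", "resultType": "50126", "callerIpAddress": "203.0.113.7",
 "identity": "Jane Roe",
 "properties": {"userPrincipalName": "jane.roe@domain.com", "userType": "Member",
   "appDisplayName": "Office 365", "ipAddress": "203.0.113.7",
   "status": {"errorCode": 50126}, "isInteractive": true,
   "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
   "authenticationRequirement": "singleFactorAuthentication",
   "riskLevelDuringSignIn": "none", "riskLevelAggregated": "none", "riskState": "none",
   "location": {"countryOrRegion": "DE"}}}'''


def _as_int(value: Any, default: int = -1) -> int:
    """resultType is a JSON string ("0") while status.errorCode is a number (0); coerce both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def parse_signin(raw: str) -> dict[str, Any]:
    """Flatten one azure_signin record into the fields a detection would key on.

    Every lookup uses .get() with a default because the non-interactive, service
    principal and managed identity categories omit some of the user-centric fields.
    """
    rec = json.loads(raw)
    props = rec.get("properties") or {}
    status = props.get("status") or {}
    # authenticationProcessingDetails is a list of {"key", "value"} pairs; index it by key
    processing = {d.get("key"): d.get("value") for d in props.get("authenticationProcessingDetails") or []}
    result_code = _as_int(rec.get("resultType", status.get("errorCode")))
    return {
        "time": rec.get("time"),
        "category": rec.get("category"),
        "tenant_id": rec.get("tenantId"),
        "user": props.get("userPrincipalName") or rec.get("identity"),
        "user_type": props.get("userType"),
        "app": props.get("appDisplayName"),
        "client": props.get("clientAppUsed"),
        "ip": props.get("ipAddress") or rec.get("callerIpAddress"),
        "country": (props.get("location") or {}).get("countryOrRegion"),
        "result_code": result_code,
        "success": result_code == 0,
        "interactive": bool(props.get("isInteractive", False)),
        "auth_requirement": props.get("authenticationRequirement"),
        "ca_status": props.get("conditionalAccessStatus"),
        "ca_policies": [p.get("displayName") for p in props.get("appliedConditionalAccessPolicies") or []],
        "risk_during_signin": props.get("riskLevelDuringSignIn", "none"),
        "risk_aggregated": props.get("riskLevelAggregated", "none"),
        "risk_state": props.get("riskState", "none"),
        "device_trust": (props.get("deviceDetail") or {}).get("trustType"),
        "legacy_tls": processing.get("Legacy TLS") == "True",
    }


def review_flags(ev: dict[str, Any]) -> list[str]:
    """Hypothetical triage flags (this example's own names, not a Hunters detection)."""
    flags: list[str] = []
    if not ev["success"]:
        # Failed sign-ins carry the Entra error code; keep it for grouping by reason
        flags.append(f"failed_signin_{ev['result_code']}")
        return flags
    if ev["interactive"] and ev["auth_requirement"] == "singleFactorAuthentication":
        flags.append("interactive_single_factor")
    if ev["ca_status"] == "notApplied":
        flags.append("no_conditional_access_policy")
    if ev["risk_during_signin"] != "none" or ev["risk_aggregated"] != "none":
        flags.append("risky_signin")
    if ev["legacy_tls"]:
        flags.append("legacy_tls")
    return flags


if __name__ == "__main__":
    for raw in (SAMPLE_SUCCESS, SAMPLE_FAILED):
        ev = parse_signin(raw)
        print(ev["time"], ev["category"], ev["user"], ev["ip"], ev["result_code"], review_flags(ev))
```

Run as a script it prints one summary line per record; the point to take from the success sample is that a successful interactive sign-in completed with single-factor authentication and no conditional access policy applied, which is exactly the combination these fields let you surface once the logs are flowing through the Event Hub.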