
Microsoft Entra ID (formerly Azure Active Directory)

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service; it authenticates users, service principals and managed identities and authorizes their access to both internal and external resources.

This pack includes:

  • Log Normalization - XDM mapping for key event types.

Supported Event Types:

  • AuditLogs
  • SignInLogs
  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs
  • ADFSSignInLogs
  • ProvisioningLogs
  • RiskyUsers
  • UserRiskEvents
  • RiskyServicePrincipals
  • ServicePrincipalRiskEvents

Supported Timestamp Formats:

  • YYYY-MM-DDTHH:MM:SS.S* (UTC)
  • YYYY-MM-DDTH:M:S.S* (UTC)

Here S* stands for a fractional-seconds part of any length; the second form accepts unpadded hour, minute and second fields.
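The block below is an added example and is not code from the Cortex XSIAM pack. It shows what the normalization step has to deal with when these events arrive from an event hub: the Azure Monitor `{"records": [...]}` envelope, both timestamp forms listed above, and the per-category property layout. The record property names follow the Azure Monitor diagnostic schema for Entra logs; the `xdm.*` target names are modeled on XDM naming and are an assumption, since the pack's actual field mapping is not shown on this page. The sample message is constructed, not tenant data.

```python
"""Normalize Entra ID events delivered through Azure Event Hub (added example)."""
import json
import re
from datetime import datetime, timezone

# Categories the pack normalizes (from the page).
SUPPORTED_CATEGORIES = {
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ADFSSignInLogs", "ProvisioningLogs", "RiskyUsers", "UserRiskEvents",
    "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
}
SIGNIN_CATEGORIES = {
    "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs", "ADFSSignInLogs",
}

# Both documented shapes: zero-padded HH:MM:SS and unpadded H:M:S, each with a
# fractional part of any length (Entra emits seven digits) and an optional Z.
_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\.(\d+))?Z?$"
)


def is_supported_timestamp(value: str) -> bool:
    return _TS_RE.match(value) is not None


def parse_timestamp(value: str) -> datetime:
    """Parse YYYY-MM-DDT[H]H:[M]M:[S]S.S* (UTC) into an aware datetime.
    Fractions longer than six digits are truncated, not rounded, so the
    normalized time never runs ahead of the source time."""
    m = _TS_RE.match(value)
    if m is None:
        raise ValueError(f"unsupported timestamp: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    micros, tzinfo=timezone.utc)


def _outcome(code) -> str:
    """Entra result codes: "0" or "success" is success; empty is unknown."""
    text = str(code if code is not None else "").strip().lower()
    if text in ("0", "success"):
        return "SUCCESS"
    return "FAILED" if text else "UNKNOWN"


def normalize_signin(record: dict) -> dict:
    """Sign-in family records; xdm.* names are assumed, see lead-in."""
    props = record.get("properties") or {}
    status = props.get("status") or {}
    code = record.get("resultType")
    if code is None:
        code = status.get("errorCode")
    return {
        "xdm.event.type": record.get("category"),
        "xdm.event.operation": record.get("operationName"),
        "xdm.event.outcome": _outcome(code),
        "xdm.event.outcome_reason": status.get("failureReason"),
        "xdm.event.timestamp": parse_timestamp(record["time"]),
        "xdm.source.user.username": props.get("userPrincipalName"),
        "xdm.source.user.identifier": props.get("userId"),
        "xdm.source.ipv4": props.get("ipAddress"),
        "xdm.target.resource.name": props.get("appDisplayName"),
        "xdm.target.resource.id": props.get("appId"),
        "xdm.source.host.os": (props.get("deviceDetail") or {}).get("operatingSystem"),
    }


def normalize_generic(record: dict) -> dict:
    """Audit, provisioning and risk records: common fields only."""
    props = record.get("properties") or {}
    actor = (props.get("initiatedBy") or {}).get("user") or {}
    return {
        "xdm.event.type": record.get("category"),
        "xdm.event.operation": record.get("operationName"),
        "xdm.event.outcome": _outcome(record.get("resultType") or props.get("result")),
        "xdm.event.timestamp": parse_timestamp(record["time"]),
        "xdm.source.user.username": actor.get("userPrincipalName"),
    }


def normalize_batch(event_hub_message: str) -> list:
    """Unwrap the Azure Monitor envelope and normalize each record; records
    of categories the pack does not cover are passed through under 'raw'."""
    out = []
    for rec in json.loads(event_hub_message).get("records", []):
        cat = rec.get("category")
        if cat in SIGNIN_CATEGORIES:
            out.append(normalize_signin(rec))
        elif cat in SUPPORTED_CATEGORIES:
            out.append(normalize_generic(rec))
        else:
            out.append({"raw": rec})
    return out


# Constructed sample batch: a failed interactive sign-in, an audit event using
# the unpadded timestamp form, and a category the pack does not normalize.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-07-24T10:15:30.1234567Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "50126",
     "properties": {"userPrincipalName": "alice@contoso.example",
                    "userId": "11111111-2222-3333-4444-555555555555",
                    "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal",
                    "appId": "00000000-0000-0000-0000-00000000aaaa",
                    "status": {"errorCode": 50126,
                               "failureReason": "Invalid username or password"},
                    "deviceDetail": {"operatingSystem": "Windows10"}}},
    {"time": "2024-07-24T9:5:3.5Z", "category": "AuditLogs",
     "operationName": "Add member to group", "resultType": "Success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}}},
    {"time": "2024-07-24T10:16:00Z", "category": "B2CRequestLogs",
     "operationName": "unrelated"},
]})

if __name__ == "__main__":
    for event in normalize_batch(SAMPLE_MESSAGE):
        print(event)
```

Running the file prints the three normalized events. The point worth keeping from this for detection work: the outcome of a sign-in comes from `resultType` (or `status.errorCode` when that is absent), never from the presence of the record, and the unpadded timestamp form must be accepted or events will be dropped at parse time.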

Data Collection

To configure Microsoft Entra ID to send logs to Cortex XSIAM, follow the steps below.

Prerequisites

  • Create an Azure event hub. For more information, refer to Microsoft's official documentation.
  • Make sure the account you use holds at least the Security Administrator role in the tenant.

Stream logs to an event hub

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity > Monitoring & health > Diagnostic settings.
  3. Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.
  4. Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.
  5. Select the log categories that you want to stream. Refer to the Log Normalization section for the supported log categories for normalization.
  6. Select the Stream to an event hub checkbox.
  7. Select the Azure subscription, the Event Hubs namespace and, optionally, the event hub where you want to route the logs. If you leave the event hub blank, Azure Monitor creates one per selected category (named insights-logs-<category>); note the resulting hub names, because the Cortex XSIAM collector has to be pointed at them.

For more information, refer to Microsoft's official documentation.
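The same diagnostic setting can be created from a script, which is what you want when the setting must be reproducible across tenants or restored after someone edits it in the portal. The block below is an added example, not code from this page, the pack or Microsoft. It targets the tenant-level Azure Resource Manager resource `/providers/microsoft.aadiam/diagnosticSettings/{name}` with api-version `2017-04-01-preview` and the request body shape the author understands that API to accept; both are assumptions to verify against current Microsoft documentation. The subscription ID, resource group, namespace and hub names are placeholders, and the script only contacts Azure when an `ARM_TOKEN` environment variable (a hypothetical name chosen here) is set.

```python
"""Create the Entra ID diagnostic setting from a script (added example)."""
import json
import os
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2017-04-01-preview"  # assumed microsoft.aadiam API version

# Categories the Cortex XSIAM pack normalizes (from the page). Streaming
# others costs event hub throughput without producing XDM fields.
PACK_CATEGORIES = (
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ADFSSignInLogs", "ProvisioningLogs", "RiskyUsers", "UserRiskEvents",
    "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
)


def unsupported_categories(categories) -> list:
    """Requested categories that the pack does not normalize."""
    return sorted(set(categories) - set(PACK_CATEGORIES))


def event_hub_auth_rule_id(subscription_id, resource_group, namespace,
                           rule="RootManageSharedAccessKey") -> str:
    """ARM ID of the Event Hubs namespace authorization rule (shared access
    policy) the diagnostic setting writes with; rule name is a placeholder."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.EventHub/namespaces/{namespace}"
            f"/authorizationRules/{rule}")


def build_request(setting_name, auth_rule_id, event_hub_name, categories) -> dict:
    """Assemble the PUT equivalent of the portal steps above. Refuses
    categories the pack cannot normalize so they are not streamed by accident."""
    bad = unsupported_categories(categories)
    if bad:
        raise ValueError(f"categories not normalized by the pack: {bad}")
    url = (f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/"
           f"{setting_name}?api-version={API_VERSION}")
    body = {
        "name": setting_name,
        "properties": {
            "eventHubAuthorizationRuleId": auth_rule_id,
            "eventHubName": event_hub_name,
            "logs": [{"category": c, "enabled": True,
                      "retentionPolicy": {"enabled": False, "days": 0}}
                     for c in categories],
        },
    }
    return {"method": "PUT", "url": url, "body": body}


def submit(request: dict, bearer_token: str) -> dict:
    """Send the request with an ARM access token, e.g. the output of
    `az account get-access-token --query accessToken -o tsv`."""
    req = urllib.request.Request(
        request["url"], data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own.
    rule = event_hub_auth_rule_id("00000000-0000-0000-0000-000000000000",
                                  "rg-siem", "evhns-entra-logs")
    request = build_request("cortex-xsiam", rule, "entra-logs",
                            ["AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs"])
    print(request["method"], request["url"])
    print(json.dumps(request["body"], indent=2))
    token = os.environ.get("ARM_TOKEN")  # hypothetical variable name
    if token:  # only talk to Azure when a token is supplied
        print(json.dumps(submit(request, token), indent=2))
```

Without a token the script only prints the request, which is a convenient way to review exactly which categories and which authorization rule a change would apply before it is pushed. The token holder still needs the Security Administrator role named in the prerequisites.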

Cortex XSIAM side

To connect Cortex XSIAM to the Azure event hub, follow the steps below.

Azure Event Hub Collector

  1. Navigate to Settings > Data Sources.
  2. If you have already configured an Azure Event Hub Collector, select the 3 dots, and then select + Add New Instance. If not, select + Add Data Source, search for "Azure Event Hub" and then select Connect.
  3. Fill in the attributes based on the Azure Event Hub you streamed your data to.
  4. Leave the Use audit logs in analytics checkbox selected unless you have been instructed otherwise.

More information is available in the Cortex XSIAM documentation for the Azure Event Hub collector.

PUBLISHER

PLATFORMS: Cortex XSIAM

INFO
Supported By: Cortex
Created: July 24, 2024
Last Release: July 24, 2024

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.