Creating email alert when specific event is triggered in Azure AD?

EnterpriseArchitect 2,741 Reputation points
2021-03-05T05:32:45.017+00:00

Hi Everyone,

As per: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

How can I get an email alert when these risky events are updated or happening across my Subscription?

  • Modified application and service principal credentials/authentication methods
  • Modified federation settings
  • New permissions granted to service principals
  • Directory role and group membership updates for service principals

Thanks in advance.


1 answer

Ulv 81 Reputation points
2021-03-05T06:15:11.25+00:00

    Hey EnterpriseArchitect,

    You can create a KQL Query Alert through your Azure Log Analytics workspace where you filter for the event, and have it trigger an e-mail when the risky event occurs.

    You can also leverage the SendGrid free tier to send e-mail.

    List of KQL you can configure for Solorigate
    https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
    SendGrid for Azure
    https://sendgrid.com/docs/for-developers/partners/microsoft-azure/
    Trigger alerts for Log Analytics log entries
    https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-response

    Update:
    List of KQL to monitor for in relation to Solorigate (https://github.com/FalconForceTeam/FalconFriday/blob/master/Uncategorized/FireEye_red_team_tool_countermeasures.md)

    Hope this helps,

    All the best,
    Ulv

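The query behind the Log Analytics alert rule the answer describes, as an added example that is not part of the original question or answer. It assumes Azure AD audit logs are exported to the workspace via Diagnostic settings (the `AuditLogs` table), and it covers the four event groups listed in the question. The `OperationName` strings are the ones Azure AD writes to the audit log for these activities; treat them as an assumption and confirm them against your own tenant's audit log before relying on the alert.

```kql
// Added example, not from the original thread. Assumes the AuditLogs table is
// populated from Azure AD Diagnostic settings. OperationName values below are
// assumed from Azure AD audit log activity names; verify them in your tenant.
let lookback = 1h;
let credentialChanges = dynamic([
    "Add service principal credentials",
    "Remove service principal credentials",
    // Azure AD writes an en dash in this activity name
    "Update application – Certificates and secrets management"
]);
let federationChanges = dynamic([
    "Set federation settings on domain",
    "Set domain authentication"
]);
let permissionGrants = dynamic([
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Consent to application"
]);
let membershipChanges = dynamic([
    "Add member to role",
    "Add eligible member to role",
    "Add member to group"
]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where Result == "success"
// Label each audit record with the risk category from the question, or drop it
| extend RiskCategory = case(
    OperationName in~ (credentialChanges), "Credential change",
    OperationName in~ (federationChanges), "Federation change",
    OperationName in~ (permissionGrants),  "Permission grant",
    OperationName in~ (membershipChanges), "Membership change",
    "")
| where isnotempty(RiskCategory)
// Role and group membership changes are only interesting here when the
// object being added is a service principal, not a user
| extend TargetType = tostring(TargetResources[0].type)
| where RiskCategory != "Membership change" or TargetType =~ "ServicePrincipal"
// Who did it (user or app identity) and what was changed
| extend Target = tostring(TargetResources[0].displayName),
         Actor = coalesce(
             tostring(InitiatedBy.user.userPrincipalName),
             tostring(InitiatedBy.app.displayName))
| project TimeGenerated, RiskCategory, OperationName, Actor, Target, CorrelationId
| order by TimeGenerated desc
```

Paste this as the query of a log alert rule (the "Trigger alerts for Log Analytics log entries" tutorial linked in the answer walks through the rule itself) with a threshold of "number of results greater than 0", an evaluation frequency matching `lookback`, and an action group that has an email receiver. Keep `lookback` equal to or slightly longer than the evaluation frequency so no event falls between two evaluations; a small overlap is preferable to a gap, since a duplicate alert is cheap and a missed credential change is not.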