Muokkaa

Jaa


Connect Microsoft Entra data to Microsoft Sentinel

You can use Microsoft Sentinel's built-in connector to collect data from Microsoft Entra ID and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:

  • Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.

    The Microsoft Entra connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:

  • Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.

  • Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service.

  • Microsoft Graph activity logs, which contain information about HTTP requests accessing your tenant’s resources through the Microsoft Graph API.

Important

Some of the available log types are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Prerequisites

  • A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.

  • Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.

  • Your user must have the Security Administrator role on the tenant you want to stream the logs from, or the equivalent permissions.

  • Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.

  • Install the solution for Microsoft Entra ID from the Content Hub in Microsoft Sentinel. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

Connect to Microsoft Entra ID

  1. In Microsoft Sentinel, select Data connectors from the navigation menu.

  2. From the data connectors gallery, select Microsoft Entra ID and then select Open connector page.

  3. Mark the check boxes next to the log types you want to stream into Microsoft Sentinel, and select Connect.

Find your data

After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:

  • SigninLogs
  • AuditLogs
  • AADNonInteractiveUserSignInLogs
  • AADServicePrincipalSignInLogs
  • AADManagedIdentitySignInLogs
  • AADProvisioningLogs
  • MSGraphActivityLogs

To query the Microsoft Entra logs, enter the relevant table name at the top of the query window.

Next steps

In this document, you learned how to connect Microsoft Entra ID to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: