Integrate all Entra logs into SIEM

Implementation Effort: Medium – Configuring comprehensive log integration requires setting up diagnostic settings, managing data pipelines to the SIEM, and ensuring appropriate storage and retention policies.

User Impact: Low – This is an administrative backend process with no direct impact on end-user experience.

Overview

Integrating Microsoft Entra ID logs into a Security Information and Event Management (SIEM) system is critical for centralized monitoring, threat detection, and incident response. At the minimum, export the following logs:

• AuditLogs
• SignInLogs
• ServicePrincipalSignInLogs
• ManagedIdentitySignInLogs
• ADFSSignInLogs
• RiskyUsers
• UserRiskEvents
• RiskyServicePrincipals
• ServicePrincipalRiskEvents

Consider exporting other log types as well, to aid investigations. Some of these log sources can generate a large volume of logs, so ensure that you have a strategy for log retention to control storage costs:

• NonInteractiveUserSignInLogs
• ProvisioningLogs
• NetworkAccessTrafficLogs
• EnrichedOffice365AuditLogs
• MicrosoftGraphActivityLogs
• RemoteNetworkHealthLogs

This integration aligns with Zero Trust principles by enabling continuous verification of user and device activities (verify explicitly), ensuring that access decisions are based on comprehensive and real-time data. It supports the principle of assuming breach by providing visibility into potential security incidents, allowing for rapid detection and response to threats. Without this integration, organizations risk delayed detection of malicious activities, limited forensic capabilities, and non-compliance with regulatory requirements.

Reference

• Microsoft Entra activity log integration options
• Send Microsoft Entra ID data to Microsoft Sentinel
• Logs available for streaming from Microsoft Entra ID
• Export risk data - Microsoft Entra ID Protection
• Access activity logs in Microsoft Entra ID