074: Integrate all Entra logs into SIEM
Overview
Ingest all data signal from Azure AD to SIEM systems. There are several types of logs that should always be exported to a SIEM:
- AuditLogs
- SignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- ADFSSignInLogs
- RiskyUsers
- UserRiskEvents
- RiskyServicePrincipals
- ServicePrincipalRiskEvents
Consider exporting other log types as well, to aid investigations. Some of these log sources can generate a large volume of logs, so ensure that you have a strategy for log retention to control storage costs:
- NonInteractiveUserSignInLogs
- ProvisioningLogs
- NetworkAccessTrafficLogs
- EnrichedOffice365AuditLogs
- MicrosoftGraphActivityLogs
- RemoteNetworkHealthLogs