
Entra Identity Logs from Azure Active Directory

Open rgbrow1949 opened this issue 10 months ago • 3 comments

Identity logs are valuable and in LME 2.0, the rearchitecture will allow us to bring in new logs from Azure Active Directory.

We should look into ways to collect Entra logs and what infrastructure changes would we need to make to LME to do it.

Available tools:

  • Ethan Bowen's Export-AAD tool: https://github.com/25004/Export-AAD.git
  • Untitled Goose Tool: https://github.com/cisagov/untitledgoosetool

rgbrow1949 avatar Mar 28 '24 23:03 rgbrow1949

The Untitled Goose Tool contains PowerShell scripts we can use to get AAD logs from the tenant. Question: Does the current LME setup automatically configure AAD for auditing? Or will it need to be activated? AAD logs can be moved to the ELK Stack with Filebeat.

rgbrow1949 avatar Apr 04 '24 22:04 rgbrow1949

Adding @rgbrow1949 as a watcher.

safiuddinr avatar May 13 '24 17:05 safiuddinr

There are 4 steps:

  1. Entra logs (AAD) require PowerShell modules to run a PowerShell script to extract logs.
  2. After the modules are installed, the script will be run to export the logs. (Logs will be in a JSON file.)
  3. Logs will later be shipped via Filebeat to Elasticsearch on LS1.
  4. Logs will be visualized using dashboards in Kibana.

ddiabe avatar Jun 10 '24 17:06 ddiabe
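One way to wire up step 3, as an added example rather than LME's own configuration: a Filebeat `filestream` input that picks up the exported Entra JSON and ships it to Elasticsearch on LS1. The export directory, LS1 hostname, index name and credential environment variables are assumptions; the input also assumes the export is newline-delimited JSON (one object per line), which `ConvertTo-Json` does not produce by default, so the export script would need to write NDJSON for this parser to work.

```yaml
# Added example (not LME's own config): Filebeat input for Entra ID / AAD JSON exports.
# Assumptions: the PowerShell export writes NDJSON files into C:\LME\entra-export\
# (hypothetical path), and LS1 serves Elasticsearch over TLS on port 9200.
filebeat.inputs:
  - type: filestream
    id: entra-aad-logs            # filestream inputs need a unique id
    enabled: true
    paths:
      - 'C:\LME\entra-export\*.json'
    parsers:
      - ndjson:
          target: "entra"         # nest the Entra fields so they don't collide with ECS top-level fields
          add_error_key: true     # a line that fails to parse gets error.message instead of being dropped silently
    fields:
      log_source: entra_id
    fields_under_root: true
    tags: ["entra", "aad"]

output.elasticsearch:
  hosts: ["https://ls1.example.local:9200"]   # hypothetical LS1 hostname
  index: "entra-%{+yyyy.MM.dd}"
  username: "${ES_USER}"                      # supplied via environment, not hard-coded
  password: "${ES_PASS}"
  ssl:
    certificate_authorities: ["/path/to/lme-ca.crt"]   # placeholder: the LME CA certificate
    verification_mode: full

# A custom index name requires a matching template name/pattern, otherwise Filebeat refuses to start.
setup.template.name: "entra"
setup.template.pattern: "entra-*"
```

Because Filebeat tracks file offsets in its registry, re-running the export into the same files with the same names causes only appended lines to be shipped; writing each export to a new timestamped file avoids duplicates and missed events.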