
Azure AD

Overview


Monitoring Azure Active Directory (Azure AD) events can help you track changes and activities in your Azure AD environment.

This can be useful for a variety of reasons, such as:

Ensuring the security of your Azure AD environment: By monitoring Azure AD events, you can identify potential security threats, such as unusual login activity or unauthorized changes to user accounts.

Troubleshooting issues: Monitoring Azure AD events can help you diagnose and resolve problems in your Azure AD environment. For example, if you notice a spike in failed login attempts, you can use this information to investigate the cause and take appropriate action.

Auditing and compliance: Many compliance regulations require organisations to track and audit certain activities in their IT systems. Monitoring Azure AD events can help you meet these requirements by providing a record of changes and activities in your Azure AD environment.

Overall, monitoring Azure AD events can provide valuable insights and help you maintain a secure and efficient Azure AD environment.


Left-hand navigation Panel > Compliance > Azure AD

ce-xdr-navigation-azure-ad-app

Video Resources


Installation


The Azure AD app is installed by default and can be accessed from the left-hand navigation panel.

Configuring Crystal Eye XDR's Azure AD App


The Azure AD application monitors user activity in OneDrive, SharePoint and Exchange Online (Microsoft 365 mail), and also extracts threat intelligence about phishing attacks against your organisation.

The configuration of the Crystal Eye XDR Azure AD app consists of four values that are copied from the Azure portal. To obtain them, you first register an application in the Azure portal.

Note

After registering an application in the Azure portal, we will extract the Client ID, Application ID, Client Secret and Domain and enter them in the fields highlighted in the screenshot below. ce-xdr-azure-ad-configuration1

Perform the following steps to connect Azure AD with the Crystal Eye XDR so that you can view OneDrive, SharePoint, Mail Exchange and user activity, together with a dedicated Threat Intelligence dashboard of threats derived from phishing attempts.

Step 1: Log in to your Microsoft 365 Admin Center (https://admin.microsoft.com) and select Identity under the Admin centers section:

20231213_-_ce-xdr-azure-ad-231213-step1

Step 2: You will be directed to Microsoft Entra admin center. Click on “App registrations” under Applications in the Navigation pane.

20231213_-_ce-xdr-azure-ad-231213-step2

Step 3: In the App registrations, click on “New Registration” and in the following form that will appear, give your application any name and then under “Supported account types” -> “Who can use this application or access this API?”, select “Accounts in this organizational directory only (your_tenant_name only – Single tenant)”.
Finally, register the application by clicking the “Register” button at the bottom.

20231213_-_ce-xdr-app-registration-231213-step3a 20231213_-_ce-xdr-app-registration-231213-step3b

Step 4: After registering the application, you will need to grant it the necessary permissions so that your Crystal Eye can use it to retrieve event logs from your Azure tenant. Click on “API Permissions” under “Manage” section.

20231213_-_ce-xdr-grant-permissions-231213-step4

Step 5: Inside API Permissions of your newly registered application, you will see that the application already has at least one permission configured by default (the Microsoft Graph delegated permission "User.Read"). Click on "Add permission" to grant the additional permissions it requires: 20231213_-_ce-xdr-add-permissions-231213-step5

Step 6: The “Request API permissions” pane will appear on the right, click on the “Office 365 Management APIs” tile. Note that this tile can also be searched under the “APIs my organization uses” tab. 20231213_-_ce-xdr-m365-management-api-231213-step6

Step 7: In the following window, you will be asked which type of permission to grant the application. Select "Application permissions". Delegated permissions act on behalf of a signed-in user, whereas application permissions let the Crystal Eye poll the API as a background service with no user present. Note that application permissions are tenant-wide and can only be granted by an administrator (Step 11), so the client secret created later is effectively an admin-consented credential for reading the whole tenant's audit log and must be protected accordingly. 20231213_-_ce-xdr-request-api-perms-231213-step7

This will enable your Crystal Eye to use the application without any user intervention (e.g., a user doesn’t have to type in his or her credentials or satisfy the MFA challenge when running the application).

Step 8: When "Application permissions" is selected, a list of specific permissions will appear. Under the "ActivityFeed" permission, check both "ActivityFeed.Read" and "ActivityFeed.ReadDlp". Together these give your newly registered application access to your tenant's audit logs (including Exchange mail activity) and to DLP (Data Loss Prevention) events. Finally, click the "Add permissions" button at the bottom.

20231213_-_ce-xdr-request-api-perms-231213-step8

Step 9: If you want to configure Microsoft Defender for Endpoint integration as well in your Crystal Eye (under “Compliance Controls -> M365 -> Win Defender”), you can use the same application you registered above or register a new one (by following the same steps above (1-4)). Afterwards, grant the application additional API permission, this time locate “WindowsDefenderATP” from the “APIs my organization uses” tab. Type “Windows” in the search text box and the list of matching APIs will appear. Click on “WindowsDefenderATP”.

20231213_-_ce-xdr-grant-api-perms-231213-step9

Step 10: Next, just like for the API permission for Azure integration, select “Application permissions” type and then expand “Alert” permission and select/check “Alert.Read.All” permission. Click “Add permission” button at the bottom when you’re done. 20231213_-_ce-xdr-add-perms-step10a 20231213_-_ce-xdr-add-perms-step10b

Step 11: Once all permissions have been selected, it is now time to apply the changes. To do this, after you click on “Add permissions” button in the previous step, you will be taken back to the application’s “API permissions” page. Click on “Grant admin consent for your_tenant_name”, and a pop-up window will appear asking you to confirm. You will see that the status indicated for the API permissions will change to “Granted for your_tenant_name” once you confirm. 20231213_-_ce-xdr-grant-admin-consent-step11a

Step 12: In order for your Crystal Eye to use the newly registered application(s), you will need to generate a client secret (essentially the application's password). You will enter this secret along with additional information into your Crystal Eye's configuration settings. Still under the application you registered, click on "Certificates & secrets" under the Manage pane and then click on "New client secret". A form will appear on the right where you fill in a Description and an Expiration time. Set these to your preference, but note the expiry date: the integration stops working when the secret expires, and a new secret must then be generated and entered into the Crystal Eye. A shorter expiry limits the damage if the secret leaks. Click the "Add" button at the bottom and a confirmation pop-up will appear. 20231213_-_ce-xdr-certificates-and-secrets-step12 20231213_-_ce-xdr-certificates-and-secrets-step12a

Step 13: Copy the secret value now: the portal displays it only once, immediately after creation, and it cannot be retrieved later (if it is lost, create a new secret). Click the "Copy to clipboard" icon next to the newly created secret and paste it into the Client Secret fields for Azure AD and M365 Win Defender in your Crystal Eye configuration settings, along with the additional information described in the next step. Treat the value as you would an administrator password. 20231213_-_ce-xdr-certificates-and-secrets-step13

Step 14: Next, go to the application's "Overview" page, which shows the remaining values you need to enter into your Crystal Eye configuration settings along with the application secret. Copy "Directory (tenant) ID" and paste it into "Client ID" in the Crystal Eye Azure AD Configuration, as shown below. Copy "Application (client) ID" and paste it into "Application ID" in the Crystal Eye Azure AD Configuration and into "Client ID" in the M365 -> Win Defender Configuration. Complete the remaining fields as required and Save/Add the configuration. 20231213_-_ce-xdr-certificates-and-secrets-step14
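Before relying on the dashboards, it is worth confirming that the registration actually works: that the secret is accepted, and that the admin consent from Step 11 really applied. The following Python script is an added example and is not part of Crystal Eye or its documentation. It uses Microsoft's real client-credentials token endpoint and the Office 365 Management Activity API, but the tenant ID, client ID and secret are placeholders you replace with the values copied in Steps 12 to 14. The roles check decodes the token payload only to read the "roles" claim; it deliberately does not validate the signature, which is the API's job.

```python
"""Check an Azure app registration before entering it into Crystal Eye XDR.

Added example, not Crystal Eye code. Endpoints are Microsoft's real ones; the
tenant ID, client ID and secret are placeholders (assumptions) to be replaced
with the values copied in steps 12 to 14.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MGMT_API = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
# Application permissions granted in step 8; admin consent (step 11) makes them
# appear in the "roles" claim of every token issued to the app.
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for inspecting a token we just received from the issuer over TLS; the
    resource (manage.office.com) is the party that must validate the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Required application permissions that admin consent has NOT granted."""
    return set(required) - set(claims.get("roles", []))


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant: no signed-in user, so no MFA prompt (step 7)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_subscriptions(tenant: str, token: str) -> list:
    """Call the Management Activity API; an HTTP 200 proves secret and consent work."""
    req = urllib.request.Request(
        MGMT_API.format(tenant=tenant) + "/subscriptions/list",
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: Directory (tenant) ID, Application (client) ID and the secret
    # value from step 13. Do not hard-code the real secret in a script you commit.
    TENANT = "00000000-0000-0000-0000-000000000000"
    CLIENT_ID = "11111111-1111-1111-1111-111111111111"
    SECRET = "<client secret value>"
    token = get_token(TENANT, CLIENT_ID, SECRET)
    lacking = missing_roles(decode_jwt_claims(token))
    if lacking:
        raise SystemExit("admin consent not applied for: " + ", ".join(sorted(lacking)))
    for sub in list_subscriptions(TENANT, token):
        print(sub["contentType"], sub["status"])
```

Run it once with the real values. A token that is issued but lacks one of the two roles means Step 11 was skipped or consent was granted before the permission was added; a 401 or 403 from the subscriptions call means the secret or the tenant ID is wrong. An empty subscription list is normal on a tenant where no consumer has yet called /subscriptions/start for a content type.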

Azure AD Summary Dashboard


The Azure AD summary page shows the following statistics, each with time filter options:

Total Sign In: This stat shows the total number of successful user logins and total number of user login failures. ce-xdr-azure-ad-total-sign-in

Sign In Enabled: Shows the total number of successful logins

ce-xdr-azure-ad-sign-in-enabled

Sign In Disabled: Shows the total number of failed logins

ce-xdr-azure-ad-sign-in-disabled

Total Mail: Shows the total mail count recorded by the Exchange service for the operations Create, Send, Update and SendAs.

ce-xdr-azure-ad-total-mail

Create: Total number of times an email is created during the filtered time.

ce-xdr-azure-ad-create

Send: Shows the total number of emails sent during the filtered time.

ce-xdr-azure-ad-send

Update: Shows the total number of times an email thread was updated.

ce-xdr-azure-ad-update

Compliance Threats: Shows the total number of threats detected by the 'SecurityComplianceCenter' service with severity "High" or "Informational".

ce-xdr-azure-ad-compliance-threats

High Severity Threats: Total Threats count for severity 'High'.

ce-xdr-azure-ad-high-severity-threats

Informational Severity Threats: Total Threats count for severity 'Informational'.

ce-xdr-azure-ad-informational-severity-threats

Threat Detected: Total number of threats detected by the 'ThreatIntelligence' service.

ce-xdr-azure-ad-threat-detected

High Risk: Total threats count for PhishConfidenceLevel 'High'.

ce-xdr-azure-ad-high-risk

Normal Risk: Total threats count for PhishConfidenceLevel 'Normal'.

ce-xdr-azure-ad-normal-risk

Top Active Users: The users with the highest count of recorded user activity.

ce-xdr-azure-ad-top-active-users

Top Recursively Used Files: Shows the top 10 files with the highest activity count in OneDrive and SharePoint.

ce-xdr-azure-ad-top-recursively-used-files

Top Targeted Users: Shows the top 10 recipients of mail with PhishConfidenceLevel 'High' as detected by the Threat Intelligence service.

ce-xdr-azure-ad-top-targeted-users

Top Active MS-Teams Users: Shows the top 10 users by activity count in Microsoft Teams.

ce-xdr-azure-ad-top-active-ms-teams-users

Top Threat Actor: Shows the top 10 sender addresses of phishing mail with PhishConfidenceLevel 'High' as detected by the Threat Intelligence service.

ce-xdr-azure-ad-top-threat-actor

OneDrive Dashboard


This Dashboard provides comprehensive insights into users' interaction with files on OneDrive. The data displayed here helps in monitoring and understanding the level of collaboration going on by looking at the number of files shared.

Filtering OneDrive Dashboard Reports Using the Time Filter Option

Use the time filter option to view OneDrive related user activity/collaboration for a particular time period. ce-xdr-azure-ad-one-drive-dashboard-time-filter

Filtering OneDrive Dashboard Reports Using the Operations Type Filter

Use the operations dropdown to select the OneDrive collaboration activities that you want to view in the dashboard. ce-xdr-azure-ad-one-drive-dashboard-operation-filter

Detailed View of a Particular OneDrive Operation of a User

Click the User to view the Details pop-up which displays the granular version of the User Details & the Events Details. ce-xdr-azure-ad-one-drive-dashboard-detailed-view

The following are the OneDrive collaboration activities that can be viewed in the dashboard after selecting them in the operations dropdown:

File Accessed: This event is captured when a user accesses a file.

File Modified: This event is captured when a user saves a file or when a file is auto-saved.

File Deleted: This event is captured when a user deletes a file.

File Downloaded: This event is captured when the user downloads a copy of a file to his or her hard drive.

File Renamed: This event is captured when a user renames a file.

File Previewed: This event is captured when a user previews the file

File Restored: This event is captured when a user restores his or her file from the site recycle bin.

File Moved: This event is captured when a user moves a file located in document library into another folder located in document library.

File Recycled: This event is captured when a user deletes a file and the deleted file is moved to the recycle bin.

File Copied: This event is captured when a user creates a copy of a file located in a document library.

File Malware Detected: This event is captured when malware is detected in a file.

Folder Renamed: User renames a folder on a site.

Folder Created: User creates a folder on a site.

Folder Moved: User moves a folder to a different location on a site.

Folder Recycled: This event is captured when a user deletes a folder and the deleted folder is moved to the recycle bin.

Folder Modified: User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.

Sharing Revoked: This event is captured when a user removes a sharing permission on a file or folder for a designated user; in other words, the designated user no longer has access to the resource.

Sharing Policy Changed: This event is captured when the sharing policy of the file is changed.

Sharing Set: This event is captured when a user creates or updates a permission sharing to a file or folder.

List item Created: This event is created when a list item is created.

List Item Deleted: This event is created when a list item is deleted.

List Updated: This event is created when a list is updated.

Company Link Created: A link that works for people in the company was created.

Secure Link Created: A link that only works for specific people was created. It's usually followed by a series of AddedToSecureLink operations, which signify the users who were secured to the link.

Secure Link Updated: A secure link's settings were changed.

Added to SecureLink: A user was added to the list of entities who can use a secure sharing link.

Access Request Approved: This event is captured when a user approves an internal user to access a file or folder.

SharePoint Dashboard


The SharePoint Dashboard provides a comprehensive view of users' interaction with files on SharePoint. The data displayed here helps in monitoring and understanding the level of collaboration going on by looking at the number of files shared.

Filtering SharePoint Dashboard Reports Using the Time Filter Option

Use the time filter option to view SharePoint related user activity/collaboration for a particular time period. ce-xdr-azure-ad-share-point-dashboard-time-filter

Filtering SharePoint Dashboard Reports Using the Operations Type Filter

Use the operations dropdown to select the SharePoint collaboration activities that you want to view in the dashboard. ce-xdr-azure-ad-share-point-dashboard-operation-filter

Detailed View of a Particular SharePoint Operation of a User

Click the User to view the Details pop-up which displays the granular version of the User Details & the Events Details. ce-xdr-azure-ad-sharepoint-dashboard-detailed-view

The following are the SharePoint collaboration activities that can be viewed in the dashboard after selecting them in the operations dropdown:

File Accessed: This event is captured when a user accesses a file.

File Modified: This event is captured when a user saves a file or when a file is auto-saved.

File Deleted: This event is captured when a user deletes a file.

File Downloaded: This event is captured when the user downloads a copy of a file to his or her hard drive.

File Renamed: This event is captured when a user renames a file.

File Previewed: This event is captured when a file is previewed.

File Restored: This event is captured when a user restores his or her file from the site recycling bin.

File Moved: This event is captured when a user moves a file located in document library into another folder located in document library.

File Recycled: This event is captured when a user deletes a file and the deleted file is moved to the recycle bin.

File Copied: This event is captured when a user creates a copy of a file located in a document library.

File Malware Detected: This event is captured when malware is detected in a file in SharePoint.

Folder Renamed: User renames a folder on a site.

Folder Created: User creates a folder on a site.

Folder Moved: User moves a folder to a different location on a site.

Folder Recycled: This event is captured when a user deletes a folder and after the deleted item is moved to the recycle bin.

Folder Modified: User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.

Sharing Revoked: This event is captured when a user removes a sharing permission on a file or folder for a designated user; in other words, the designated user no longer has access to the resource.

Sharing Policy Changed: This event is captured when the sharing policy of the file is changed.

Sharing Set: This event is captured when a user creates or updates a permission sharing to a file or folder.

List item Created: This event is captured when a list item is created.

List Item Deleted: This event is captured when a list item is deleted.

List Updated: This event is captured when a list is updated

Company Link Created: A link that works for people in the company was created.

Secure Link Created: A link that only works for specific people was created. It's usually followed by a series of AddedToSecureLink operations, which signify the users who were secured to the link.

Secure Link Updated: A secure link's settings were changed.

Added to SecureLink: A link that only works for specific people was secured to a user.

Access Request Approved: This event is captured when a user approves an internal user to access a file or folder.

User Audit Dashboard


The User Audit Dashboard lists a variety of user administration activities logged when an admin adds or changes a user account.

Filtering User Audit Dashboard Reports Using the Time Filter Option

Use the time filter option to view user administration activities for a particular time period. ce-xdr-azure-ad-user-audit-dashboard-time-filter

Filtering User Audit Dashboard Reports Using the Operations Type Filter

Use the operations dropdown to select the user administration activities that you want to view in the dashboard. ce-xdr-azure-ad-user-audit-dashboard-operation-filter

Detailed View of a Particular Operation of a User

Click the User to view the Details pop-up which displays the granular version of the User Details & the Events Details. ce-xdr-azure-ad-user-audit-dashboard-detailed-view

The following are the user administration activities that can be viewed in the dashboard after selecting them in the operations dropdown:

UserLoggedIn: Lists when a user logged in successfully.

UserLoginFailed: Lists when a user login failed.

Add user: A user account was created.

Delete user: A user account was deleted.

Update user: Administrator changes one or more properties of a user account.

Restore user: This event is created when the user is restored.

Change user password: A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organisation to allow users to reset their password. You can also track self-service password reset activity in Azure Active Directory.

Reset user password: Administrator resets the password for a user.

Change user license: The license assigned to a user was changed. To see which licenses were changed, see the corresponding Update user activity.

Set user manager: A manager was set for a user.

Add group: This event is created when an admin or a user creates a Microsoft 365 group.

Update group: A property of a group was changed.

Delete group: This event is created when an admin deletes a group.

Add member to group: This event is created when a member was added to the group.

Add owner to group: This event is created when an admin adds the names of one or more people designated to manage the group.

Remove member from group: This event is created when a member was removed from a group.

Update policy: This event is created when a communication compliance administrator has performed a policy update.

Add Policy: This event is created when a communication compliance administrator has added a policy.

Update device: This event is created when a SharePoint or global administrator changed the unmanaged devices policy for your organisation. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organisation. Configuring this policy requires an Enterprise Mobility + Security subscription.

Disable account: This event is created when an account is disabled.

Disable Strong Authentication: Disable strong authentication for a single user.

Update device configuration: This event is created when the configuration of a registered device is updated.

Delete application password for user: This event is created when an application password is deleted for a user.

Add registered owner to device: This event is created when a user is added as the registered owner of a device.

Add member to role: This event is created when a user or service principal is added to a directory role. Review these events closely when the role is a privileged one such as Global Administrator.

Mail Exchange Dashboard


The Mail Exchange Dashboard provides a granular insight about the mailbox activities performed by the mailbox owner, a delegated user, or an administrator.

Filtering Mail Exchange Dashboard Reports Using the Time Filter Option

Use the time filter option to view Mail Exchange related user activity for a particular time period. ce-xdr-azure-ad-mail-exchange-dashboard-time-filter

Filtering Mail Exchange Dashboard Reports Using the Operations Type Filter

Use the operations dropdown to select the O365 Mail Exchange related activities that you want to view in the dashboard. ce-xdr-azure-ad-mail-exchange-dashboard-operations-filter

Detailed View of a Particular Mail Exchange related Operation of a User

Click the User to view the Details pop-up which displays the granular version of the User Details & the Events Details. ce-xdr-azure-ad-mail-exchange-dashboard-detailed-view

The following are the mailbox activities that can be viewed in the dashboard after selecting them in the operations dropdown:

Create: An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.

Send: A message was sent, replied to or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license.

SendAs: A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner.

Update: A message or its properties was changed.

Mail Items Accessed: Messages were read or accessed in the mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages, or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analysing audit records for this activity is useful when investigating a compromised email account.

The MailItemsAccessed event is a mailbox auditing action and is triggered when mail data is accessed by mail protocols and mail clients. This event can help investigators identify data breaches and determine the scope of messages that may have been compromised.

If an attacker gained access to email messages, the MailItemsAccessed action will be triggered even if there's no explicit signal that messages were actually read (in other words, the type of access such as a bind or sync is recorded in the audit record).

Send on Behalf: A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message.

Mailbox Login: The user signed in to their mailbox.

Hard Delete: A message was purged from the Recoverable Items folder (permanently deleted from the mailbox).

Soft Delete: A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses Shift+Delete.

Add Recipient Permission: A user was granted a permission on a mailbox. The only permission that can be granted with this operation is SendAs, so each of these events is a new identity that can send mail as the mailbox owner and is worth reviewing.

Set User: A user's attributes have been modified.

Threat Intelligence Dashboard


The Threat Intelligence Dashboard displays information regarding phishing attempts detected by the system. It provides in-depth insight into mails identified as phishing attempts, including the Timestamp, Sender Info, Targeted Internal User, Delivery Action, Phishing Risk Level and Subject of the email.

The screenshot below clearly depicts the email related threat intelligence:

ce-xdr-azure-ad-threat-intelligence-dashboard
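The dashboards above are views over Office 365 Management Activity API records. The following Python script is an added example, not Crystal Eye code, showing the triage a practitioner would run over the same record kinds: the spike in failed sign-ins from the User Audit section, followed by a successful sign-in; the MailItemsAccessed and Add Recipient Permission events that the Mail Exchange section singles out as compromise indicators; and the 'Top Targeted Users' and 'Top Threat Actor' aggregation over PhishConfidenceLevel from the summary and Threat Intelligence dashboards. The records are constructed to follow the Management Activity API common schema (CreationTime, Workload, Operation, UserId, ResultStatus, ClientIP) plus the workload-specific fields named on this page; the user names, IP addresses, timestamps and thresholds are assumptions.

```python
"""Triage of Office 365 Management Activity records. Added example; the records
below are constructed in the API's common-schema shape and are not tenant data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rec(time, workload, operation, user, **extra):
    """Constructed record in the Management Activity API common-schema shape."""
    return {"CreationTime": time, "Workload": workload, "Operation": operation,
            "UserId": user, **extra}


# Sample feed: five failed sign-ins for alice in four minutes, then a success from
# the same IP, a mailbox read, a SendAs grant, and one high-confidence phish to her.
RECORDS = [rec(f"2024-01-15T08:0{i}:00", "AzureActiveDirectory", "UserLoginFailed",
               "alice@contoso.com", ResultStatus="Failed", ClientIP="203.0.113.10")
           for i in range(5)] + [
    rec("2024-01-15T08:02:30", "AzureActiveDirectory", "UserLoginFailed",
        "bob@contoso.com", ResultStatus="Failed", ClientIP="198.51.100.7"),
    rec("2024-01-15T08:06:00", "AzureActiveDirectory", "UserLoggedIn",
        "alice@contoso.com", ResultStatus="Succeeded", ClientIP="203.0.113.10"),
    rec("2024-01-15T08:07:10", "Exchange", "MailItemsAccessed", "alice@contoso.com",
        ClientIP="203.0.113.10"),
    rec("2024-01-15T08:09:45", "Exchange", "Add-RecipientPermission", "alice@contoso.com",
        ObjectId="alice@contoso.com",
        Parameters=[{"Name": "Trustee", "Value": "mallory@contoso.com"},
                    {"Name": "AccessRights", "Value": "SendAs"}]),
    rec("2024-01-15T07:40:00", "ThreatIntelligence", "TIMailData", "",
        PhishConfidenceLevel="High", P1Sender="billing@example.net",
        Recipients=["alice@contoso.com"], DeliveryAction="Delivered",
        Subject="Invoice overdue"),
]


def ts(r):
    return datetime.fromisoformat(r["CreationTime"])


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """User -> time of the last failure in the first run of `threshold`
    UserLoginFailed records that fit inside `window` (a failed-login spike)."""
    failures = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            failures[r["UserId"]].append(ts(r))
    bursts = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[user] = times[i + threshold - 1]
                break
    return bursts


def logins_after_burst(records, bursts, window=timedelta(minutes=30)):
    """Burst followed by UserLoggedIn: the shape of a guessed or sprayed password."""
    return {r["UserId"]: ts(r) for r in records
            if r["Operation"] == "UserLoggedIn" and r["UserId"] in bursts
            and timedelta(0) <= ts(r) - bursts[r["UserId"]] <= window}


# Mailbox operations the Mail Exchange dashboard flags as compromise indicators.
POST_COMPROMISE_OPS = {"MailItemsAccessed", "Add-RecipientPermission", "HardDelete"}


def mailbox_ops_after_login(records, logins, window=timedelta(hours=2)):
    """Those operations, by a flagged user, within `window` after the flagged sign-in."""
    return [(r["UserId"], r["Operation"], r["CreationTime"]) for r in records
            if r["Workload"] == "Exchange" and r["Operation"] in POST_COMPROMISE_OPS
            and r["UserId"] in logins
            and timedelta(0) <= ts(r) - logins[r["UserId"]] <= window]


def sendas_grants(records):
    """Every Add-RecipientPermission: (who granted, on whose mailbox, to which trustee)."""
    out = []
    for r in records:
        if r["Operation"] == "Add-RecipientPermission":
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            out.append((r["UserId"], r["ObjectId"], params.get("Trustee")))
    return out


def phish_summary(records, n=10):
    """Top targeted recipients and top senders for PhishConfidenceLevel 'High':
    the aggregation behind 'Top Targeted Users' and 'Top Threat Actor'."""
    targets, senders = Counter(), Counter()
    for r in records:
        if r["Operation"] == "TIMailData" and r.get("PhishConfidenceLevel") == "High":
            targets.update(r["Recipients"])
            senders[r["P1Sender"]] += 1
    return targets.most_common(n), senders.most_common(n)


if __name__ == "__main__":
    bursts = failed_login_bursts(RECORDS)
    logins = logins_after_burst(RECORDS, bursts)
    print("failed-login bursts:", bursts)
    print("successful sign-in after burst:", logins)
    print("mailbox activity after that sign-in:", mailbox_ops_after_login(RECORDS, logins))
    print("SendAs grants:", sendas_grants(RECORDS))
    print("phish targets / senders:", phish_summary(RECORDS))
```

The value of chaining the checks is that a burst of UserLoginFailed on its own is noise on most tenants, whereas a burst followed by a UserLoggedIn from the same client IP and then MailItemsAccessed or a SendAs grant is the sequence the Mail Exchange section describes for a compromised account. Bob's single failure never reaches the threshold, and the phish record is counted regardless of sign-in activity because it has its own record type.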