Creating an email alert when a specific event is triggered in Azure AD?

EnterpriseArchitect 4,721 Reputation points
2021-03-05T05:32:45.017+00:00

Hi Everyone,

As per: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

How can I get an email alert when these risky events are updated or happening across my Subscription?

  • Modified application and service principal credentials/authentication methods
  • Modified federation settings
  • New permissions granted to service principals
  • Directory role and group membership updates for service principals

Thanks in advance.


1 answer

  1. Ulv 81 Reputation points
    2021-03-05T06:15:11.25+00:00

    Hey EnterpriseArchitect,

    You can create a KQL query alert through your Azure Log Analytics workspace, where you filter for the event and trigger an e-mail when the risky event occurs.

    You can also leverage the SendGrid free tier to send e-mail.

    List of KQL you can configure for Solorigate
    https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
    SendGrid for Azure
    https://sendgrid.com/docs/for-developers/partners/microsoft-azure/
    Trigger alerts for Log Analytics log entries
    https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-response

    Update:
    List of KQL to monitor for in relation to Solorigate (https://github.com/FalconForceTeam/FalconFriday/blob/master/Uncategorized/FireEye_red_team_tool_countermeasures.md)

    Hope this helps,

    all the best,
    Ulv

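A concrete query for the approach Ulv describes, added here as an example and not part of the original answer: one KQL query over the AuditLogs table that covers the four event families the question lists, intended to be saved as a Log Analytics scheduled query alert rule with an e-mail action group attached. The operation names are assumed to match the Azure AD audit log display names; verify them against the OperationName values in your own AuditLogs data before relying on the list.

```kql
// Added example, not from the original answer. Assumes Azure AD / Entra ID
// audit logs are forwarded to the Log Analytics workspace (AuditLogs table).
// Operation names are assumptions based on Azure AD audit log display names;
// confirm them with: AuditLogs | summarize count() by OperationName
let credentialOps = dynamic([
    "Add service principal credentials",
    "Remove service principal credentials",
    "Update application"            // broad: also covers non-credential updates
]);
let federationOps = dynamic([
    "Set federation settings on domain",
    "Set domain authentication",
    "Update domain"
]);
let permissionOps = dynamic([
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Consent to application"
]);
let membershipOps = dynamic([
    "Add member to role",
    "Add eligible member to role",
    "Add member to group"
]);
AuditLogs
| where TimeGenerated > ago(1h)     // keep in step with the alert rule's lookback
| extend Actor     = tostring(InitiatedBy.user.userPrincipalName),
         ActorApp  = tostring(InitiatedBy.app.displayName),
         Target    = tostring(TargetResources[0].displayName),
         // true when any target resource in the event is a service principal
         TargetIsSP = tostring(TargetResources) has "ServicePrincipal"
| extend Category = case(
    OperationName in (credentialOps), "SP/app credential change",
    OperationName in (federationOps), "Federation settings change",
    OperationName in (permissionOps), "Permission granted to SP",
    OperationName in (membershipOps) and TargetIsSP, "SP role/group membership change",
    "")
| where isnotempty(Category)
| project TimeGenerated, Category, OperationName, Result, Actor, ActorApp,
          Target, TargetIsSP, CorrelationId
| order by TimeGenerated desc
```

When saving this as an alert rule, set the evaluation frequency and lookback so that they cover the `ago(1h)` window without gaps (for example every 5 minutes with a 1-hour period) and alert on "number of results greater than 0"; the action group is where the e-mail recipients (or a SendGrid-backed webhook) are configured.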