Question (asked by EddieHernandez-1528)

Azure Active Directory best practices for monitoring

Hello. I've been tasked with figuring out what security related events we're collecting in Azure Active Directory, then finding the difference between that and best practices. The goal being to pull those events to our external monitoring tool using the Graph API.

Is there a 'Best Practices' list of events for Azure AD?

It seems like I can only send certain event categories to a workspace for the API to pull from, is there no way to send specific events to a workspace?

Tags: azure-monitor, azure-security-center

Hi, we are investigating your issue and will update you shortly.

Best,
James


1 Answer

Answered by JamesHamil-MSFT

Hi @EddieHernandez-1528, there aren't any official "best practices" per se, as it differs depending on what your application is. Most people use sign-in logs the most, but other than that it's up to you. Can you explain more what you mean about sending specific events to a workspace?

Thank you,
James


In previous SIEMs we didn't want everything from systems, so we would collect specific Windows Event IDs, such as those in https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. However, it seems like Azure AD only provides categories to be sent to workspaces, those categories each containing a group of event IDs.

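Since the answer points at the sign-in logs and the follow-up comment asks for specific events rather than whole categories, here is an added example (not code from this thread or from Microsoft) of pulling Azure AD sign-ins from the Microsoft Graph `auditLogs/signIns` endpoint and selecting the records a SIEM would want: failed sign-ins, sign-ins flagged risky, and Conditional Access failures. It assumes an app registration granted `AuditLog.Read.All` and a bearer token supplied by the caller; the sample response page is constructed, and the `$filter` on `createdDateTime` is the only server-side narrowing assumed.

```python
"""Azure AD sign-in pull via Microsoft Graph with client-side event selection.
Added example, not code from the thread. Assumes an app registration granted
AuditLog.Read.All and a caller-supplied bearer token (acquisition omitted)."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_signin_query(since_iso):
    """Server-side narrowing: Graph accepts $filter on createdDateTime for signIns."""
    params = {"$filter": f"createdDateTime ge {since_iso}", "$top": "1000"}
    return f"{GRAPH_SIGNINS}?{urlencode(params)}"


def is_noteworthy(event):
    """Client-side selection, since diagnostic settings export whole categories:
    keep failed sign-ins, sign-ins flagged risky, and Conditional Access failures."""
    status = event.get("status") or {}
    if status.get("errorCode", 0) != 0:  # non-zero errorCode means the sign-in failed
        return True
    if event.get("riskLevelDuringSignIn", "none") not in ("none", "hidden"):
        return True
    return event.get("conditionalAccessStatus") == "failure"


def select_events(page):
    """Return the sign-in records from one Graph response page worth forwarding."""
    return [e for e in page.get("value", []) if is_noteworthy(e)]


def fetch_pages(token, url):
    """Yield each page of results, following @odata.nextLink until exhausted."""
    while url:
        req = Request(url, headers={"Authorization": f"Bearer {token}"})
        with urlopen(req) as resp:
            page = json.load(resp)
        yield page
        url = page.get("@odata.nextLink")


# Constructed sample page in the shape Graph returns (not real tenant data).
SAMPLE_PAGE = {"value": [
    {"id": "ok-1", "userPrincipalName": "alice@example.com", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success"},
    {"id": "fail-1", "userPrincipalName": "bob@example.com", "status": {"errorCode": 50126},
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "notApplied"},
    {"id": "risk-1", "userPrincipalName": "carol@example.com", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "medium", "conditionalAccessStatus": "success"},
    {"id": "ca-1", "userPrincipalName": "dan@example.com", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "failure"},
]}
```

In production, iterate `fetch_pages(token, build_signin_query(since))` and pass each page through `select_events` before forwarding; the selection rules are the place to encode the equivalent of an on-prem Event ID list.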