jason-mihalow/Azure_Sigin_Activity_to_syslog

This script sends the Azure sign-in activity logs to a SIEM via syslog. Because Azure Active Directory is a distributed cloud service, the logs arrive at the API endpoint out of order: not all systems carry the same load or sit in the same part of the world. The script therefore compares the id field of the logs returned for overlapping chunks of time and sends only the difference to the SIEM. An alert is also built in to detect when the logs have drifted beyond a configurable amount of time from the current time; this could indicate an issue with the Azure service, such as a login attack.

Detailed information regarding this script can be found at: https://www.sans.org/reading-room/whitepapers/logging/building-custom-siem-integration-api-based-log-source-azure-ad-graph-sign-in-events-38280

Variables that need to be configured:
$ClientID
$ClientSecret
$tenantdomain
$dstserver
$dstport

Schedule this script to execute using the local task scheduler. You will want to tune the frequency at which the script is executed: the time it takes to execute one run should not be longer than the execution frequency. The time one execution takes will vary depending on the amount of risk alerts you have in your portal. You can adjust $query_minutes to change the amount of time one execution of the script takes. Less $query_minutes = fewer ids to compare = shorter execution. The results of each query should overlap to catch any logs arriving late in the Microsoft logging facility.
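The three steps the README describes (comparing ids across overlapping windows, alerting on timestamp drift, and shipping the difference as syslog), as an added illustration that is not the repository's script; it runs on constructed sample events and makes no Graph API call. Function names and the sample data are assumptions; only $dstserver and $dstport come from the README.

```powershell
# Added illustration (not the repository's script): id comparison, drift alert and
# syslog formatting on constructed sample data. Names other than $dstserver/$dstport
# are assumptions.

# Constructed sample: the previous run's window and the current, overlapping window.
# 'a2' appears in both (already sent); 'a3' arrived late with an older timestamp.
$previousRun = @(
    @{ id = 'a1'; createdDateTime = '2020-01-01T10:00:05Z'; userPrincipalName = 'alice@example.com' },
    @{ id = 'a2'; createdDateTime = '2020-01-01T10:02:30Z'; userPrincipalName = 'bob@example.com' }
)
$currentRun = @(
    @{ id = 'a2'; createdDateTime = '2020-01-01T10:02:30Z'; userPrincipalName = 'bob@example.com' },
    @{ id = 'a4'; createdDateTime = '2020-01-01T10:04:10Z'; userPrincipalName = 'carol@example.com' },
    @{ id = 'a3'; createdDateTime = '2020-01-01T10:01:50Z'; userPrincipalName = 'dave@example.com' }
)

function Get-NewSigninEvents {
    # Return only the events whose id was not seen in the previous overlapping window
    param([array]$Previous, [array]$Current)
    $seen = @{}
    foreach ($e in $Previous) { $seen[$e.id] = $true }
    return @($Current | Where-Object { -not $seen.ContainsKey($_.id) })
}

function Test-LogDrift {
    # True when the newest event lags the current time by more than the threshold
    param([array]$Events, [datetime]$Now, [int]$MaxDriftMinutes)
    $newest = $Events | ForEach-Object { ([datetime]$_.createdDateTime).ToUniversalTime() } |
              Sort-Object -Descending | Select-Object -First 1
    return (($Now.ToUniversalTime() - $newest).TotalMinutes -gt $MaxDriftMinutes)
}

function ConvertTo-SyslogLine {
    # RFC 3164-style line; PRI 14 = facility user(1)*8 + severity informational(6)
    param([hashtable]$Event, [string]$Tag = 'AzureSignin')
    $ts = ([datetime]$Event.createdDateTime).ToUniversalTime().ToString('MMM dd HH:mm:ss')
    return "<14>$ts $env:COMPUTERNAME ${Tag}: " + ($Event | ConvertTo-Json -Compress)
}

function Send-SyslogUdp {
    # Ship one formatted line to the SIEM over UDP ($dstserver/$dstport from the README)
    param([string]$Line, [string]$Server, [int]$Port)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Line)
    $udp = New-Object System.Net.Sockets.UdpClient
    [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
    $udp.Close()
}

$newEvents = Get-NewSigninEvents -Previous $previousRun -Current $currentRun   # yields a4 and a3
foreach ($e in $newEvents) { ConvertTo-SyslogLine -Event $e }                   # print; replace with Send-SyslogUdp to ship
if (Test-LogDrift -Events $currentRun -Now (Get-Date) -MaxDriftMinutes 30) {    # fires for the 2020 sample
    Write-Warning 'Sign-in log timestamps have drifted beyond the configured threshold'
}
```

The late-arriving 'a3' is still emitted because the windows overlap and dedup is by id, not by time; the drift warning is the stalled-feed signal the README mentions.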