A cybersecurity breach into a business network is a costly, time-consuming affair that strikes fear into the hearts of IT administrators worldwide. When one occurs, knowledge becomes power! For Microsoft users, Active Directory logs become an incredibly valuable resource of said knowledge, providing information about the precise sequence that led to the cyber incident. Preventative security can then be improved based on the logs, and specific recovery processes tailored for the future.
Today we’re going to take a look at the importance of logging and how it can be utilised to detect intrusions, analyse problems and improve cybersecurity posture. We’ll also look at why extended logging is essential in today’s environment, plus the added benefits of enabling conditional access.
First, let’s dive into the two activity logs in Azure Active Directory that we find extremely helpful in monitoring cyber health: audit logs and sign-in logs.
Azure Active Directory Audit Logs
Azure AD audit logs provide a comprehensive report on every single logged event in Azure AD, making available information on users, groups and applications. To give you an idea of the kind of information, the Microsoft website lists the following questions as being answered in the audit logs:
- What types of changes were recently applied to users?
- How many users were changed?
- How many passwords were changed?
- What groups were recently added?
- Have the owners of groups been changed?
- What licenses have been assigned to a group or a user?
- What applications have been added, updated, or removed?
- Has a service principal for an application changed?
- Have the names of applications been changed?
The logs will show the exact time and date an activity occurred, what the activity entailed, who initiated it, what the target was and whether it was a success or failure. You can also customise the logs by filtering the data available.
Azure Active Directory Sign-In Logs
Every single sign-in to all your internal apps and resources is logged with Azure AD. The information provided in these powerful activity logs can be analysed and used to help pinpoint the cause of a cybersecurity incident
The who, how and what of each sign-in is logged, so the identity of the user, the application being used and the resource being accessed are all available for analysis down the track.
Important queries that the sign-in logs can help answer include how many users are trying to sign into a particular application in a specific timeframe, what browsers or operating systems they’re signing in from, and how many failed sign-in attempts there have been.
Why Extended Logging is Vital
As you can see from above, Azure AD logs provide a large amount of information that is not only helpful in cybersecurity but will assist in keeping your business compliant too.
In order for those logs to be useful though, they have to exist. At Smile IT we’ve been dealing with a number of cybersecurity incident responses recently where the business did not have extended logging activated. This means we can’t access the logs that were relevant to the incident in question because they’ve expired.
This makes it really difficult to diagnose the source of the breach and what went wrong. If we don’t understand what went wrong, it makes it harder to build specific approaches to prevent a similar breach from occurring in the future.
The free and lowest tier of Azure Active Directory keeps a record of audit and sign-in logs for 7 days. In many cases, this hasn’t proved to be long enough, particularly when you consider the time it takes to design and implement a breach, and the time to identify a breach has occurred. By that stage, the logs will probably have expired already.
The Premium P1 and P2 tiers of AD both offer 30-day extended logging, which is ample when it comes to pinpointing the source of most breaches.
As Microsoft Partners in Brisbane, Smile IT can help you configure your Microsoft license to ensure your cybersecurity defences are as strong as they could possibly be. Enabling extended logging is a big step towards achieving that. Another step we’d urge you to consider is enabling conditional access.
Expert Tip: Enable Conditional Access in Azure AD
Conditional access is a set of requirements that grant or deny access to a resource, in addition to a sign-in process. These requirements are built around certain ‘signals’ associated with the sign-in attempt to determine its risk factor. These signals include a variety of data, including IP address and device type, as well as the more obvious data such as user and group membership.
Your conditional access policy is created within Azure AD and has a number of configuration criteria you can set as requirements to allow or deny a login attempt. This is very helpful in limiting the surface area you have exposed to a breach. It allows you to prevent login attempts from different geographical locations to your business (hackers overseas will simply be blocked before they can wreak any havoc!) and to deny access from devices your organisation doesn’t use.
Let Smile IT Configure Your Azure AD
Configuring your Azure AD license is an overwhelming prospect. There are so many considerations and decisions to be made, so much to get right or wrong. Luckily, we’re experts at it here at Smile IT! We can help you enable and configure your conditional access, plus help with enabling extended logging on sign-in and audit logs, and guide you through every other aspect of Azure Active Directory.
Give our expert IT team a shout out today with any questions you might have!
When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on the Gold Coast or hanging out with his family!