[Filebeat] Azure Module - Additional Azure AD Log Sources

Recently Microsoft Azure has added 4 new Azure AD log sources to be consumed by Azure Monitor Diagnostic Settings. When would we be able to receive support for these new log sources for the Azure module?

New Log Sources

  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs
  • ProvisioningLogs



Hi @Matthew_Lubbers, can you create an enhancement issue in the Beats GitHub repo, elastic/beats: Beats - Lightweight shippers for Elasticsearch & Logstash (github.com)? This might be something we want to add in. Meanwhile, you could use the azure-eventhub input and use your own pipeline to process the messages.

Thanks for the request @Matthew_Lubbers. As Mariana mentioned, it's best to create an enhancement request. I've gone ahead and created the issue here.

If you could provide some sample events of the new SignIn and Provisioning logs in JSON format it'd be a big help (sanitised events are fine).

@jamie.hynds, on a similar matter: Microsoft has a Security Graph API to pull all security-related events. Do you know if there is any work regarding integrating this data, similar to how you currently do the o365 module for the Microsoft Management API?
Thank you

For reference, here is the Graph API documentation for security alerts:
MSFT Graph API - Security Alerts

In my opinion, I would skip the Secure Score APIs as they are pretty subjective and most of the time, enterprises use a Cloud Security Posture Management (CSPM) tool to provide compliance across Cloud Platforms instead of just relying on Secure Score.

I would agree, the securityevents is what matters. I reviewed in detail the Filebeat o365 module that leverages the Microsoft Management API. It has some alerts from the securitycompliance scheme, but it is missing many other alerts, such as the identity protection alerts.
