Azure Entra Logs

Azure Entra is Microsoft’s identity and access management solution, encompassing services like Azure Active Directory (Azure AD). Entra logs capture identity-related activities such as user sign-ins, access attempts, multi-factor authentication (MFA) events, and directory changes. These logs help monitor authentication activity, track access to applications and resources, and investigate potential security incidents like unauthorized access or account compromise.

Ingest Method

Azure Entra logs can be ingested using either an Azure storage bucket or pushed to RunReveal using a webhook.

Azure storage buckets are inherently cheaper than using the webhook method but logs can be delayed by up to an hour. The webhook ingestion imports logs as soon as they are generated, but using an event hub can become more expensive if there are lots of logs.

EventHub Creation

The first step in setting up Azure Entra logs is to create an event hub.

An event hub needs an event hub namespace, if you don’t already have one that you want to use, you will need to create that first.

Follow the steps in Azure to create a namespace in your resource group giving it a name. This name will be needed when setting up your Azure function.

After creating the namespace, create a new event hub inside it. Save the name you give to it as it will be needed later.

At this point you can now setup Azure to export logs to your event hubs, but you can also setup different access policies or consumer groups for your event hubs as required by your organization.

Export Logs to Event Hub

With the event hub in place you can now setup Activity Logs to export to it. Pick and choose which type of log you want imported to RunReveal.

From your Entra admin portal navigate to the Users->Sign-in logs screen and click on “Export Data Settings”

On the diagnostic settings page, add a new diagnostic setting. Give the diagnostic setting a name, choose the categories you wish to include in your events, and select “Stream to an event hub” filling in the details with the event hub that was created.

RunReveal Source

In order for your RunReveal workspace to accept the log you will first need to create the source.

Create a new Azure Entra Log source and select the Webhook ingest method.

Once you have created the source, make note of the Webhook URL that was generated. This will be used when setting up your Azure function.

Connect Everything Together

The final step is to create an Azure function that will trigger when new messages are sent to the event hub, and forward them to your RunReveal source. Luckily we have an easy to use template to help with that. Navigate to our GitHub repo to view the source code of the Azure Function getting deployed. Click on the below button to automatically load the template into Azure.

To get started fill in the Subscription, resource group, and function name. Select the event hub namespace where the logs are sent and the access policy that will be used to read events. The GitHub repo and branch are used to download the function source code. Keep these default unless you plan to fork the repo to your own GitHub account.

If you plan to import Activity Logs, check the “Enable Activity Log Event Hub Functions” box to bring up the options for Activity Logs. Fill in the RunReveal webhook URL that was obtained earlier when creating your source. Then select the event hub and consumer group that are being used to store the activity logs.

If you plan to Import Entra Logs, check the “Enable Entra Log Event Hub Functions” box to bring up the options for Entra Logs. Fill in the RunReveal webhook URL that was obtained earlier when creating your source. Then select the event hub and consumer group that are being used to store the Entra logs.

When filling in the webhooks for Azure Activity Logs and Entra Logs, make sure to use the correct URL for that source. Mixing up the URLs or creating the wrong type of source will cause most if not all of your logs to fail to import.

Add any required tags to your setup, then review the settings. Once created Azure will begin the deployment of the function. This may take a few minutes, but when complete logs should begin flowing to RunReveal.

Azure may take some time before they start to forward events to your Azure function. If a few hours have gone by and you have not seen any logs appear in your RunReveal account reach out to us to for some help.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: entra_logs (51 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String

Column	Type
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`readOnly`	Bool
`rawLog`	String
`time`	String
`resourceId`	String
`operationName`	String
`operationVersion`	String
`category`	String
`tenantId`	String
`resultSignature`	String
`resultDescription`	String
`durationMs`	Int64
`callerIpAddress`	String
`correlationId`	String
`identity`	String
`level`	Int64
`location`	String
`properties`	String
`normalizedTime`	String

Activity Logs Azure Flow