Azure Entra Logs

Azure Entra is Microsoft's identity and access management solution, encompassing services like Azure Active Directory (Azure AD). Entra logs capture identity-related activities such as user sign-ins, access attempts, multi-factor authentication (MFA) events, and directory changes. These logs help monitor authentication activity, track access to applications and resources, and investigate potential security incidents like unauthorized access or account compromise.

Ingest Method

Azure Entra logs can be ingested either from an Azure storage bucket or by pushing them to RunReveal through a webhook.

Ingesting from an Azure storage bucket is inherently cheaper than the webhook method, but logs can be delayed by up to an hour. Webhook ingestion imports logs as soon as they are generated, but using an event hub can become more expensive at high log volumes.