Title: (Intermediate) Azure AD Logs for the Blue Team
Description:
As enterprises move to cloud resources like Office365 and Azure AD, it is imperative that they proactively monitor and protect against potential threats. But these vast quantities of security data are of no value if you, as a security admin, cannot make sense of them. In this session we'll explore the data that's available in Azure AD logs, how to integrate it with 3rd party SIEMs, and how to get actionable insights from it. We'll also share best practices on consuming Azure AD logs based on our insights from working with large enterprises.
Outline:
Understanding the different types of logs in Azure AD (Sign-In, Audit, Risk, Application) and what data is in each of them. (15 mins)
Example Conditional Access Sign-in Logs (2 mins)
Example Service Principal Log (2 mins)
Understanding how to send logs to SIEMs (5 mins)
Demo Configuring Azure Monitor Event Hub to send to 3rd party SIEM (2 mins)
Understanding key events to look for and why (10 mins)
Demo Using Azure workbooks and Log Analytics to look for key events (5 mins)
Q and A (Remaining time)
Speaker(s): Mark Morowczynski
Location: Blue Team Vlg / Blue Team Vlg - Workshop Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-09 15:00 (03:00 PM) PDT (UTC -07:00)
Event ends: 2020-08-09 15:45 (03:45 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T01:06 (UTC).
