Get Entra ID user audit logs (not admin) #705
Hello, is there a way to get Entra ID user audit logs like the below activities?
This would be very helpful to identify compromised accounts.
Replies: 2 comments
Hi @pwhitney5524, at the moment only 3 events are supervised by this module, and they are "hard coded" right now. In the future we will add new events, and maybe the scan process can be changed on demand, but it isn't a priority right now. You can do that by making custom correlation rules in your instance. Thanks for the feedback.
Hello,
Correlation rules will only work if the log has been downloaded to UTMStack from Entra ID, right?
I searched the logs in UTMStack and the log I am looking for is simply not there.
How can we tell UTMStack to download these logs?
Best regards,
Philippe
From: Freddy R. Laffita Almaguer
Sent: Friday, June 7, 2024 10:43 AM
Subject: Re: [utmstack/UTMStack] Get Entra ID user audit logs (not admin) (Discussion #705)