Ingest Microsoft Entra ID sign-in logs


In the following, you’ll learn how to ingest sign-in logs from your Microsoft Entra ID instance into Grail and monitor them on the Dynatrace platform.

How it works

There are two ways to enable Entra ID sign-in logs forwarding to Dynatrace:

See below for details.


  1. Microsoft Entra ID continuously exports sign-in logs to Azure Event Hubs.

  2. An Azure Function app pre-processes the logs and sends them to Dynatrace, taking advantage of the OpenPipeline dedicated log ingest endpoint.

  3. The fetched data is mapped to the Dynatrace Semantic Dictionary.

  4. Data is stored in Grail in a unified format, in a default bucket called default_logs. For details, see Built-in Grail buckets.

Prerequisites

Enable Entra ID sign-in logs forwarding to Dynatrace via either of the two options:

Get started

To set up Microsoft Entra ID sign-in log monitoring, follow the steps below.

  1. In Dynatrace, go to Settings > Process and contextualize > OpenPipeline and select Logs.

  2. Go to Pipelines and select Pipeline.

  3. Under Processing, select Processor > Technology bundle > Azure Entra ID Audit Logs.

  4. Select Choose.

  5. Enter a name for your Azure pipeline and select Save.

  6. Under Dynamic routing, select Dynamic route.

  7. Enter the following matching condition:

    matchesValue(cloud.provider, "azure") AND
    matchesPhrase(content, "\"SignInLogs\"")

  8. Select the newly created pipeline, enter a name for the Dynamic route, and select Add.

Verify the configuration by running the following query in Notebooks:

fetch logs
| filter cloud.provider == "azure"
AND isNotNull(audit.action)
AND isNotNull(authentication.is_multifactor)

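
The following is an added example, not code from the Dynatrace documentation or from the Azure Function app: it replays the dynamic-route condition above and the verification query over a constructed Event Hubs batch, so you can see which Entra ID categories the route admits and why the escaped quotes in the phrase matter. The phrase match is approximated with a substring test, and the derivation of audit.action and authentication.is_multifactor from the raw record is an assumption, not the actual Semantic Dictionary mapping.

```python
import json

# Constructed sample in the shape Azure Monitor diagnostic settings use when
# exporting Entra ID logs to Event Hubs (a "records" array, one category each).
# Field values are made up; the category names are real Entra ID categories.
EVENT_HUB_BATCH = json.dumps({"records": [
    {"category": "SignInLogs", "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "alice@example.test",
                    "authenticationRequirement": "multiFactorAuthentication"}},
    {"category": "NonInteractiveUserSignInLogs", "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "svc@example.test"}},
    {"category": "AuditLogs", "operationName": "Add user",
     "properties": {"initiatedBy": "admin@example.test"}},
]})

def to_dynatrace_records(batch_json: str) -> list[dict]:
    """Turn one Event Hubs batch into one log record per Entra ID record, as a
    forwarding function might: raw record kept as `content`, plus the attributes
    the route and the verification query rely on (assumed mapping, see lead-in)."""
    out = []
    for rec in json.loads(batch_json)["records"]:
        props = rec.get("properties", {})
        out.append({
            "cloud.provider": "azure",
            "content": json.dumps(rec),
            "audit.action": rec.get("operationName"),
            # Only records that state an authentication requirement get a value;
            # everything else stays null, exactly what isNotNull() filters out.
            "authentication.is_multifactor": (
                props["authenticationRequirement"] == "multiFactorAuthentication"
                if "authenticationRequirement" in props else None),
        })
    return out

def route_matches(record: dict) -> bool:
    """Approximates matchesValue(cloud.provider, "azure") AND
    matchesPhrase(content, "\"SignInLogs\"") with a substring test (assumption).
    The surrounding quotes are what keeps "NonInteractiveUserSignInLogs" out."""
    return record.get("cloud.provider") == "azure" and '"SignInLogs"' in record["content"]

def passes_verification_query(record: dict) -> bool:
    """Mirrors the Notebooks check: azure records with audit.action and
    authentication.is_multifactor both set."""
    return (record.get("cloud.provider") == "azure"
            and record.get("audit.action") is not None
            and record.get("authentication.is_multifactor") is not None)

def routed_categories(batch_json: str) -> list[str]:
    """Categories of the records the dynamic route would send to the pipeline."""
    return [json.loads(r["content"])["category"]
            for r in to_dynatrace_records(batch_json) if route_matches(r)]
```

If the verification query returns nothing after ingestion, check first that the forwarded records really carry cloud.provider and the category token, since both filters are satisfied only when the Function app preserved them.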
  1. Download our sample dashboard from GitHub.

  2. Open Dashboards, select Import Upload, then select the downloaded file.

Use cases

With the ingested data, you can leverage the Dynatrace platform to monitor your Microsoft Entra ID sign-in activity and access to business-critical organization applications, spotting anomalies and staying ahead of potential threats. For details, see Monitor suspicious sign-in activity with Dynatrace.