LOG-03: Stream All Security Events to SIEM in Real-Time
Overview
This guide walks you through streaming all Microsoft Entra ID sign-in and audit logs to a SIEM in real-time. At Level 3 (Maximum Security), every identity event must flow continuously to a central security stack where custom detection rules can correlate and alert within minutes of a suspicious pattern appearing.
Control ID: LOG-03 Category: Logging Severity: Info Minimum Level: 3 (Maximum Security) License Required: Microsoft Entra ID P2
Why This Matters
Real-time log streaming enables immediate threat detection and correlation across your security stack. Level 3 organizations can detect and respond to attacks within minutes, not days.
Advisory: TrueConfig detects whether Entra ID Diagnostic Settings are configured and whether retention meets the 2-year minimum. Remediation is manual and requires configuration in the Entra admin center and your SIEM or Azure environment. There is no one-click fix.
Prerequisites
Required Roles
You need one of the following roles:
- Security Administrator
- Global Administrator
Additionally, for Azure resource configuration:
- Contributor on the Azure subscription
- Log Analytics Contributor for workspace configuration
Required Licenses
| Feature | License Required |
|---|---|
| Entra ID Diagnostic Settings (sign-in and audit log export) | Microsoft Entra ID P1 or P2 |
| Identity Protection risk logs (RiskyUsers, UserRiskEvents) | Microsoft Entra ID P2 |
| Microsoft Sentinel SIEM | Azure subscription |
Note: Entra ID P2 is required for this Level 3 control because Identity Protection risk signals are part of the expected complete security event stream.
Pre-Configuration Requirements
- Log Analytics workspace or Event Hub namespace provisioned in Azure
- Microsoft Sentinel workspace deployed (recommended), or third-party SIEM connector configured
- Entra ID Diagnostic Settings access confirmed
- Retention target (minimum 2 years) agreed with compliance team
- LOG-01 (Unified Audit Log) and LOG-02 (log export to storage) already active
Time Estimate
| Task | Duration |
|---|---|
| Provision Event Hub (if needed) | 15 minutes |
| Configure Entra ID Diagnostic Settings | 20 minutes |
| Enable Sentinel Entra ID connector | 15 minutes |
| Create custom detection rules | 45-60 minutes |
| Verify log flow and test alerts | 30 minutes |
| Total | 2-2.5 hours |
Step-by-Step Instructions
Step 1: Configure Entra ID Diagnostic Settings
All sign-in and audit log categories must stream out of Entra ID before any SIEM can consume them.
- Navigate to Microsoft Entra admin center
- Go to Identity > Monitoring and health > Diagnostic settings
- Click + Add diagnostic setting
- Name the setting `EntraID-RealTime-SIEM`
Select All Log Categories
- Under Logs, enable every applicable category:
| Category | Purpose |
|---|---|
| AuditLogs | Administrative and configuration changes |
| SignInLogs | Interactive user sign-ins |
| NonInteractiveUserSignInLogs | App and service sign-ins |
| ServicePrincipalSignInLogs | Application authentication |
| ManagedIdentitySignInLogs | Managed identity authentication |
| ProvisioningLogs | User provisioning events |
| RiskyUsers | Users flagged as risky (requires P2) |
| UserRiskEvents | Risk detection events (requires P2) |
| RiskyServicePrincipals | Risky service principals (requires P2) |
| ServicePrincipalRiskEvents | Service principal risk events (requires P2) |
| ADFSSignInLogs | Federated sign-ins (if using AD FS) |
Choose Destination
- Select one or both destinations:
  - Send to Log Analytics workspace (for Microsoft Sentinel or KQL-based alerting)
  - Stream to an event hub (for third-party SIEM such as Splunk or IBM QRadar)
- Click Save
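The portal steps above can be scripted so the setting is reproducible and auditable. The following is an added example, not code from the original page or from Microsoft: it builds the diagnostic-setting body with every category from the table and applies it with one ARM REST call against the tenant-level `microsoft.aadiam` diagnostic settings resource. It assumes a logged-in Azure CLI session with one of the roles listed under Prerequisites; the workspace and Event Hub resource IDs are placeholders, and the Event Hub parameters are optional (Step 3 adds that destination later).

```python
"""Create the Entra ID diagnostic setting from Step 1 as code.

Added example, not from the original page. Assumes: Azure CLI installed and logged in,
placeholder resource IDs replaced with your own, and the documented tenant-level path
/providers/microsoft.aadiam/diagnosticSettings/{name} (api-version 2017-04-01).
"""
import json
import subprocess
import urllib.request

# Every category from the Step 1 table. Risk categories need Entra ID P2, and ADFSSignInLogs
# only applies to federated tenants; the API rejects categories the tenant does not expose,
# so trim this list to what your tenant actually offers.
ALL_CATEGORIES = [
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs",
    "RiskyUsers", "UserRiskEvents", "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
    "ADFSSignInLogs",
]

# Entra ID diagnostic settings are a tenant-level resource, not a subscription resource.
SETTING_URL = ("https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/"
               "{name}?api-version=2017-04-01")


def build_setting(workspace_id, categories=ALL_CATEGORIES,
                  event_hub_rule_id=None, event_hub_name=None):
    """Return the request body. workspace_id is the Log Analytics workspace resource ID;
    event_hub_rule_id is the resource ID of an authorization rule on the Event Hub namespace
    (Azure Monitor publishes with that rule; the SIEM should read with a separate Listen-only one)."""
    props = {
        "workspaceId": workspace_id,
        "logs": [{"category": c, "enabled": True} for c in categories],
    }
    if event_hub_rule_id:
        if not event_hub_name:
            raise ValueError("event_hub_name is required when streaming to an event hub")
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
        props["eventHubName"] = event_hub_name
    return {"properties": props}


def enabled_categories(body):
    """Categories switched on in a setting body (also useful on a GET of an existing setting)."""
    return sorted(log["category"] for log in body["properties"]["logs"] if log["enabled"])


def missing_categories(body, required=ALL_CATEGORIES):
    """Required categories absent from the body; non-empty means the stream is incomplete."""
    return sorted(set(required) - set(enabled_categories(body)))


def arm_token():
    """Bearer token for Azure Resource Manager from the logged-in Azure CLI session."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token",
         "--resource", "https://management.azure.com/", "-o", "json"])
    return json.loads(out)["accessToken"]


def apply_setting(name, body, token):
    """PUT the setting (creates or updates) and return the parsed response."""
    req = urllib.request.Request(
        SETTING_URL.format(name=name),
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs: replace with your own workspace and Event Hub authorization rule.
    ws = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
          "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")
    body = build_setting(ws)
    if missing_categories(body):
        raise SystemExit(f"incomplete stream: {missing_categories(body)}")
    print(json.dumps(apply_setting("EntraID-RealTime-SIEM", body, arm_token()), indent=2))
```

Run `missing_categories` against a GET of the existing setting during periodic reviews: a category that someone unticked in the portal shows up immediately, which is the check TrueConfig performs for this control.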
Step 2: Connect to Microsoft Sentinel (Recommended)
Microsoft Sentinel is the recommended SIEM for Microsoft 365 tenants. It reads from the Log Analytics workspace configured in Step 1; the connector page below writes the same Entra ID Diagnostic Settings entry, so if Step 1 already points at the Sentinel workspace, enabling the connector only confirms and completes the category list.
- Navigate to Azure portal
- Open your Microsoft Sentinel workspace
- Go to Configuration > Data connectors
- Search for Microsoft Entra ID
- Click Open connector page
- Enable all available log types (sign-in logs, audit logs, identity protection)
- Click Apply changes
Verify that data is flowing. Wait 15-30 minutes after saving, then run this query in General > Logs:
```kusto
SigninLogs
| take 5
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType
```
If rows appear, the stream is active.
Step 3: Stream to an Event Hub (Third-Party SIEM)
If your organization uses Splunk, IBM QRadar, or another SIEM, stream logs via Azure Event Hub.
- Create an Event Hub namespace in the Azure portal:
  - Namespace name: `entra-siem-stream`
  - Pricing tier: Standard (or higher for large tenants). Basic allows only the shared `$Default` consumer group and 1-day retention, so it cannot give the SIEM a dedicated consumer group
  - Throughput units: start at 1 and scale as needed
- Create an Event Hub within the namespace:
  - Name: `entra-logs`
  - Partition count: 4 (adjust for volume)
  - Message retention: 7 days (the Standard-tier maximum; acts as a short buffer if the SIEM falls behind)
  - Add a consumer group dedicated to the SIEM (for example `siem`) and a shared access policy on the hub with only the Listen claim; the SIEM will use that policy's connection string rather than the namespace-level `RootManageSharedAccessKey`
- Return to Entra ID Diagnostic Settings and add an additional destination:
  - Check Stream to an event hub
  - Select the namespace and hub created above
  - Click Save
- In your SIEM, configure the Event Hub connection using the Listen-only connection string and the dedicated consumer group. Consult your SIEM vendor's documentation for the specific connector.
  - For Splunk: install the Splunk Add-on for Microsoft Cloud Services and configure an Azure Event Hub input.
  - For IBM QRadar: use the Microsoft Azure DSM with an Event Hub data source.
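Before trusting a vendor connector, it helps to see what actually arrives on the hub. The following is an added example, not code from the original page or from any SIEM vendor: a small consumer that parses the batches Azure Monitor writes to the Event Hub (each message is a JSON document with a top-level `records` array) and reports which categories are flowing and which are missing. The sample message is constructed here, and its record field names (`category`, `resultType`, `properties.userPrincipalName`) follow the Azure Monitor resource-log schema as the author recalls it, so verify them against a real record. The live consumer assumes the `azure-eventhub` package, a Listen-only connection string and the dedicated consumer group from Step 3.

```python
"""Parse Entra ID records delivered to the Event Hub from Step 3 and check category coverage.

Added example, not from the original page or a SIEM vendor. Offline parts (parse_batch,
category_counts, coverage_gaps, failed_signins) run as-is; run_consumer needs
`pip install azure-eventhub` and a real connection string.
"""
import json
from collections import Counter

# Categories a complete stream must carry; risk categories need Entra ID P2.
EXPECTED = {
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs", "ProvisioningLogs", "RiskyUsers", "UserRiskEvents",
}


def parse_batch(body):
    """Return the records in one Event Hub message. Azure Monitor wraps them as
    {"records": [...]}; malformed or record-less messages yield [] instead of killing the consumer."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    records = doc.get("records") if isinstance(doc, dict) else None
    return [r for r in (records or []) if isinstance(r, dict) and "category" in r]


def category_counts(records):
    return Counter(r["category"] for r in records)


def coverage_gaps(counts, expected=EXPECTED):
    """Expected categories with zero records; non-empty after a full day means a category is not flowing."""
    return sorted(c for c in expected if counts.get(c, 0) == 0)


def failed_signins(records):
    """Sign-in records whose resultType is not "0" (success); the field is a string, as in Log Analytics."""
    return [r for r in records
            if r["category"] in ("SignInLogs", "NonInteractiveUserSignInLogs")
            and str(r.get("resultType", "")) != "0"]


# Constructed sample message; every value is fictitious.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-05-01T08:00:00Z", "category": "SignInLogs", "resultType": "0",
     "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "ga-alice@contoso.example",
                    "location": {"countryOrRegion": "NL"}}},
    {"time": "2024-05-01T08:00:05Z", "category": "SignInLogs", "resultType": "50126",
     "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "bob@contoso.example",
                    "location": {"countryOrRegion": "US"}}},
    {"time": "2024-05-01T08:01:00Z", "category": "AuditLogs", "resultType": "",
     "operationName": "Add member to role", "properties": {}},
    {"time": "2024-05-01T08:02:00Z", "category": "UserRiskEvents",
     "operationName": "User Risk Event", "properties": {"riskLevel": "high"}},
    {"garbage": True},  # a record without a category is dropped, not raised
]})


def run_consumer(connection_string, eventhub_name="entra-logs", consumer_group="siem"):
    """Live consumer. Uses a dedicated consumer group (never $Default, which the portal and
    other tools share) and expects a Listen-only connection string."""
    from azure.eventhub import EventHubConsumerClient  # pip install azure-eventhub
    seen = Counter()

    def on_batch(partition_context, events):
        for event in events:
            seen.update(category_counts(parse_batch(event.body_as_str())))
        partition_context.update_checkpoint()
        print(dict(seen), "gaps:", coverage_gaps(seen))

    client = EventHubConsumerClient.from_connection_string(
        connection_string, consumer_group, eventhub_name=eventhub_name)
    with client:
        client.receive_batch(on_batch, starting_position="-1", max_wait_time=30)


if __name__ == "__main__":
    recs = parse_batch(SAMPLE_MESSAGE)
    counts = category_counts(recs)
    print(dict(counts), "gaps:", coverage_gaps(counts), "failed:", len(failed_signins(recs)))
```

`coverage_gaps` is the Event Hub counterpart of the "all categories including risk logs are included" item in the verification checklist: a category that never shows up after a day of traffic is either not enabled in Diagnostic Settings or not licensed.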
Step 4: Configure Long-Term Retention (Minimum 2 Years)
Log retention of at least 2 years is required for this control.
Log Analytics Workspace Retention
- Navigate to your Log Analytics workspace in the Azure portal
- Go to Settings > Usage and estimated costs
- Click Data retention (newer portal versions also expose this default, and per-table retention, under Settings > Tables)
- Set retention to 730 days (2 years minimum)
- Click OK
730 days is the maximum interactive retention. For compliance requirements beyond 730 days, use the Log Analytics long-term (archive) retention tier or storage account archival (see below).
Archive via Storage Account
For cost-efficient long-term archival beyond the Log Analytics retention window:
- In Entra ID Diagnostic Settings, add an archive destination:
  - Check Archive to a storage account
  - Select or create a dedicated storage account
  - Set retention to `0` (indefinite) or your required period in days. The retention-days field in Diagnostic Settings has been deprecated in favor of storage lifecycle management, so do not rely on it as the only control
- Configure a lifecycle management policy on the storage account to move blobs to cool or archive tier after 90 days to reduce storage costs, and to delete them only after your agreed retention period
Step 5: Create Custom Detection Rules on Suspicious Patterns
Custom detection rules are a core expected outcome of this control. The three required patterns are new sign-in locations for admins, bulk operations, and off-hours admin activity; Rule 4 adds the Identity Protection risk signal that the P2 license makes available.
Rule 1: Sign-In from a Country Not Seen for That Admin Account in the Last 30 Days
```kusto
// Adjust the admin patterns to match your naming convention. has_any matches whole terms,
// not substrings, so check the patterns against a few real admin UPNs first.
let adminPatterns = dynamic(["admin", "ga-", "svc-admin"]);
// Baseline: countries each admin signed in from between 30 days and 1 hour ago.
let baseline = SigninLogs
    | where TimeGenerated between (ago(30d) .. ago(1h))
    | where ResultType == "0" and UserPrincipalName has_any (adminPatterns)   // ResultType is a string column
    | summarize KnownCountries = make_set(Location) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0" and UserPrincipalName has_any (adminPatterns)
| join kind=leftouter baseline on UserPrincipalName
// Alert when the country is absent from the baseline, or the account has no baseline at all.
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Location))
| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName, KnownCountries
```
Rule 2: Bulk Operations by a Single Admin in a 15-Minute Window
```kusto
AuditLogs
| where TimeGenerated > ago(1h)
| where Category in ("RoleManagement", "Policy", "ApplicationManagement", "GroupManagement")
// Only human actors; changes made by applications appear under InitiatedBy.app instead.
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
// bin() aligns buckets to the clock (:00, :15, :30, :45), so a burst straddling a boundary is split across two buckets.
| summarize OperationCount = count() by Actor, bin(TimeGenerated, 15m)
| where OperationCount > 20   // tune to your tenant's normal change volume
```
Rule 3: Off-Hours Admin Activity
```kusto
AuditLogs
| where TimeGenerated > ago(24h)
| extend HourOfDay = hourofday(TimeGenerated)
// TimeGenerated is UTC; adjust the bounds to your business hours.
// This flags anything outside 07:00-20:00 UTC (hour 20 onward counts as off-hours).
| where HourOfDay < 7 or HourOfDay >= 20
| where Category in ("RoleManagement", "Policy", "UserManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
| project TimeGenerated, HourOfDay, Actor, OperationName, Category
```
Rule 4: High-Risk Sign-In (Identity Protection)
```kusto
SigninLogs
| where TimeGenerated > ago(1h)
// RiskLevelDuringSignIn is populated only with Entra ID P2; without it the value is "hidden".
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, RiskState, IPAddress, Location
| order by TimeGenerated desc
```
Deploying Rules as Sentinel Analytics
- In your Sentinel workspace, go to Configuration > Analytics
- Click + Create > Scheduled query rule
- Paste the query and set the run frequency (every 5 minutes for near-real-time coverage). The queries above look back 1 hour or 24 hours, so either shorten the lookback to match the frequency or configure alert grouping and suppression; otherwise the same event opens a new incident on every run
- Set severity (High for admin sign-in anomalies, Medium for bulk operations)
- Under Incident settings, enable incident creation
- Click Save and enable
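Rule thresholds are easiest to reason about against data you control. The following is an added example, not code from the original page: it re-implements the Rule 1 (new country for an admin) and Rule 2 (bulk operations) logic in Python over constructed `SigninLogs` and `AuditLogs` style records, so you can see exactly which events a given baseline window, bin size and threshold would surface before you deploy the KQL as scheduled rules. The admin patterns are matched as substrings here, unlike KQL's term-based `has_any`; only the columns the queries use are modelled.

```python
"""Dry-run the Rule 1 and Rule 2 detection logic over constructed events.

Added example, not from the original page. The records mimic the SigninLogs / AuditLogs
columns the KQL rules read; everything below is constructed, fictitious data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ADMIN_PATTERNS = ("admin", "ga-", "svc-admin")          # adjust to your naming convention
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible
BULK_CATEGORIES = {"RoleManagement", "Policy", "ApplicationManagement", "GroupManagement"}


def is_admin(upn):
    return any(p in upn.lower() for p in ADMIN_PATTERNS)


def new_country_admin_signins(signins, now=NOW, baseline=timedelta(days=30), window=timedelta(hours=1)):
    """Rule 1: successful admin sign-ins in the last `window` from a country that account did not
    use during the preceding `baseline`. An account with no baseline at all is also reported."""
    known = defaultdict(set)
    for e in signins:
        if (e["ResultType"] == "0" and is_admin(e["UserPrincipalName"])
                and now - baseline <= e["TimeGenerated"] < now - window):
            known[e["UserPrincipalName"]].add(e["Location"])
    hits = []
    for e in signins:
        if (e["ResultType"] == "0" and is_admin(e["UserPrincipalName"])
                and e["TimeGenerated"] >= now - window
                and e["Location"] not in known[e["UserPrincipalName"]]):
            hits.append((e["UserPrincipalName"], e["Location"], e["TimeGenerated"]))
    return hits


def bulk_operations(audits, threshold=20, bin_minutes=15, now=NOW, lookback=timedelta(hours=1)):
    """Rule 2: actors with more than `threshold` sensitive operations in one clock-aligned bucket
    (the same alignment KQL's bin() uses). Returns {(actor, bucket_start): count}."""
    counts = defaultdict(int)
    for e in audits:
        if e["TimeGenerated"] < now - lookback or e["Category"] not in BULK_CATEGORIES:
            continue
        actor = e.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")
        if not actor:  # app-initiated changes carry InitiatedBy.app instead and are skipped, as in the KQL
            continue
        t = e["TimeGenerated"]
        bucket = t - timedelta(minutes=t.minute % bin_minutes, seconds=t.second, microseconds=t.microsecond)
        counts[(actor, bucket)] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def signin(upn, country, when, result="0"):
    return {"UserPrincipalName": upn, "Location": country, "ResultType": result, "TimeGenerated": when}


def audit(actor, category, when):
    return {"Category": category, "TimeGenerated": when,
            "InitiatedBy": {"user": {"userPrincipalName": actor}}}


# Constructed sample data.
SIGNINS = [
    signin("ga-alice@contoso.example", "NL", NOW - timedelta(days=10)),
    signin("ga-alice@contoso.example", "NL", NOW - timedelta(days=2)),
    signin("ga-alice@contoso.example", "BR", NOW - timedelta(minutes=20)),  # new country: hit
    signin("ga-alice@contoso.example", "NL", NOW - timedelta(minutes=10)),  # known country
    signin("bob@contoso.example", "BR", NOW - timedelta(minutes=5)),         # not an admin
    signin("svc-admin-x@contoso.example", "US", NOW - timedelta(minutes=5), result="50126"),  # failed
    signin("admin-new@contoso.example", "DE", NOW - timedelta(minutes=3)),   # no baseline: hit
]
AUDITS = (
    # 25 role changes inside one 15-minute bucket: fires
    [audit("ga-alice@contoso.example", "RoleManagement", NOW - timedelta(minutes=14, seconds=i)) for i in range(25)]
    # 25 group changes spread one per minute across three buckets: stays under the threshold
    + [audit("ga-carol@contoso.example", "GroupManagement", NOW - timedelta(minutes=i)) for i in range(25)]
    + [audit("ga-alice@contoso.example", "UserManagement", NOW - timedelta(minutes=1))]  # not a bulk category
)

if __name__ == "__main__":
    for upn, country, when in new_country_admin_signins(SIGNINS):
        print(f"Rule 1: {upn} from {country} at {when:%H:%M}")
    for (actor, bucket), n in bulk_operations(AUDITS).items():
        print(f"Rule 2: {actor} made {n} changes in bucket starting {bucket:%H:%M}")
```

The carol case is the one worth noticing: 25 changes at a steady pace never trip a clock-aligned 15-minute bin, so if slow-and-steady privilege changes matter to you, add a sliding-window variant or lower the threshold rather than assuming the KQL bin catches them.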
Verification Checklist
After completing configuration:
- All Entra ID sign-in and audit logs stream to SIEM in real-time
- Logs are reaching the SIEM: the query `SigninLogs | take 5` returns rows within 30 minutes of setup
- All log categories including risk logs (RiskyUsers, UserRiskEvents) are included
- Event Hub stream is active if using a third-party SIEM
- Log retention is set to at least 2 years (730 days) in Log Analytics workspace
- Archive storage or Log Analytics archive tier is configured for logs beyond 730 days
- Custom detection rules alert on suspicious patterns (at minimum: new admin sign-in location, bulk operations, off-hours activity)
- At least one custom detection rule has been tested and confirmed to produce an alert
- Security team receives notifications from detection rules
Alert Response Procedures
Responding to a Triggered Detection Rule
- Acknowledge - Review the Sentinel incident or alert within your agreed SLA
- Assess - Open the related sign-in or audit log entries to verify context
- Contain - If the account appears compromised, revoke sessions and disable the account
- Investigate - Use Advanced Hunting or Log Analytics KQL queries to map related activity
- Remediate - Reset credentials, review any configuration changes made during the suspicious window
- Document - Record actions in your incident management system
- Tune - Adjust detection rule thresholds if the trigger was a false positive
Troubleshooting
Issue: Logs Not Appearing in Log Analytics After 30 Minutes
Cause: Diagnostic settings may not be saved correctly, or there is a propagation delay.
Solution:
- Return to Entra ID Diagnostic Settings and confirm the setting shows as Enabled
- Verify the correct Log Analytics workspace subscription and name are selected
- Confirm that sign-in activity has occurred in the tenant (no activity means no logs)
- Wait up to 1 hour; initial propagation can take longer on first setup
Issue: Risk Log Categories (RiskyUsers, UserRiskEvents) Not Available in Diagnostic Settings
Cause: Entra ID P2 license not assigned or Identity Protection is not active in the tenant.
Solution:
- Verify Entra ID P2 licenses are assigned to users
- Navigate to Protection > Identity Protection and confirm it is accessible
- These categories only appear in Diagnostic Settings when P2 is active
Issue: Event Hub Stream Not Received by SIEM
Cause: Connection string, namespace, or consumer group misconfiguration.
Solution:
- Confirm the connection string in your SIEM was copied from a shared access policy that carries the Listen claim and names the correct hub; a policy scoped to the hub is preferable to the namespace-level `RootManageSharedAccessKey`
- Check that the SIEM uses a dedicated consumer group, not the shared `$Default` group
- Review SIEM connector logs for authentication errors
Issue: Detection Rule Returns No Results
Cause: Admin naming convention in the rule does not match your tenant, or no activity in the time range.
Solution:
- Run the query with a broader time range (`ago(7d)`) to look for any historical activity
- Adjust UPN filters to match your actual admin account naming convention
- Trigger a known admin action (such as a role assignment) and re-run the query within 5 minutes
Issue: Log Analytics Retention Cannot Be Set Beyond 730 Days
Cause: Log Analytics workspace is on a legacy tier or the archive feature is not enabled.
Solution:
- Set a total retention longer than the 730-day interactive retention on the relevant tables (Settings > Tables); Log Analytics long-term (archive) retention extends up to 12 years
- Alternatively, configure archival to an Azure Storage account via Diagnostic Settings for indefinite retention
Related Controls
- LOG-01: Enable Unified Audit Logging - Prerequisite; ensure the Unified Audit Log is active before streaming
- LOG-02: Export Logs to Long-Term Storage - Level 2 baseline export; LOG-03 builds on this
- LOG-04: Configure Privileged Operation Alerts - Alert on specific admin actions
- LOG-05: Admin Activity Anomaly Detection - Complement with SIEM-based admin anomaly rules