LOG-03: Stream All Security Events to SIEM in Real-Time

Overview

This guide walks you through streaming all Microsoft Entra ID sign-in and audit logs to a SIEM in real-time. At Level 3 (Maximum Security), every identity event must flow continuously to a central security stack where custom detection rules can correlate and alert within minutes of a suspicious pattern appearing.

Control ID: LOG-03
Category: Logging
Severity: Info
Minimum Level: 3 (Maximum Security)
License Required: Microsoft Entra ID P2

Why This Matters

Real-time log streaming enables immediate threat detection and correlation across your security stack. Level 3 organizations can detect and respond to attacks within minutes, not days.

Advisory: TrueConfig detects whether Entra ID Diagnostic Settings are configured and whether retention meets the 2-year minimum. Remediation is manual and requires configuration in the Entra admin center and your SIEM or Azure environment. There is no one-click fix.


Prerequisites

Required Roles

You need one of the following roles:

  • Security Administrator
  • Global Administrator

Additionally, for Azure resource configuration:

  • Contributor on the Azure subscription
  • Log Analytics Contributor for workspace configuration

Required Licenses

Feature                                                       License Required
Entra ID Diagnostic Settings (sign-in and audit log export)   Microsoft Entra ID P1 or P2
Identity Protection risk logs (RiskyUsers, UserRiskEvents)    Microsoft Entra ID P2
Microsoft Sentinel SIEM                                       Azure subscription

Note: Entra ID P2 is required for this Level 3 control because Identity Protection risk signals are part of the expected complete security event stream.

Pre-Configuration Requirements

  • Log Analytics workspace or Event Hub namespace provisioned in Azure
  • Microsoft Sentinel workspace deployed (recommended), or third-party SIEM connector configured
  • Entra ID Diagnostic Settings access confirmed
  • Retention target (minimum 2 years) agreed with compliance team
  • LOG-01 (Unified Audit Log) and LOG-02 (log export to storage) already active

Time Estimate

Task                                        Duration
Provision Event Hub (if needed)             15 minutes
Configure Entra ID Diagnostic Settings      20 minutes
Enable Sentinel Entra ID connector          15 minutes
Create custom detection rules               45-60 minutes
Verify log flow and test alerts             30 minutes
Total                                       2-2.5 hours

Step-by-Step Instructions

Step 1: Configure Entra ID Diagnostic Settings

All sign-in and audit log categories must stream out of Entra ID before any SIEM can consume them.

  1. Navigate to Microsoft Entra admin center
  2. Go to Identity > Monitoring and health > Diagnostic settings
  3. Click + Add diagnostic setting
  4. Name the setting: EntraID-RealTime-SIEM

Select All Log Categories

  1. Under Logs, enable every applicable category:

     Category                          Purpose
     AuditLogs                         Administrative and configuration changes
     SignInLogs                        Interactive user sign-ins
     NonInteractiveUserSignInLogs      App and service sign-ins
     ServicePrincipalSignInLogs        Application authentication
     ManagedIdentitySignInLogs         Managed identity authentication
     ProvisioningLogs                  User provisioning events
     RiskyUsers                        Users flagged as risky (requires P2)
     UserRiskEvents                    Risk detection events (requires P2)
     RiskyServicePrincipals            Risky service principals (requires P2)
     ServicePrincipalRiskEvents        Service principal risk events (requires P2)
     ADFSSignInLogs                    Federated sign-ins (if using AD FS)

Choose Destination

  1. Select one or both destinations:

    • Send to Log Analytics workspace (for Microsoft Sentinel or KQL-based alerting)
    • Stream to an event hub (for third-party SIEM such as Splunk or IBM QRadar)
  2. Click Save

Step 2: Connect to Microsoft Sentinel (Recommended)

Microsoft Sentinel is the recommended SIEM for Microsoft 365 tenants. It ingests directly from the Log Analytics workspace configured in Step 1.

  1. Navigate to Azure portal
  2. Open your Microsoft Sentinel workspace
  3. Go to Configuration > Data connectors
  4. Search for Microsoft Entra ID
  5. Click Open connector page
  6. Enable all available log types (sign-in logs, audit logs, identity protection)
  7. Click Apply changes

Verify that data is flowing. Wait 15-30 minutes after saving, then run this query in General > Logs:

SigninLogs
| take 5
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType

If rows appear, the stream is active.
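The `take 5` check only proves that interactive sign-ins are arriving. The query below is an added example, not part of the original guide, that goes further: it lists every Log Analytics table this control expects (the standard table names for the categories enabled in Step 1; ADFSSignInLogs is omitted because it only applies to AD FS tenants) and reports which ones have received no rows in the last 24 hours.

```kql
// Added verification query (not from the original guide): confirms every
// expected Entra ID category has landed in the workspace, not just SigninLogs.
let Expected = datatable(TableName:string) [
    "SigninLogs", "AuditLogs",
    "AADNonInteractiveUserSignInLogs", "AADServicePrincipalSignInLogs",
    "AADManagedIdentitySignInLogs", "AADProvisioningLogs",
    "AADRiskyUsers", "AADUserRiskEvents",
    "AADRiskyServicePrincipals", "AADServicePrincipalRiskEvents"
];
// isfuzzy=true keeps the query running even if a table has never been created
// in this workspace (which is itself a sign that the category is not streaming).
let Observed = union withsource=TableName isfuzzy=true
    SigninLogs, AuditLogs,
    AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs,
    AADManagedIdentitySignInLogs, AADProvisioningLogs,
    AADRiskyUsers, AADUserRiskEvents,
    AADRiskyServicePrincipals, AADServicePrincipalRiskEvents
| where TimeGenerated > ago(24h)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by TableName;
Expected
| join kind=leftouter Observed on TableName
| extend Status = iff(isnull(Rows), "MISSING", "OK")
// Risk tables only populate when Identity Protection raises a detection, so an
// empty AADRisky*/*RiskEvents table in a quiet tenant is not necessarily a fault.
| project TableName, Status, Rows, LastSeen
| order by Status asc, TableName asc
```

Any row marked MISSING for a sign-in, audit or provisioning table means that category is not being exported and Step 1 should be revisited.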

Step 3: Stream to an Event Hub (Third-Party SIEM)

If your organization uses Splunk, IBM QRadar, or another SIEM, stream logs via Azure Event Hub.

  1. Create an Event Hub namespace in the Azure portal:

    • Namespace name: entra-siem-stream
    • Pricing tier: Standard (or higher for large tenants)
    • Throughput units: Start at 1 and scale as needed
  2. Create an Event Hub within the namespace:

    • Name: entra-logs
    • Partition count: 4 (adjust for volume)
    • Message retention: 7 days (acts as a short buffer)
  3. Return to Entra ID Diagnostic Settings and add an additional destination:

    • Check Stream to an event hub
    • Select the namespace and hub created above
    • Click Save
  4. In your SIEM, configure the Event Hub connection using the namespace connection string. Consult your SIEM vendor's documentation for the specific connector.

    For Splunk: install the Splunk Add-on for Microsoft Cloud Services and configure an Azure Event Hub input.

    For IBM QRadar: use the Microsoft Azure DSM with an Event Hub data source.

Step 4: Configure Long-Term Retention (Minimum 2 Years)

Log retention of at least 2 years is required for this control.

Log Analytics Workspace Retention

  1. Navigate to your Log Analytics workspace in the Azure portal
  2. Go to Settings > Usage and estimated costs
  3. Click Data retention
  4. Set retention to 730 days (2 years minimum)
  5. Click OK

For compliance requirements beyond 730 days, use the Log Analytics archive tier or storage account archival (see below).

Archive via Storage Account

For cost-efficient long-term archival beyond the Log Analytics retention window:

  1. In Entra ID Diagnostic Settings, add an archive destination:
    • Check Archive to a storage account
    • Select or create a dedicated storage account
    • Set retention to 0 (indefinite) or your required period in days
  2. Configure a lifecycle management policy on the storage account to move blobs to cool or archive tier after 90 days to reduce storage costs

Step 5: Create Custom Detection Rules on Suspicious Patterns

Custom detection rules are a core expected outcome of this control. The three required patterns are new sign-in locations for admins, bulk operations, and off-hours admin activity.

Rule 1: Sign-In from New Country for an Admin Account

SigninLogs
| where TimeGenerated > ago(1h)
// ResultType is a string column in SigninLogs; "0" is a successful sign-in
| where ResultType == "0"
// Adjust the UPN filter to match your admin account naming convention
| where UserPrincipalName has_any ("admin", "ga-", "svc-admin")
// Location holds the two-letter country code of the sign-in
| summarize Countries = make_set(Location), SignInCount = count() by UserPrincipalName
// Fires when one admin account signed in from more than one country within the hour
| where array_length(Countries) > 1
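Rule 1 as written fires only when an admin signs in from two or more countries inside the same hour. The following query is an added example, not part of the original guide, that detects the case the rule title describes: a successful admin sign-in from a country that does not appear in that account's own 30-day history. The admin UPN filter is the guide's placeholder convention and should be adjusted the same way.

```kql
// Added example (not from the original guide): flags admin sign-ins from a
// country not seen for that account during the preceding 30-day baseline.
let lookback = 30d;   // baseline period used to learn each admin's usual countries
let window = 1h;      // detection window; match the rule's run frequency
let AdminSignIns = SigninLogs
    // ResultType is a string column; "0" means the sign-in succeeded
    | where ResultType == "0"
    // Adjust to your admin naming convention (or filter by a watchlist of admin UPNs)
    | where UserPrincipalName has_any ("admin", "ga-", "svc-admin")
    | where isnotempty(Location);
// One row per admin with the set of countries seen before the detection window
let Baseline = AdminSignIns
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | summarize KnownCountries = make_set(Location) by UserPrincipalName;
AdminSignIns
| where TimeGenerated > ago(window)
| join kind=leftouter Baseline on UserPrincipalName
// No baseline at all (new admin account) is also worth a look, so keep null rows
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Location))
| project TimeGenerated, UserPrincipalName, NewCountry = Location,
          IPAddress, AppDisplayName, KnownCountries
| order by TimeGenerated desc
```

Deploy it with the same 5-minute schedule as the other rules; the 30-day baseline means the first week after enabling log streaming will produce more alerts until history accumulates.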

Rule 2: Bulk Operations by a Single Admin in a 15-Minute Window

AuditLogs
| where TimeGenerated > ago(1h)
| where Category in ("RoleManagement", "Policy", "ApplicationManagement", "GroupManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
| summarize OperationCount = count() by Actor, bin(TimeGenerated, 15m)
| where OperationCount > 20

Rule 3: Off-Hours Admin Activity

AuditLogs
| where TimeGenerated > ago(24h)
| extend HourOfDay = hourofday(TimeGenerated)
// Adjust window for your timezone; this covers activity outside 07:00-20:00 UTC
| where HourOfDay < 7 or HourOfDay > 20
| where Category in ("RoleManagement", "Policy", "UserManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
| project TimeGenerated, HourOfDay, Actor, OperationName, Category

Rule 4: High-Risk Sign-In (Identity Protection)

SigninLogs
| where TimeGenerated > ago(1h)
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, IPAddress, Location
| order by TimeGenerated desc

Deploying Rules as Sentinel Analytics

  1. In your Sentinel workspace, go to Configuration > Analytics
  2. Click + Create > Scheduled query rule
  3. Paste the query, set run frequency (every 5 minutes for near-real-time coverage)
  4. Set severity (High for admin sign-in anomalies, Medium for bulk operations)
  5. Under Incident settings, enable incident creation
  6. Click Save and enable

Verification Checklist

After completing configuration:

  • All Entra ID sign-in and audit logs stream to SIEM in real-time
  • Logs are reaching the SIEM: query SigninLogs | take 5 returns rows within 30 minutes of setup
  • All log categories including risk logs (RiskyUsers, UserRiskEvents) are included
  • Event Hub stream is active if using a third-party SIEM
  • Log retention is set to at least 2 years (730 days) in Log Analytics workspace
  • Archive storage or Log Analytics archive tier is configured for logs beyond 730 days
  • Custom detection rules alert on suspicious patterns (at minimum: new admin sign-in location, bulk operations, off-hours activity)
  • At least one custom detection rule has been tested and confirmed to produce an alert
  • Security team receives notifications from detection rules

Alert Response Procedures

Responding to a Triggered Detection Rule

  1. Acknowledge - Review the Sentinel incident or alert within your agreed SLA
  2. Assess - Open the related sign-in or audit log entries to verify context
  3. Contain - If the account appears compromised, revoke sessions and disable the account
  4. Investigate - Use Advanced Hunting or Log Analytics KQL queries to map related activity
  5. Remediate - Reset credentials, review any configuration changes made during the suspicious window
  6. Document - Record actions in your incident management system
  7. Tune - Adjust detection rule thresholds if the trigger was a false positive

Troubleshooting

Issue: Logs Not Appearing in Log Analytics After 30 Minutes

Cause: Diagnostic settings may not be saved correctly, or there is a propagation delay.

Solution:

  1. Return to Entra ID Diagnostic Settings and confirm the setting shows as Enabled
  2. Verify the correct Log Analytics workspace subscription and name are selected
  3. Confirm that sign-in activity has occurred in the tenant (no activity means no logs)
  4. Wait up to 1 hour; initial propagation can take longer on first setup

Issue: Risk Log Categories (RiskyUsers, UserRiskEvents) Not Available in Diagnostic Settings

Cause: Entra ID P2 license not assigned or Identity Protection is not active in the tenant.

Solution:

  1. Verify Entra ID P2 licenses are assigned to users
  2. Navigate to Protection > Identity Protection and confirm it is accessible
  3. These categories only appear in Diagnostic Settings when P2 is active

Issue: Event Hub Stream Not Received by SIEM

Cause: Connection string, namespace, or consumer group misconfiguration.

Solution:

  1. Confirm the Event Hub connection string in your SIEM matches the namespace primary key
  2. Check that the SIEM uses a dedicated consumer group, not the shared $Default group
  3. Verify the shared access policy on the Event Hub includes the Listen permission
  4. Review SIEM connector logs for authentication errors

Issue: Detection Rule Returns No Results

Cause: Admin naming convention in the rule does not match your tenant, or no activity in the time range.

Solution:

  1. Run the query with a broader time range (ago(7d)) to look for any historical activity
  2. Adjust UPN filters to match your actual admin account naming convention
  3. Trigger a known admin action (such as a role assignment) and re-run the query within 5 minutes

Issue: Log Analytics Retention Cannot Be Set Beyond 730 Days

Cause: Log Analytics workspace is on a legacy tier or the archive feature is not enabled.

Solution:

  1. Enable the Log Analytics workspace archive tier for long-term retention up to 12 years
  2. Alternatively, configure archival to an Azure Storage account via Diagnostic Settings for indefinite retention

Related Controls

  • LOG-01: Enable Unified Audit Logging - Prerequisite; ensure the Unified Audit Log is active before streaming
  • LOG-02: Export Logs to Long-Term Storage - Level 2 baseline export; LOG-03 builds on this
  • LOG-04: Configure Privileged Operation Alerts - Alert on specific admin actions
  • LOG-05: Admin Activity Anomaly Detection - Complement with SIEM-based admin anomaly rules

Additional Resources