Azure AD - Audit Logs Test

Azure Active Directory provides Audit Logs, where changes/updates to the configuration of users, groups, and applications are logged. With the audit logs in Azure AD, administrators get access to records of system activities for compliance.

The success of such updates is key to maintaining the integrity of the resources (e.g., users, groups, applications, policies) managed by Azure AD. If attempts to make these changes frequently fail or time out, Azure AD will continue to hold outdated objects and information. For instance, if an important group policy update fails, it can open serious security holes in your Azure cloud organization. To avoid this, administrators should be instantly alerted whenever configuration changes or other critical activities performed on Azure AD fail. This is exactly what the Azure AD - Audit Logs test does!

This test auto-discovers the different categories of activities performed on Azure AD, using the messages logged in Azure AD audit logs. The test then scans each category of messages logged for failures, and reports the count and details of such failures. Using this information, administrators can promptly capture and effectively resolve failures that are encountered when making business-critical changes to the Azure organization.

Target of the Test: A Microsoft Azure Active Directory

Agent deploying the test: A remote agent

Output of the test: One set of results for each type/category of change activity performed on the Azure AD tenant being monitored. A set of results is also reported for a 'Summary' descriptor.

Configurable parameters for the test:

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API.

Client ID, Client Password, and Confirm Password

To connect to Azure AD, the eG agent needs an Application ID and a client secret value, which it exchanges for an access token. If a Microsoft Azure Subscription component is already monitored in your environment, you would already have created an Application for monitoring purposes; you can provide the Application ID and client secret value of that application here. If no such application exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud is routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server to collect metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which it listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then confirm the password by retyping it in the Confirm Password text box.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability.
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
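The Tenant ID, Client ID / Client Password and Proxy parameters above are the inputs of a standard OAuth 2.0 client-credentials exchange: the Application ID and secret are presented to the tenant's token endpoint, and the resulting bearer token is what is sent to Microsoft Graph. The following is an added illustration of that exchange and is not eG Enterprise code; the function names are hypothetical, while the token endpoint, the `https://graph.microsoft.com/.default` scope and the `urllib` proxy handling are Python's and Microsoft's documented behaviour.

```python
# Added illustration (not eG Enterprise code) of how the Tenant ID, Client ID /
# Client Password and Proxy Host / Proxy Port parameters feed an OAuth 2.0
# client-credentials token request. Function names are hypothetical.
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret,
                        proxy_host="none", proxy_port="none"):
    """Return (url, body, proxies) for the tenant's v2.0 token endpoint.

    The Application ID and client secret are never sent to Graph itself; they
    are exchanged at the tenant's token endpoint for a short-lived bearer token.
    A Proxy Host of 'none' (the documented default) means no proxy is used.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    proxies = {}
    if proxy_host and str(proxy_host).lower() != "none":
        proxies = {"https": f"http://{proxy_host}:{proxy_port}"}
    return url, urllib.parse.urlencode(form).encode("ascii"), proxies


def build_opener(proxies, proxy_user=None, proxy_password=None):
    """Build a urllib opener that honours the proxy and, if given, proxy credentials."""
    handlers = []
    if proxies:
        handlers.append(urllib.request.ProxyHandler(proxies))
        if proxy_user:
            auth = urllib.request.HTTPPasswordMgrWithDefaultRealm()
            auth.add_password(None, proxies["https"], proxy_user, proxy_password)
            handlers.append(urllib.request.ProxyBasicAuthHandler(auth))
    return urllib.request.build_opener(*handlers)


def parse_token_response(payload):
    """Validate the token endpoint's JSON and return (access_token, expires_in).

    Raises ValueError on an error document or a non-bearer response, so a wrong
    Client ID/secret fails loudly at configuration time rather than silently
    yielding no audit data.
    """
    data = json.loads(payload)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("token response did not contain a bearer access token")
    return data["access_token"], int(data.get("expires_in", 0))


def fetch_access_token(tenant_id, client_id, client_secret, proxy_host="none",
                       proxy_port="none", proxy_user=None, proxy_password=None,
                       timeout=30):
    """Perform the token request (a network call) and return the bearer token."""
    url, body, proxies = build_token_request(tenant_id, client_id, client_secret,
                                             proxy_host, proxy_port)
    opener = build_opener(proxies, proxy_user, proxy_password)
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener.open(req, timeout=timeout) as resp:
        token, _expires_in = parse_token_response(resp.read())
    return token
```

`fetch_access_token` is the only function that touches the network; the builders and the response parser can be exercised offline, which is a convenient way to confirm a tenant ID or proxy setting before the agent is pointed at a live tenant.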
Measures made by the test:

Audit successful activities

Description: Indicates the number of successful activities of this category performed on Azure AD.

For the Summary descriptor, this measure reports an aggregate of all successful activities, across categories.

Measurement Unit: Number

Interpretation: Use the detailed diagnosis of this measure to know which activity was performed, when, who initiated it, and which property was modified as a result.

Audit failure activities

Description: Indicates the number of activities of this category that failed.

For the Summary descriptor, this measure reports an aggregate of all failed activities, across categories.

Measurement Unit: Number

Interpretation: Ideally, the value of this measure should be 0. A non-zero value implies that an activity or update has failed. Using the detailed diagnosis of this measure, you can find out when the failure occurred, what activity or change was attempted, who attempted it, and the reason for the failure. This information greatly supports administrators' troubleshooting efforts.

Audit timeout activities

Description: Indicates the number of activities of this category that timed out.

For the Summary descriptor, this measure reports an aggregate of all activities that timed out, across categories.

Measurement Unit: Number

Interpretation: Use the detailed diagnosis of this measure to know which activity timed out, who initiated it, and which property was modified as a result.

Unknown activities

Description: Indicates the number of activities of this category that are logged as 'Unknown' in the Azure AD audit logs.

For the Summary descriptor, this measure reports an aggregate of all 'Unknown' activities, across categories.

Measurement Unit: Number

Interpretation: Ideally, the value of this measure should be 0. If this measure reports a non-zero value, use the detailed diagnosis of this measure to determine what the 'Unknown' activities are.

Other activities

Description: Indicates the number of 'other' activities, i.e., activities that cannot be classified as successful, failed, timed out, or unknown, logged in the audit logs for this category.

For the Summary descriptor, this measure reports an aggregate of 'other' activities, across categories.

Measurement Unit: Number

Interpretation: Use the detailed diagnosis of this measure to know what these activities are, when they were performed, and who initiated them.
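The categorisation described in the test overview (auto-discovered categories, one set of five counts per category plus a Summary aggregate) and the detailed-diagnosis fields listed under each measure (when, what, who, reason, modified property) can be reproduced from raw audit records. The following is an added example of that logic and is not eG Enterprise code. It assumes records shaped like the Microsoft Graph `directoryAudit` resource (`category`, `activityDateTime`, `activityDisplayName`, `result`, `resultReason`, `initiatedBy`, `targetResources`); mapping Graph's `result` values onto the page's five measures, in particular `unknownFutureValue` onto 'Unknown activities', is an assumption, and the sample records are constructed.

```python
# Added example (not eG Enterprise code): classify Azure AD audit records into
# the five measures per discovered category plus the 'Summary' descriptor, and
# keep the per-record details the detailed diagnosis exposes. Record shape
# follows the Microsoft Graph directoryAudit resource; result->measure mapping
# is an assumption; SAMPLE_AUDITS are constructed, not real tenant data.
from collections import defaultdict

RESULT_TO_MEASURE = {
    "success": "Audit successful activities",
    "failure": "Audit failure activities",
    "timeout": "Audit timeout activities",
    "unknownFutureValue": "Unknown activities",   # assumed to feed 'Unknown'
}
OTHER = "Other activities"                        # anything not matched above
MEASURES = list(RESULT_TO_MEASURE.values()) + [OTHER]
SUMMARY = "Summary"                               # aggregate across categories

SAMPLE_AUDITS = [  # constructed
    {"category": "UserManagement", "activityDateTime": "2024-03-01T09:00:00Z",
     "activityDisplayName": "Update user", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "jdoe@example.com", "type": "User",
                          "modifiedProperties": [{"displayName": "Department",
                                                  "oldValue": '"Sales"',
                                                  "newValue": '"Finance"'}]}]},
    {"category": "GroupManagement", "activityDateTime": "2024-03-01T09:05:00Z",
     "activityDisplayName": "Add member to group", "result": "failure",
     "resultReason": "Insufficient privileges to complete the operation.",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "Finance-Admins", "type": "Group",
                          "modifiedProperties": []}]},
    {"category": "GroupManagement", "activityDateTime": "2024-03-01T09:06:00Z",
     "activityDisplayName": "Update group", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Finance-Admins", "type": "Group",
                          "modifiedProperties": [{"displayName": "Description",
                                                  "oldValue": '""',
                                                  "newValue": '"Finance admins"'}]}]},
    {"category": "ApplicationManagement", "activityDateTime": "2024-03-01T09:10:00Z",
     "activityDisplayName": "Update application", "result": "timeout", "resultReason": "",
     "initiatedBy": {"app": {"displayName": "Provisioning Connector"}},
     "targetResources": [{"displayName": "HR Portal", "type": "Application",
                          "modifiedProperties": []}]},
    {"category": "Policy", "activityDateTime": "2024-03-01T09:12:00Z",
     "activityDisplayName": "Update policy", "result": "unknownFutureValue",
     "resultReason": "", "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Default Policy", "type": "Policy",
                          "modifiedProperties": []}]},
    {"category": "UserManagement", "activityDateTime": "2024-03-01T09:15:00Z",
     "activityDisplayName": "Delete user", "result": "", "resultReason": "",
     "initiatedBy": {}, "targetResources": []},
]


def measure_for(record):
    """Pick the measure a record counts under; unrecognised results go to 'Other'."""
    return RESULT_TO_MEASURE.get(record.get("result"), OTHER)


def initiator_of(record):
    """Who initiated the activity: a user's UPN, an app's display name, or 'unknown'."""
    by = record.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName") or by["user"].get("id") or "unknown user"
    if by.get("app"):
        return by["app"].get("displayName") or by["app"].get("appId") or "unknown app"
    return "unknown"


def modified_properties(record):
    """Flatten target/property changes into 'target: property old -> new' strings."""
    changes = []
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            changes.append(f"{target.get('displayName')}: {prop.get('displayName')} "
                           f"{prop.get('oldValue')} -> {prop.get('newValue')}")
    return changes


def summarise(records):
    """Return (counts, details): counts[descriptor][measure] with one descriptor per
    discovered category plus 'Summary'; details[(category, measure)] lists the
    when/what/who/reason/changes the detailed diagnosis would show."""
    counts = {SUMMARY: {m: 0 for m in MEASURES}}
    details = defaultdict(list)
    for rec in records:
        category = rec.get("category") or "Uncategorised"
        measure = measure_for(rec)
        counts.setdefault(category, {m: 0 for m in MEASURES})
        counts[category][measure] += 1
        counts[SUMMARY][measure] += 1
        details[(category, measure)].append({
            "when": rec.get("activityDateTime"),
            "activity": rec.get("activityDisplayName"),
            "initiatedBy": initiator_of(rec),
            "reason": rec.get("resultReason") or "",
            "changes": modified_properties(rec),
        })
    return counts, dict(details)


def categories_needing_attention(counts):
    """Categories where a measure the page says should ideally be 0 is non-zero."""
    return sorted(d for d, m in counts.items() if d != SUMMARY
                  and (m["Audit failure activities"] or m["Unknown activities"]))
```

Running `summarise(SAMPLE_AUDITS)` yields one counts row per category (UserManagement, GroupManagement, ApplicationManagement, Policy) plus the Summary row, and `categories_needing_attention` returns the categories whose failure or 'Unknown' counts are non-zero, which is the condition the page says administrators should be alerted on; the `details` entry for a failed activity carries the initiator and `resultReason` that the interpretation text asks for.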