Azure AD (Entra ID) Audit Logs
Location
Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)Description
Directory change logs recording modifications to users, groups, roles, applications, policies, and service principals including the initiating actor, target resource, and changed properties.
Forensic Value
Audit logs expose persistence mechanisms in the identity plane. Key events include new service principal credential additions (indicating OAuth app backdoors), role assignment changes (privilege escalation to Global Admin), conditional access policy modifications (weakening security controls), and new federated domain additions (Golden SAML preparation). Comparing initiatedBy actors against known admin accounts identifies unauthorized changes.
Tools Required
Collection Commands
Graph API
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge 2024-01-01T00:00:00Z&$top=999
PowerShell
Get-AzureADAuditDirectoryLogs -Filter "activityDateTime ge 2024-01-01" -Top 1000 | Export-Csv audit_logs.csv -NoTypeInformation
az CLI
az rest --method GET --url "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDateTime ge 2024-01-01" --output json > directory_audits.json
MITRE ATT&CK Techniques
Used in Procedures
Credential and Account Lockdown
contain
Log Preservation and Snapshot
preserve
Azure AD Sign-In and Audit Log Collection
collect
Detect OAuth and Consent Phishing Abuse
analyze
Revoke Cloud Sessions and Tokens
contain
Comprehensive Persistence Mechanism Sweep
eradicate
Cloud Tenant Configuration Snapshot
preserve
Phishing Remediation: Purge, Reset, Revoke
eradicate
Review Cloud Hardening Gaps After Identity Compromise
post-incident
Related Blockers
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.