Following my last post about Azure AD Smart Lockout, have you ever wondered how to monitor those events? Of course, we can do it with Log Analytics.
HOW TO MONITOR SMART LOCKOUT?
Integrating the monitoring and alerting of Smart Lockout is very simple; this post explains how to do it:
- In the Azure Portal, select Azure Active Directory > Diagnostic settings > Add diagnostic setting. Alternatively, select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.
- In the Diagnostic settings menu, select the Send to Log Analytics workspace check box, and then select Configure.
- Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
- Select one or both of the following:
  - To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
  - To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.
- Select Save to save the setting.
Now all we need to do is wait; after roughly 5-10 minutes, data will start to arrive in the workspace.
The logs we are looking for are in the AuditLogs and SigninLogs tables in the workspace. In the workspace, enter the following query:
SigninLogs
| limit 50
and click on Run to list the last 50 sign-ins. Since we are interested in the actual Smart Lockouts (ResultType 50053), we need to add a filter to our query, and we probably want to limit it to the last seven days only:
SigninLogs
| where CreatedDateTime >= ago(7d)
| where ResultType == "50053"
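As an added example that is not part of the original post, the query below extends the same 50053 filter into a per-user summary that is easier to triage and can also serve as the query behind the alert rule described next. It assumes the standard SigninLogs columns TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName and ResultDescription; the threshold of three lockouts is an assumed value to tune for your tenant.

```kusto
// Added example (not from the original post): summarise Smart Lockout events
// per account so repeated lockouts, which often indicate password spraying or
// brute forcing against that account, stand out. The 3-lockout threshold is an
// assumed value; tune it for your tenant.
let lookback  = 7d;
let threshold = 3;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType == "50053"                   // Smart Lockout: account temporarily locked
| summarize
    LockoutCount = count(),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    SourceIPs    = make_set(IPAddress, 10),      // up to 10 distinct source IPs
    Apps         = make_set(AppDisplayName, 10), // which apps the attempts targeted
    Reason       = take_any(ResultDescription)   // human-readable description of 50053
    by UserPrincipalName
| where LockoutCount >= threshold                // only accounts locked out repeatedly
| extend DistinctIPs = array_length(SourceIPs)  // many IPs on one account is a stronger signal
| order by LockoutCount desc
```

When this is used as the alert rule query, shorten the lookback to match the rule's evaluation window and let the rule fire on the number of returned rows.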
And because we like to get notified, we can also set an Alert Rule on this type of query. Click on New Alert Rule, which brings you to the next blade.
Then we need to reuse an Action Group or create a new one; this is what notifies us when the signal occurs. Be aware that, depending on the frequency of the alert, we will be charged in €€€.
Another thing to keep in mind is that there will be a lag between the event and the alert; it is not immediate.
That's all, have fun!