Azure EventHub (event source) only picking up User Changes and some limited Administration

I am having an issue where we set up an EventHub to pass information to InsightIDR but are getting a limited set of data, meaning I only see things like ADSync and some user changes like user added to groups and users' password changes. Nothing is showing like an application sign on or anything related to Defender. I feel like we’ve got to do more than just what the instructions state. What am I missing?

Are you following the steps in this article?

https://docs.rapid7.com/insightidr/microsoft-azure

Because we get all of our Azure logs…

Hi. We have followed the document, but not the web logs from Azure… any suggestions?

Hey Arthur,

Can you elaborate on what you mean by web logs?

Are you referring to Sign in Logs? If so, as part of the Diagnostic Setting in Entra you have to ensure you select all of the applicable checkboxes when configuring the Diagnostic setting.

This piece

If not Sign in logs, please let me know.

David
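
One way to check which log categories an Entra diagnostic setting actually forwards, added here as an example and not taken from the thread or from Rapid7's documentation. It reads an exported diagnostic setting in JSON form; the sample setting, its name, and the list of wanted categories are constructed assumptions, so adjust the list to the checkboxes you expect to be ticked.

```python
import json

# Constructed sample of an exported Entra diagnostic setting (names are
# placeholders). It mirrors the symptom in the thread: audit events arrive,
# sign-in events do not.
SAMPLE_SETTING = json.loads("""
{
  "name": "example-to-eventhub",
  "properties": {
    "eventHubAuthorizationRuleId": "<authorization-rule-resource-id>",
    "eventHubName": "<event-hub-name>",
    "logs": [
      {"category": "AuditLogs", "enabled": true},
      {"category": "SignInLogs", "enabled": false},
      {"category": "ProvisioningLogs", "enabled": true}
    ]
  }
}
""")

# Assumption: the categories you want forwarded. Edit to match your needs.
WANTED = (
    "AuditLogs",
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs",
)

def audit_setting(setting, wanted=WANTED):
    """Report which wanted categories are enabled and which are missing."""
    props = setting.get("properties", {})
    # A category counts only if it is listed AND explicitly enabled.
    enabled = {e.get("category") for e in props.get("logs", []) if e.get("enabled")}
    return {
        "name": setting.get("name"),
        "to_event_hub": bool(props.get("eventHubAuthorizationRuleId")),
        "enabled": sorted(enabled & set(wanted)),
        "missing": [c for c in wanted if c not in enabled],
    }

if __name__ == "__main__":
    report = audit_setting(SAMPLE_SETTING)
    print(f"{report['name']}: event hub target = {report['to_event_hub']}")
    print("enabled:", ", ".join(report["enabled"]) or "(none)")
    print("missing:", ", ".join(report["missing"]) or "(none)")
```
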