How-To: Export your RADIUS Logs to Azure Log Analytics and Azure Sentinel

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. On this page we will show you how to connect your RADIUS logs to Azure Log Analytics and Azure Sentinel.

Prerequisites

How to Export your RADIUS Logs to Azure Sentinel and Log Analytics

  1. Go to your EZRADIUS portal.
  2. Click on Settings.
  3. Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
  4. Select Sentinel as the SIEM Provider.
  5. In another tab, go to the Azure Portal.
  6. Select the Log Analytics workspace connected to your Sentinel instance.
  7. Click on “Agents Management”.
  8. Copy your Workspace ID.
  9. Go back to the EZRADIUS tab and paste it in the “Workspace ID” field.
  10. Go back to the Azure tab and copy the primary key.
  11. Go back to the EZRADIUS tab and paste the key in the “Workspace Key” field.
  12. Click the “Test Connection” button. This will create a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
  13. If the connection test is successful, click “Save changes” at the top of the subscription.
  14. EZRADIUS will now send your security logs to your SIEM. If an error occurs it will email your subscription PKI administrators. Now you should check out how to create a dashboard for your RADIUS service.
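
What the Workspace ID and Workspace Key from steps 8 to 11 are used for, as an added example that is not EZRADIUS code: it assumes the logs are written through the Azure Monitor HTTP Data Collector API, whose naming rules would produce the `EZRadiusAdministrator_CL` table and `Action_s` column used in the Sentinel query on this page. The function names are hypothetical, the workspace ID and key are constructed placeholders, and the `EZRadiusAdministrator` log type and `Action` field are taken from the page's sample queries.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"

def authorization(workspace_id, workspace_key, date, content_length):
    """SharedKey header: HMAC-SHA256 over method, length, type, date and path."""
    to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n{RESOURCE}"
    key = base64.b64decode(workspace_key)  # the portal shows the key base64-encoded
    mac = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def build_request(workspace_id, workspace_key, log_type, records, now=None):
    """Return (url, headers, body) for one batch of records; nothing is sent."""
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": date,
        "Authorization": authorization(workspace_id, workspace_key, date, len(body)),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def workspace_names(log_type, record):
    """Names as stored: the table gets _CL, each field gets a type suffix.
    Simplified: date- and GUID-shaped strings (_t, _g) are not handled."""
    def suffix(value):
        if isinstance(value, bool):
            return "_b"
        if isinstance(value, (int, float)):
            return "_d"
        return "_s"
    return f"{log_type}_CL", {k + suffix(v): v for k, v in record.items()}

if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    wid = "00000000-0000-0000-0000-000000000000"
    key = base64.b64encode(b"constructed-example-key").decode()
    url, headers, _ = build_request(wid, key, "EZRadiusAdministrator", [{"Action": "NotAuthorized"}])
    print(url, headers["Authorization"], sep="\n")
    print(workspace_names("EZRadiusAdministrator", {"Action": "NotAuthorized"}))
```

The signed string covers the body length rather than the body itself, so the contents of a request are protected by TLS, not by the signature. Anyone holding the workspace key can produce a valid `Authorization` header, so store it as a secret.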

How To Create Alerts in Azure Sentinel to Monitor Your Cloud RADIUS Activity

Using a SIEM enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high-criticality event and closely monitoring medium and low events. Below are sample queries for the Administrator events.

Azure Sentinel:

    EZRadiusAdministrator_CL | where Action_s == "NotAuthorized"

CrowdStrike Falcon LogScale:

    LogType = "EZRadiusAdministrator" and Action = "NotAuthorized"