This is only needed if your organization does not have Entra ID Protect Plan 1 or higher. If you have Entra IDP P1 or higher Wirespeed’s default Microsoft integration will ingest sign-in logs.

Wirespeed uses Entra ID’s data export settings to forward all sign in logs to a customer-owned storage blob, which is synced every minute. A 5-10 minute delay between a sign in occurring and Microsoft publishing it to the storage account is common.

Integration Instructions

1. Create Storage Account

  1. Log into https://portal.azure.com
  2. Search for Storage Accounts
  3. Click create and provide the following options:
    1. Subscription: Choose a subscription for the storage account
    2. Resource Group: Any resource group can be selected
    3. Storage account name: Provide a name for the storage blob
    4. Region: Any region, US - West preferred
    5. Primary Service: Azure Blob Storage
    6. Performance: Standard
    7. Redundancy: Locally-redundant storage
    8. Logs are short-lived in these storage blobs, however you may choose Geo-redundant storage if you would like
  4. Review + Create > Create

2. Create Lifecycle Policy

We want to automatically expire logs after a certain period so that you aren’t paying for them after they’ve been ingested by Wirespeed. Wirespeed syncs logs every minute, but it’s common to set retention between 1-7 days. Wirespeed does not delete logs in your storage accounts after ingestion, which is why a lifecycle policy is used.

  1. Navigate to the Storage account that was created
  2. Select Data Management > Lifecycle management
  3. Click add a rule and provide the following options:
    1. Rule name: Provide a name for the rule
    2. Rule scope: Apply rule to all blobs in your storage account
    3. Blob type: Append blobs
    4. Blob subtype: Base blobs
  4. Click next
  5. If Base blobs were Last modified more than N days ago then Delete the blob
    1. Any value where N>=1 day is acceptable

3. Forward Logs

  1. Search for Sign-in Logs in the Azure Portal
  2. Provide a Diagnostic setting name
  3. Select Export Data Settings
    1. Select Add a diagnostic setting
    2. Logs > Categories > SignInLogs
    3. Destination details > Archive to a storage account
    4. Select storage account from Step 1
  4. Click Save

4. Integrate with Wirespeed

  1. Navigate to the storage account from Step 1
  2. Select Security + networking > Access keys
  3. Copy the connection string for key1
  4. Login to https://app.wirespeed.co
  5. Integrations > Add Integration > Microsoft Entra Sign-in Logs
  6. Provide your storage account name and connection string

After integrating, it’s normal to see warnings in our integration logs saying “Failed to list blobs from container”. Microsoft does not publish logs immediately, so this warning will be present until logs are published.

Cost

TL;DR: You can expect to pay <$5/mo

There is a minimal cost associated with this integration due to it being hosted in your account and not ours. You can calculate your costs using the below information.

In the below calculations, we assume the average size of a sign-in event which is 5kb.

API Read Operations

We call the List and Create Container endpoint every minute, this endpoint has an associated cost of $0.05 per 10k requests (source). For the duration of a month, this totals** ~45k** API requests, totaling $.225/mo.

API Write Operations

This cost is dependent on Microsoft and how often they write to your storage account. If we assume they write once a minute at $0.0228 per 10k write requests (source), for ~45k monthly requests, we get a total of $.1026/mo.

Data Storage

With a lifecycle policy of 1 day and 1 million monthly sign-in events, 33k daily sign-in events would be stored at any given time. 33k events * 5KB/event = 165,000KB = .165GB stored at any given time. With a storage rate of $0.15/GB (source) this would total** $.02475/mo**.

Data Egress

Azure charges for data leaving their network. While downloading from the account itself is free, you are charged for network egress at a rate of $.08/GB (source). Sign-in events are ~5kb per event, which totals** ~200k** sign-in events per GB. For an organization with 1 million monthly sign-in events, you can expect to pay $.40/mo.

If you observe otherwise in your environment please contact support.