Tutorial: Stream Azure Active Directory logs to an Azure event hub

In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.

Prerequisites

To use this feature, you need:

  • An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
  • An Azure AD tenant.
  • A user who's a global administrator or security administrator for the Azure AD tenant.
  • An Event Hubs namespace and an event hub in your Azure subscription. Learn how to create an event hub.

Stream logs to an event hub

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Audit logs.

  3. Select Export Data Settings.

  4. In the Diagnostics settings pane, do either of the following:

    • To change existing settings, select Edit setting.
    • To add new settings, select Add diagnostics setting.
      You can have up to three settings.
  5. Select the Stream to an event hub check box, and then select Event Hub/Configure.

    Export settings

    1. Select the Azure subscription and Event Hubs namespace that you want to route the logs to.
      The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name insights-logs-audit.

    2. Select any combination of the following items:

      • To send audit logs to the event hub, select the AuditLogs check box.
      • To send interactive user sign-in logs to the event hub, select the SignInLogs check box.
      • To send non-interactive user sign-in logs to the event hub, select the NonInteractiveUserSignInLogs check box.
      • To send service principal sign-in logs to the event hub, select the ServicePrincipalSignInLogs check box.
      • To send managed identity sign-in logs to the event hub, select the ManagedIdentitySignInLogs check box.
      • To send provisioning logs to the event hub, select the ProvisioningLogs check box.
      • To send sign-ins sent to Azure AD by an AD FS Connect Health agent, select the ADFSSignInLogs check box.
      • To send risky user information, select the RiskyUsers check box.
      • To send user risk events information, select the UserRiskEvents check box.

      Note

      Some sign-in categories contain large amounts of log data depending on your tenant's configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins. Check the ingestion pricing and throughput limits of your event hub and SIEM before enabling these categories.

    3. Select Save to save the setting.

  6. After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the incoming messages count is greater than zero.

    Audit logs

Access data from your event hub

After data is displayed in the event hub, you can access and read the data in two ways:

  • Configure a supported SIEM tool. To read data from the event hub, most tools require the event hub connection string and certain permissions to your Azure subscription. Give the SIEM a connection string for a shared access policy that has only the Listen right on that event hub, rather than the namespace-level RootManageSharedAccessKey, so a compromised SIEM credential cannot write to or reconfigure the hub. Third-party tools with Azure Monitor integration include, but aren't limited to:

    • ArcSight: For more information about integrating Azure AD logs with ArcSight, see Integrate Azure Active Directory logs with ArcSight using Azure Monitor.

    • Splunk: For more information about integrating Azure AD logs with Splunk, see Integrate Azure AD logs with Splunk by using Azure Monitor.

    • IBM QRadar: The DSM and Azure Event Hub Protocol are available for download at IBM support. For more information about integration with Azure, go to the IBM QRadar Security Intelligence Platform 7.3.0 site.

    • Sumo Logic: To set up Sumo Logic to consume data from an event hub, see Install the Azure AD app and view the dashboards.

  • Set up custom tooling. If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up custom tooling by using the Event Hubs API. To learn more, see Getting started receiving messages from an event hub.
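The following is an added example of the custom-tooling path, not code from the original tutorial or from Microsoft. It also illustrates the volume note above by counting and dropping the noisy sign-in categories before forwarding. It assumes, as Azure Monitor's diagnostic-log envelope is documented elsewhere, that each event hub message body is a JSON object of the form {"records": [...]} and that each record carries "category", "time", "operationName", "resultType", "callerIpAddress" and a category-specific "properties" object. SAMPLE_MESSAGE is constructed for this example (the accounts, IP addresses and times are not real data), and the azure-eventhub package is needed only by receive_live().

```python
"""Custom consumer for Azure AD logs that Azure Monitor streams to an event hub.

Added example, not code from the original tutorial. Assumes the Azure Monitor
{"records": [...]} envelope; SAMPLE_MESSAGE below is constructed test data.
"""
import json
from collections import Counter, defaultdict

# Categories this pipeline forwards. NonInteractiveUserSignInLogs and
# ManagedIdentitySignInLogs are usually the noisiest, so they are counted
# and dropped here instead of being sent on to the SIEM.
WANTED_CATEGORIES = {"AuditLogs", "SignInLogs", "ServicePrincipalSignInLogs",
                     "RiskyUsers", "UserRiskEvents"}


def _signin(time, upn, ip, code, reason=None, category="SignInLogs"):
    """Build a constructed sign-in record in the Azure Monitor record shape."""
    status = {"errorCode": code}
    if reason:
        status["failureReason"] = reason
    return {"time": time, "category": category, "operationName": "Sign-in activity",
            "resultType": str(code), "callerIpAddress": ip,
            "properties": {"userPrincipalName": upn, "appDisplayName": "Azure Portal",
                           "status": status}}


# Constructed sample: one success, three failures from one IP against three
# different users, one non-interactive sign-in, and one audit record.
SAMPLE_MESSAGE = json.dumps({"records": [
    _signin("2023-05-01T10:00:00Z", "alice@contoso.example", "203.0.113.10", 0),
    _signin("2023-05-01T10:00:05Z", "bob@contoso.example", "198.51.100.7", 50126,
            "Invalid username or password"),
    _signin("2023-05-01T10:00:06Z", "carol@contoso.example", "198.51.100.7", 50126,
            "Invalid username or password"),
    _signin("2023-05-01T10:00:07Z", "dave@contoso.example", "198.51.100.7", 50126,
            "Invalid username or password"),
    _signin("2023-05-01T10:00:09Z", "svc-backup@contoso.example", "203.0.113.10", 0,
            category="NonInteractiveUserSignInLogs"),
    {"time": "2023-05-01T10:01:00Z", "category": "AuditLogs",
     "operationName": "Add member to role", "resultType": "Success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}},
]})


def parse_message(body: str) -> list[dict]:
    """Unwrap one event hub message into its list of log records.

    Raises ValueError for a body that is not an Azure Monitor envelope, so a
    stray message on a shared hub is not silently treated as zero records.
    """
    doc = json.loads(body)
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body is not an Azure Monitor {'records': [...]} envelope")
    return records


def split_by_category(records: list[dict]) -> dict[str, list[dict]]:
    """Group records by their Azure AD log category (AuditLogs, SignInLogs, ...)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec.get("category", "Unknown")].append(rec)
    return dict(grouped)


def password_spray_candidates(records: list[dict], threshold: int = 3) -> dict[str, set[str]]:
    """Source IPs whose failed interactive sign-ins hit >= threshold distinct users.

    Interactive sign-in records use resultType "0" for success and the Azure AD
    error code (for example "50126") otherwise; other categories are ignored.
    """
    failures = defaultdict(set)
    for rec in records:
        if rec.get("category") != "SignInLogs" or rec.get("resultType") == "0":
            continue
        upn = rec.get("properties", {}).get("userPrincipalName")
        ip = rec.get("callerIpAddress")
        if upn and ip:
            failures[ip].add(upn)
    return {ip: users for ip, users in failures.items() if len(users) >= threshold}


def process_message(body: str) -> dict:
    """Parse one message, keep wanted categories, and report volume and alerts."""
    records = parse_message(body)
    by_cat = split_by_category(records)
    kept = [r for r in records if r.get("category") in WANTED_CATEGORIES]
    return {
        "counts": Counter(r.get("category") for r in records),
        "kept": kept,
        "dropped_categories": sorted(set(by_cat) - WANTED_CATEGORIES),
        "spray_alerts": password_spray_candidates(records),
    }


def receive_live(connection_string: str, eventhub_name: str, consumer_group: str = "$Default"):
    """Read live messages with the Event Hubs SDK and run process_message on each."""
    from azure.eventhub import EventHubConsumerClient  # imported here so the rest runs offline

    def on_event(partition_context, event):
        if event is None:
            return
        result = process_message(event.body_as_str())
        for ip, users in result["spray_alerts"].items():
            print(f"possible password spray from {ip}: {sorted(users)}")
        partition_context.update_checkpoint(event)

    client = EventHubConsumerClient.from_connection_string(
        connection_string, consumer_group, eventhub_name=eventhub_name)
    with client:
        client.receive(on_event=on_event, starting_position="-1")  # "-1" reads from the start


if __name__ == "__main__":
    summary = {k: v for k, v in process_message(SAMPLE_MESSAGE).items() if k != "kept"}
    print(json.dumps(summary, default=list, indent=2))
```

Run the module directly to see the category counts, the dropped categories and the spray alert for the constructed sample; call receive_live() with a Listen-only connection string and the hub name (insights-logs-audit if you accepted the default) to process real traffic. The threshold and the dropped-category list are deliberately simple; a production pipeline would window the failures by time and checkpoint to durable storage.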

Next steps

  • Create diagnostic settings to send platform logs and metrics to different destinations
  • Integrate Azure Active Directory logs with ArcSight using Azure Monitor
  • Integrate Azure AD logs with Splunk by using Azure Monitor
  • Integrate Azure AD logs with SumoLogic by using Azure Monitor
  • Integrate Azure AD logs with Elastic using an event hub
  • Interpret audit logs schema in Azure Monitor
  • Interpret sign-in logs schema in Azure Monitor