You can directly stream Azure AD logs to an Azure event hub. You do not need to write any automation for moving the data to the Azure event hub.
You can configure streaming of audit logs (which include changes made to any Azure AD resources like users, groups, apps, roles or policies) using the Azure portal. You need to follow the steps below:
- Sign in to Azure and go to the "Audit Logs" blade (Azure Active Directory > Monitoring > Audit logs).
- Select Export Data Settings.
- Select Add diagnostics setting from the Diagnostics settings pane.
- Select "Stream to an event hub" and provide the required details of the Event Hub.
You can then use this event hub data with supported SIEM tools if required. Please refer to Tutorial: Stream Azure Active Directory logs to an Azure event hub for detailed information.
(Please don't forget to accept helpful replies as answer)
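As an added example that is not part of the answer above: once the diagnostic setting is streaming, each event hub message body is a JSON object with a "records" array, and a SIEM (or your own consumer) has to flatten those records. The field names below follow the Azure AD AuditLogs export schema as this example assumes it, and the sample message is constructed.

```python
import json

# Constructed sample of what a diagnostic setting writes to an event hub: each
# message body is a JSON object with a "records" array. Field names follow the
# Azure AD AuditLogs export schema as this example assumes it; values are made up.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2023-01-15T10:12:34Z", "category": "AuditLogs",
     "operationName": "Add member to role", "resultType": "success",
     "properties": {
         "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
         "targetResources": [
             {"type": "User", "userPrincipalName": "alice@contoso.example"},
             {"type": "Role", "displayName": "Global Administrator"}]}},
    {"time": "2023-01-15T10:13:00Z", "category": "AuditLogs",
     "operationName": "Update user", "resultType": "success",
     "properties": {
         "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
         "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]}},
    {"time": "2023-01-15T10:14:00Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "0", "properties": {}},
]})


def parse_audit_records(message_body: str) -> list[dict]:
    """Flatten the AuditLogs records of one event-hub message into SIEM-friendly rows.
    Other categories sharing the hub (e.g. SignInLogs) are skipped; missing keys are tolerated."""
    rows = []
    for rec in json.loads(message_body).get("records", []):
        if rec.get("category") != "AuditLogs":
            continue
        props = rec.get("properties", {})
        by = props.get("initiatedBy", {})
        # The actor is either a user (UPN) or an application (display name).
        actor = (by.get("user") or {}).get("userPrincipalName") \
            or (by.get("app") or {}).get("displayName") or "unknown"
        targets = props.get("targetResources", [])
        rows.append({"time": rec.get("time"), "activity": rec.get("operationName"),
                     "result": rec.get("resultType"), "actor": actor,
                     "target_types": [t.get("type") for t in targets],
                     "targets": [t.get("userPrincipalName") or t.get("displayName") or "?"
                                 for t in targets]})
    return rows


def role_membership_changes(rows: list[dict]) -> list[dict]:
    """Select audit rows that touch a directory role: the changes most worth alerting on."""
    return [r for r in rows if "Role" in r["target_types"]]
```

In a real consumer the message body comes from the Event Hubs SDK instead of SAMPLE_MESSAGE; the parsing is the same.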