Connect data from Azure Active Directory

Azure Sentinel enables you to collect data from Azure Active Directory and stream it into Azure Sentinel. You can choose to stream sign-in logs and audit logs .

Prerequisites

  • If you want to export sign-in data from Active Directory, you must have an Azure AD P1 or P2 license.

  • User with global admin or security admin permissions on the tenant you want to stream the logs from.

  • To be able to see the connection status, you must have permission to access Azure AD diagnostic logs.

Connect to Azure AD

  1. In Azure Sentinel, select Data connectors and then click the Azure Active Directory tile.

  2. Next to the logs you want to stream into Azure Sentinel, click Connect.

  3. You can select whether you want the alerts from Azure AD to automatically generate incidents in Azure Sentinel automatically. Under Create incidents select Enable to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under Analytics and then Active rules.

  4. To use the relevant schema in Log Analytics for the Azure AD alerts, search for SigninLogs and AuditLogs.

Next steps

In this document, you learned how to connect Azure AD to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: