question

BenPeters-1518 avatar image
0 Votes"
BenPeters-1518 asked SaurabhSharma-msft commented

Script configuration of audit logs for AAD to an event hub

I am trying to write a script we can use company wide, across all our Azure accounts, to properly configure all the audit logging for centralized monitoring. I am struggling, however, to figure out how to script configuring Active Directory audit logs to go into an event hub.

I have been able to script this for logs related to a subscription and all associated resources, and I know how to do the AD portion via the portal, but I cannot find any way using Azure CLI or powershell to do this for AD logs.

Specifically, I want to be able to script configuration so that things like user and group creation, are also forwarded to an event hub.

azure-active-directory
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

SaurabhSharma-msft avatar image
0 Votes"
SaurabhSharma-msft answered

You can directly stream Azure AD logs to an Azure event hub. You do not require to write any automation for moving the data to Azure event hub.
You can configure streaming of audit logs (which includes changes made to any Azure AD resources like Users, groups, apps, roles or policies) using Azure portal. You need to follow the below steps -

  1. Sign in to Azure and go to "Audit Logs" blade (Azure Active Directory > Monitoring > Audit logs)

  2. Select Export Data Settings .
    9045-audit-logs-export-data-settings.png


  3. Select Add diagnostics setting from Diagnostics settings pane
    9112-audit-logs-diagnostic-settings.png

  4. Select "Stream to an event hub" and provide required details of Event Hub
    8999-diagnostics-settings-stream-to-event-hub.png


You can then use this event hub data using supported SIEM tools if require. Please refer to Tutorial: Stream Azure Active Directory logs to an Azure event hub to get detailed information.

(Please don't forget to accept helpful replies as answer)



audit-logs-export-data-settings.png (77.3 KiB)
audit-logs-diagnostic-settings.png (25.7 KiB)
diagnostics-settings-stream-to-event-hub.png (49.0 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenPeters-1518 avatar image
0 Votes"
BenPeters-1518 answered SaurabhSharma-msft commented

Thank you very much for taking the time to answer, however, it doesn't really help. As I mentioned, I actually already knew how to do it via the portal, with the method you describe. I specifically need to script this if possible, as the intention is to give a single, simple script to many Azure account owners so they can easily configure logging.

· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SaurabhSharma-msft avatar image SaurabhSharma-msft ·

@BenPeters-1518 sorry, unfortunately it is not possible to configure and send audit logs to EventHub. I suggest you to please post this as a feedback at UserVoice. This will allow the community to upvote and for the product team to include into their plans.


0 Votes 0 ·
SaurabhSharma-msft avatar image SaurabhSharma-msft SaurabhSharma-msft ·

@BenPeters-1518 Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

0 Votes 0 ·