Tutorial: Stream Azure Active Directory logs to an Azure event hub
In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.
To use this feature, you need:
- An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
- An Azure AD tenant.
- A user who's a global administrator or security administrator for the Azure AD tenant.
- An Event Hubs namespace and an event hub in your Azure subscription. Learn how to create an event hub.
Stream logs to an event hub
Sign in to the Azure portal.
Select Azure Active Directory > Activity > Audit logs.
Select Export Settings.
In the Diagnostics settings pane, do either of the following:
To change existing settings, select Edit setting.
To add new settings, select Add diagnostics setting.
You can have up to three settings.
Select the Stream to an event hub check box, and then select Event Hub/Configure.
Select the Azure subscription and Event Hubs namespace that you want to route the logs to.
The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name insights-logs-audit.
Select OK to exit the event hub configuration.
Do either or both of the following:
- To send audit logs to the storage account, select the AuditLogs check box.
- To send sign-in logs to the storage account, select the SignInLogs check box.
Select Save to save the setting.
After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the incoming messages count is greater than zero.
Access data from your event hub
After data is displayed in the event hub, you can access and read the data in two ways:
Configure a supported SIEM tool. To read data from the event hub, most tools require the event hub connection string and certain permissions to your Azure subscription. Third-party tools with Azure Monitor integration include, but are not limited to:
ArcSight: For more information about integrating Azure AD logs with Splunk, see Integrate Azure Active Directory logs with ArcSight using Azure Monitor.
Splunk: For more information about integrating Azure AD logs with Splunk, see Integrate Azure AD logs with Splunk by using Azure Monitor.
IBM QRadar: The DSM and Azure Event Hub Protocol are available for download at IBM support. For more information about integration with Azure, go to the IBM QRadar Security Intelligence Platform 7.3.0 site.
Sumo Logic: To set up Sumo Logic to consume data from an event hub, see Install the Azure AD app and view the dashboards.
Set up custom tooling. If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up custom tooling by using the Event Hubs API. To learn more, see the Getting started receiving messages from an event hub.