Connect data from Azure Activity log
You can stream logs from Azure Activity log into Azure Sentinel with a single click. The Activity log is a subscription log that provides insight into subscription-level events that occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. Using the Activity log, you can determine the ‘what, who, and when’ for any write operation (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. The Activity log does not include read (GET) operations or operations for resources that use the Classic/"RDFE" model.
- Prerequisite: a user with global administrator or security administrator permissions
Connect to Azure Activity log
In Azure Sentinel, select Data connectors and then click the Azure Activity log tile.
In the Azure Activity log pane, select the subscriptions you want to stream into Azure Sentinel.
To use the relevant schema in Log Analytics for Azure Activity alerts, search for the AzureActivity table.
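Once the connector is streaming, the AzureActivity table is where the "what, who, and when" of write operations lands. The query below is an added example, not part of this article or of any Sentinel rule template; it summarizes completed write operations per caller over the last 24 hours so you can spot unusual actors or bursts of failed changes. It assumes the current AzureActivity column names (OperationNameValue, ActivityStatusValue, CategoryValue, Caller, CallerIpAddress, _ResourceId); if your workspace only exposes the legacy names (OperationName, ActivityStatus, ResourceId), substitute those.

```kusto
// Added example: summarize write operations from the Activity log by caller.
// Assumes the current AzureActivity column names; see the note above.
AzureActivity
| where TimeGenerated > ago(24h)
// Administrative entries are the ARM control-plane operations the article describes;
// Service Health and other categories are excluded here.
| where CategoryValue == "Administrative"
// Write operations appear as .../WRITE (PUT), .../DELETE (DELETE) and .../ACTION (POST).
| where OperationNameValue has_any ("/WRITE", "/DELETE", "/ACTION")
// Each operation is logged twice (a Start record and a completion record);
// drop the Start records so a single change is not counted as two.
| where ActivityStatusValue !in~ ("Start", "Started")
| summarize
    Operations = count(),
    // Accept both naming styles for the failure status.
    Failed     = countif(ActivityStatusValue in~ ("Failure", "Failed")),
    Resources  = dcount(_ResourceId),
    // make_set with a cap keeps the result readable for chatty callers.
    SourceIPs  = make_set(CallerIpAddress, 10),
    Ops        = make_set(OperationNameValue, 10)
    by Caller, SubscriptionId
| order by Operations desc
```

Run this in the Logs blade of the Sentinel workspace. A high Failed count for a single Caller, or a Caller whose SourceIPs set does not match your expected management locations, is a reasonable starting point for a scheduled analytics rule built on the same table.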
In this document, you learned how to connect Azure Activity log to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.