Connect data from Azure Activity log
You can stream logs from Azure Activity log into Azure Sentinel with a single click. The Activity log is a subscription log that records and displays subscription-level events across Azure, from Azure Resource Manager operational data to updates on Service Health events. Using the Activity log, you can determine the 'what, who, and when' for any write operation (PUT, POST, DELETE) performed on the resources in your subscription. You can also learn the status of the operation and other relevant properties. The Activity log does not include read (GET) operations or operations for resources that use the Classic/"RDFE" model.
- Your user must have Contributor permissions to the Log Analytics workspace.
- Your user must have Reader permissions to any subscription whose logs you want to stream into Azure Sentinel.
Set up the Azure Activity connector
1. From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Azure Activity, and then on the Open connector page button on the lower right.
2. Under the Instructions tab, click the Configure Azure Activity logs > link.
3. In the Azure Activity log pane, select the subscriptions whose logs you want to stream into Azure Sentinel.
4. In the subscription pane that opens to the right, click Connect.
To query the Azure Activity data with the relevant schema in Log Analytics (for example, when writing Azure Activity alerts), type AzureActivity in the query window.
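As an added example (not part of this page), the following Log Analytics query over the AzureActivity table lists the write operations described above by who performed them, from which address, and with what outcome; the column names (Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId) come from the AzureActivity table schema, not from this page.

```kql
// Added example (not from this page): subscription-level write operations
// from the last 24 hours, grouped by who did what, where, and the result.
AzureActivity
| where TimeGenerated > ago(24h)
// Activity log write operations carry operation names ending in
// /write, /delete or /action (the PUT/POST/DELETE calls the text describes).
| where OperationNameValue endswith "/write"
     or OperationNameValue endswith "/delete"
     or OperationNameValue endswith "/action"
// Each operation is logged at least twice (when it starts and when it
// completes); keep only the completion records so each one counts once.
// The status strings differ between the older and newer AzureActivity
// schema, so both spellings are excluded.
| where ActivityStatusValue !in~ ("Start", "Started", "Accept", "Accepted")
| summarize Count     = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(CallerIpAddress)
       by SubscriptionId, ResourceGroup, Caller, OperationNameValue, ActivityStatusValue
| order by LastSeen desc
```

Narrowing the operation filter (for example to names ending in "/delete") turns the same query into a starting point for an alert rule on destructive changes.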
In this document, you learned how to connect Azure Activity log to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel, using built-in or custom rules.