Tutorial: Stream Azure Active Directory logs to an Azure event hub
In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.
To use this feature, you need:
- An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
- An Azure AD tenant.
- A user who's a global administrator or security administrator for the Azure AD tenant.
- An Event Hubs namespace and an event hub in your Azure subscription. Learn how to create an event hub.
Stream logs to an event hub
Sign in to the Azure portal.
Select Azure Active Directory > Audit logs.
Select Export Data Settings.
In the Diagnostics settings pane, do either of the following:
- To change existing settings, select Edit setting.
- To add new settings, select Add diagnostics setting.
You can have up to three settings.
Select the Stream to an event hub check box, and then select Event Hub/Configure.
Select the Azure subscription and Event Hubs namespace that you want to route the logs to.
The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name insights-logs-audit.
Select any combination of the following items:
- To send audit logs to the event hub, select the AuditLogs check box.
- To send interactive user sign-in logs to the event hub, select the SignInLogs check box.
- To send non-interactive user sign-in logs to the event hub, select the NonInteractiveUserSignInLogs check box.
- To send service principal sign-in logs to the event hub, select the ServicePrincipalSignInLogs check box.
- To send managed identity sign-in logs to the event hub, select the ManagedIdentitySignInLogs check box.
- To send provisioning logs to the event hub, select the ProvisioningLogs check box.
- To send sign-ins sent to Azure AD by an AD FS Connect Health agent, select the ADFSSignInLogs check box.
- To send risky user information, select the RiskyUsers check box.
- To send user risk events information, select the UserRiskEvents check box.
Some sign-in categories contain large amounts of log data depending on your tenant’s configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins.
Select Save to save the setting.
After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the incoming messages count is greater than zero.
Access data from your event hub
After data is displayed in the event hub, you can access and read the data in two ways:
Configure a supported SIEM tool. To read data from the event hub, most tools require the event hub connection string and certain permissions to your Azure subscription. Third-party tools with Azure Monitor integration include, but aren't limited to:
ArcSight: For more information about integrating Azure AD logs with ArcSight, see Integrate Azure Active Directory logs with ArcSight using Azure Monitor.
Splunk: For more information about integrating Azure AD logs with Splunk, see Integrate Azure AD logs with Splunk by using Azure Monitor.
IBM QRadar: The DSM and Azure Event Hub Protocol are available for download at IBM support. For more information about integration with Azure, go to the IBM QRadar Security Intelligence Platform 7.3.0 site.
Sumo Logic: To set up Sumo Logic to consume data from an event hub, see Install the Azure AD app and view the dashboards.
Set up custom tooling. If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up custom tooling by using the Event Hubs API. To learn more, see the Getting started receiving messages from an event hub.
- Create diagnostic settings to send platform logs and metrics to different destinations
- Integrate Azure Active Directory logs with ArcSight using Azure Monitor
- Integrate Azure AD logs with Splunk by using Azure Monitor
- Integrate Azure AD logs with SumoLogic by using Azure Monitor
- Integrate Azure AD logs with Elastic using an event hub
- Interpret audit logs schema in Azure Monitor
- Interpret sign-in logs schema in Azure Monitor