Tutorial: Stream Azure Active Directory logs to an Azure event hub

In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.

Prerequisites

To use this feature, you need:

  • An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
  • An Azure AD tenant.
  • A user who's a global administrator or security administrator for the Azure AD tenant.
  • An Event Hubs namespace and an event hub in your Azure subscription. Learn how to create an event hub.

Stream logs to an event hub

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Audit logs.

  3. Select Export Data Settings.

  4. In the Diagnostics settings pane, do either of the following:

    • To change existing settings, select Edit setting.
    • To add new settings, select Add diagnostics setting.
      You can have up to three settings.

  5. Select the Stream to an event hub check box, and then select Event Hub/Configure.


    1. Select the Azure subscription and Event Hubs namespace that you want to route the logs to.
      The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name insights-logs-audit.

    2. Select any combination of the following items:

      • To send audit logs to the event hub, select the AuditLogs check box.
      • To send interactive user sign-in logs to the event hub, select the SignInLogs check box.
      • To send non-interactive user sign-in logs to the event hub, select the NonInteractiveUserSignInLogs check box.
      • To send service principal sign-in logs to the event hub, select the ServicePrincipalSignInLogs check box.
      • To send managed identity sign-in logs to the event hub, select the ManagedIdentitySignInLogs check box.
      • To send provisioning logs to the event hub, select the ProvisioningLogs check box.
      • To send AD FS sign-ins that an AD FS Connect Health agent reports to Azure AD, select the ADFSSignInLogs check box.
      • To send risky user information, select the RiskyUsers check box.
      • To send user risk events information, select the UserRiskEvents check box.

      Note

      Some sign-in categories contain large amounts of log data depending on your tenant’s configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins.

    3. Select Save to save the setting.

  6. After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the incoming messages count is greater than zero.
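Once messages are arriving, a SIEM connector has to unwrap them before it can do anything useful. The following is an added example, not code from this tutorial or from Microsoft: it parses the Azure Monitor envelope that each event hub message carries (a JSON object whose "records" array holds the individual log entries), tallies records per category using the category names listed above, and reports both categories you enabled that have produced nothing yet and categories the parser does not recognise. The message body is a constructed sample; with the azure-eventhub SDK the same JSON is what EventData.body_as_json() returns.

```python
import json
from collections import Counter

# Log categories the diagnostic setting can route to the event hub (the list in the tutorial).
KNOWN_CATEGORIES = {
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ProvisioningLogs", "ADFSSignInLogs", "RiskyUsers", "UserRiskEvents",
}

# Constructed sample of one event hub message body: Azure Monitor wraps each batch of
# log records in a JSON object with a "records" array. Values are invented for illustration.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2023-01-01T10:00:00Z", "category": "AuditLogs", "operationName": "Add member to role"},
    {"time": "2023-01-01T10:00:01Z", "category": "SignInLogs", "operationName": "Sign-in activity"},
    {"time": "2023-01-01T10:00:02Z", "category": "NonInteractiveUserSignInLogs", "operationName": "Sign-in activity"},
    {"time": "2023-01-01T10:00:02Z", "category": "NonInteractiveUserSignInLogs", "operationName": "Sign-in activity"},
    {"time": "2023-01-01T10:00:03Z", "category": "SomethingNew", "operationName": "Unknown"},
]})


def parse_records(body: str) -> list:
    """Unwrap the Azure Monitor envelope; reject anything that is not a records array."""
    envelope = json.loads(body)
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body is not an Azure Monitor 'records' envelope")
    return records


def count_by_category(records: list) -> Counter:
    """Record volume per category, which shows which streams dominate SIEM ingestion."""
    return Counter(r.get("category", "<missing>") for r in records)


def missing_categories(counts: Counter, enabled: set) -> set:
    """Categories ticked in the diagnostic setting that have produced no records."""
    return {c for c in enabled if counts[c] == 0}


def unknown_categories(counts: Counter) -> set:
    """Categories the parser has no mapping for; surface them instead of dropping silently."""
    return set(counts) - KNOWN_CATEGORIES


if __name__ == "__main__":
    counts = count_by_category(parse_records(SAMPLE_MESSAGE))
    enabled = {"AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ProvisioningLogs"}
    print(dict(counts), missing_categories(counts, enabled), unknown_categories(counts))
```

Running the per-category counts over a few hours of real traffic is the quickest way to see the volume difference between interactive and non-interactive sign-ins that the note above warns about.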


Access data from your event hub

After data is displayed in the event hub, you can access and read the data in two ways:

Next steps