Importing Azure Logs into Sentinel
===
###### tags: `SIEM analysis`
## AAD logs to Log Analytics workspace
Log types that can be exported:
* Audit logs
  History of every operation performed in the tenant
* Sign-in logs
* Provisioning logs
  Monitor which users have been created, updated, and deleted in all your third-party applications.
* Risky users logs (public preview)
  Monitor changes in user risk level and remediation activity.
* Risk detections logs (public preview)
  Monitor users' risk detections and analyze trends in risk activity detected in your organization.
### Streaming connector
:::info
References
* https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-log-analytics-wizard
* https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
:::
step0. (prerequisites)
* A user who is a Global Administrator or Security Administrator for the Azure AD tenant
* A Log Analytics workspace in your Azure subscription
* Licensing requirement: an Azure AD Premium P1 or P2 tenant
step1.
* Select **Azure Active Directory > Diagnostic settings > Add diagnostic setting**
  or select **Export Settings** from the **Audit Logs** or **Sign-ins** page
step2.
* Choose the logs to export and the destination; the data starts arriving after roughly 15 minutes
step3.
* ==Existing (older) logs are not exported; they can only be imported manually by some other means==
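The same streaming setup as a script, added here as an example that is not part of the original note: it creates the tenant-level diagnostic setting for the five log categories listed above and then runs the check a practitioner wants after the ~15 minute wait, a query confirming that sign-in rows are actually landing in the workspace. It assumes the Azure CLI is installed and signed in with the rights from step0; the `microsoft.aadiam` resource path, the `2017-04-01-preview` API version and the category names are taken from the Azure Monitor REST API for Azure AD diagnostic settings, while the setting name and the `AAD_WS_*` environment variables are placeholders of my own.

```shell
#!/bin/sh
# Example script (not from the original note) for streaming Azure AD logs into a
# Log Analytics workspace and verifying ingestion. Requires a signed-in Azure CLI.
set -eu

# Diagnostic-settings category names for the log types listed in the note.
AAD_CATEGORIES="AuditLogs SignInLogs ProvisioningLogs RiskyUsers UserRiskEvents"

# build_body WORKSPACE_RESOURCE_ID -> prints the JSON body enabling every category.
build_body() {
    ws="$1"
    logs=""
    for c in $AAD_CATEGORIES; do
        [ -n "$logs" ] && logs="$logs,"
        logs="$logs{\"category\": \"$c\", \"enabled\": true, \"retentionPolicy\": {\"enabled\": false, \"days\": 0}}"
    done
    printf '{"properties": {"workspaceId": "%s", "logs": [%s]}}' "$ws" "$logs"
}

# apply_setting NAME WORKSPACE_RESOURCE_ID -> PUTs the tenant-level setting.
# Azure AD settings live under the microsoft.aadiam provider, not under a
# subscription-scoped resource, which is why "az rest" is used here.
apply_setting() {
    az rest --method put \
        --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$1?api-version=2017-04-01-preview" \
        --body "$(build_body "$2")"
}

# verify_ingestion WORKSPACE_CUSTOMER_ID -> number of sign-in rows in the last hour.
# Run it about 15 minutes after apply_setting; 0 means nothing is streaming yet.
verify_ingestion() {
    az monitor log-analytics query --workspace "$1" \
        --analytics-query "SigninLogs | where TimeGenerated > ago(1h) | count" \
        --query "[0].Count" --output tsv
}

# Usage: only runs when both placeholder variables are set in the environment.
if [ -n "${AAD_WS_RESOURCE_ID:-}" ] && [ -n "${AAD_WS_CUSTOMER_ID:-}" ]; then
    apply_setting "aad-to-sentinel" "$AAD_WS_RESOURCE_ID"
    verify_ingestion "$AAD_WS_CUSTOMER_ID"
fi
```

AAD_WS_RESOURCE_ID is the full ARM resource ID of the workspace (used by the diagnostic setting); AAD_WS_CUSTOMER_ID is the workspace GUID that the query command expects.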
## Azure activity log to log analytics workspace
:::info
References
* https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
:::
Perhaps this can be viewed directly from here (I don't have permission)

step1.
* Select **Export Activity Logs** to send the activity log to a Log Analytics workspace.

step2.
* ==Existing (older) logs are not exported; they can only be imported manually by some other means==
## Others

- The connection can be enabled directly from the Sentinel Data Connector side
- AD logs need to be matched to their corresponding connector