Azure Logs Integration
Introduction
This document describes the Azure Active Directory integration.
The Azure Logs integration retrieves different types of log data from Azure.
Assumptions
The procedures described in Section 3 assume that a Log Collector has already
been set up.
Requirements
The following requirements must be met before using the integration, since the
logs are read from Azure Event Hubs.
1. The logs have to be exported first to the event hub.
• Create an event hub using Azure portal.
• https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create
2. To export activity logs to event hubs users can follow the steps here.
• Legacy collection methods
• https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#legacy-collection-methods
3. To export audit and sign-in logs to event hubs users can follow the
steps here.
• Stream Azure Active Directory logs
• https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub
Azure Active Directory Logs contain:
• Sign-in logs – Information about sign-ins and how your users use your
  resources.
  • Retrieves Azure Active Directory sign-in logs. The sign-ins report provides
    information about the usage of managed applications and user sign-in
    activities.
• Identity Protection logs – Information about user risk status and the events
  that change it.
  • Retrieves Azure AD Identity Protection logs. The Azure AD Identity
    Protection service analyzes events from AD users' behavior, detects risk
    situations, and can respond by reporting only or even blocking users at
    risk, according to policy configurations.
• Provisioning logs – Information about user and group synchronization to
  and from external enterprise applications.
  • Retrieves Azure Active Directory Provisioning logs. The Azure AD
    Provisioning service syncs AD users and groups to and from external
    enterprise applications. For example, you can configure the provisioning
    service to replicate all existing AD users and groups to an external
    Dropbox Business account or vice versa.
    The Provisioning logs contain many details about an inbound/outbound
    sync activity, such as:
    • User or group details.
    • Source and target systems (e.g., from Azure AD to Dropbox).
    • Provisioning status.
    • Provisioning steps (with details for each step).
• Audit logs – Information about changes to your tenant, such as user and
  group management, or updates to your tenant's resources.
  • Retrieves Azure Active Directory audit logs. The audit logs provide
    traceability through logs for all changes done by various features within
    Azure AD. Examples of audit logs include changes made to any resources
    within Azure AD like adding or removing users, apps, groups, roles and
    policies.
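An added example (not part of the original document) of what the Log Collector actually receives for these log types: Azure Monitor writes each batch to the event hub as a JSON envelope of the form {"records": [...]}, and every record carries a "category" field whose value is the category name selected in the Entra ID diagnostic setting. The sample batch below is constructed, not real tenant data.

```python
import json

# Category names as they appear in the Entra ID diagnostic setting, mapped to
# the four log types described above (Identity Protection spans two categories).
CATEGORY_TO_LOG_TYPE = {
    "SignInLogs": "sign-in",
    "AuditLogs": "audit",
    "ProvisioningLogs": "provisioning",
    "RiskyUsers": "identity-protection",
    "UserRiskEvents": "identity-protection",
}

# Constructed sample batch (not real tenant data). Azure Monitor wraps every
# batch it writes to the event hub in a {"records": [...]} envelope.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "0",
     "properties": {"userPrincipalName": "alice@example.com"}},
    {"time": "2024-01-01T00:00:05Z", "category": "AuditLogs",
     "operationName": "Add member to group", "properties": {"result": "success"}},
    {"time": "2024-01-01T00:00:09Z", "category": "UserRiskEvents",
     "properties": {"riskEventType": "unfamiliarFeatures"}},
    {"time": "2024-01-01T00:00:11Z", "category": "ServicePrincipalSignInLogs"},
]})


def parse_batch(body: str) -> list:
    """Unwrap the records envelope; refuse anything that is not one."""
    doc = json.loads(body)
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError("not an Azure Monitor records envelope")
    return records


def route(records: list) -> tuple:
    """Group records by log type; unknown categories are kept, never dropped."""
    routed, unknown = {}, []
    for rec in records:
        log_type = CATEGORY_TO_LOG_TYPE.get(rec.get("category", ""))
        if log_type is None:
            unknown.append(rec)
        else:
            routed.setdefault(log_type, []).append(rec)
    return routed, unknown
```

Records in the unknown bucket usually mean a category was enabled in the diagnostic setting that the collector was not configured for; they are worth alerting on rather than discarding.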
Azure Active Directory Integration Procedures
Create a Resource Group
A resource group is a logical collection of Azure resources. All resources are
deployed and managed in a resource group. To create a resource group:
1. Sign in to the Azure portal.
2. In the left navigation, select Resource groups, and then
select Create a resource.
3. For Subscription, select the name of the Azure subscription in which
you want to create the resource group (for CyTech: Azure Active
Directory).
4. Type a unique name for the resource group. The system
immediately checks to see if the name is available in the currently
selected Azure subscription.
5. Select a region for the resource group.
6. Select Review + Create.
7. Deployment takes a few minutes to complete.
Create an Event Hubs Namespace
An Event Hubs namespace provides a unique scoping container, in which you create
one or more event hubs. To create a namespace in your resource group using the
portal, do the following actions:
1. In the Azure portal, select Create a resource at the top left of
the screen.
2. Select All services in the left menu, and select star (*) next to Event
Hubs in the Analytics category. Confirm that Event Hubs is added
to FAVORITES in the left navigational menu.
3. Select Event Hubs under FAVORITES in the left navigational menu, and
select Create on the toolbar.
4. On the Create namespace page, take the following steps:
a. Select the subscription in which you want to create the
namespace.
b. Select the resource group you created in the previous step.
c. Enter a name for the namespace. The system immediately
checks to see if the name is available.
d. Select a location for the namespace.
e. Choose Basic for the pricing tier. To learn about differences
between tiers, see Quotas and limits, Event Hubs Premium, and Event
Hubs Dedicated articles.
f. Leave the throughput units (for standard tier) or processing
units (for premium tier) settings as they are. To learn about throughput units
or processing units, see Event Hubs scalability.
g. Select Review + Create at the bottom of the page.
h. On the Review + Create page, review the settings, and select Create.
Wait for the deployment to complete.
5. On the Deployment page, select Go to resource to navigate to the page for
your namespace.
Create an Event Hub
To create an event hub within the namespace, do the following actions:
1. On the Overview page, select + Event hub on the command bar.
2. Type a name for your event hub, then select Review + create.
   The partition count setting allows you to parallelize consumption across
   many consumers. For more information, see Partitions.
   The message retention setting specifies how long the Event Hubs service
   keeps data. For more information, see Event retention.
3. On the Review + create page, select Create.
4. You can check the status of the event hub creation in alerts. After the event
   hub is created, you see it in the list of event hubs.
Create a Storage Account
To create an Azure storage account with the Azure portal, follow these steps:
1. From the left portal menu, select Storage accounts to display a list
   of your storage accounts. If the portal menu isn't visible, click the
   menu button to toggle it on.
2. On the Storage accounts page, select Create.
3. The following image shows a standard configuration of the basic properties
   for a new storage account.
4. The following image shows a standard configuration of the advanced
   properties for a new storage account.
5. The following image shows a standard configuration of the networking
   properties for a new storage account.
6. The following image shows a standard configuration of the data protection
   properties for a new storage account.
7. The following image shows a standard configuration of the encryption
   properties for a new storage account.
8. Review + Create tab
   When you navigate to the Review + create tab, Azure runs
   validation on the storage account settings that you have chosen. If
   validation passes, you can proceed to create the storage account.
   If validation fails, then the portal indicates which settings need to be
   modified.
   The following image shows the Review tab data prior to the creation
   of a new storage account.
These are the resources needed for the integration of Azure Active Directory:
1. Azure Diagnostic Settings
   Create a diagnostic setting and select which logs Azure will send to the
   event hub.
   Go to Microsoft Entra ID > Monitoring > Diagnostic settings.
2. Event Hub Credentials
   Go to the Event Hub resource > Shared access policies.
   Provide CyTech with the following:
   a. Event Hub name (not the namespace name):
   b. Connection string-primary key:
3. Storage Account Credentials
   Provide CyTech with the following:
   a. Storage account name:
   b. Key 1 (Key):
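As an added check (example code, not part of this document), a small Python validator for the Event Hub values handed over above: it confirms the connection string is well formed, that the event hub name rather than the namespace name was supplied, that an EntityPath (if present) matches it, and that the policy is not the namespace root key. The namespace, policy name and key are constructed placeholders, and the 44-character base64 key length is an assumption about typical Event Hubs shared access keys.

```python
import re

# Constructed example values (not a real namespace, policy or key).
EVENT_HUB_NAME = "entra-id-logs"
CONNECTION_STRING = (
    "Endpoint=sb://contoso-logs.servicebus.windows.net/;"
    "SharedAccessKeyName=collector-listen;"
    "SharedAccessKey=" + "A" * 43 + "=;"
    "EntityPath=entra-id-logs"
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    fields = {}
    for part in filter(None, conn.strip().split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    return fields


def check_handover(conn: str, event_hub_name: str) -> list:
    """Return human-readable findings; an empty list means the handover looks right."""
    findings = []
    f = parse_connection_string(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in f:
            findings.append(f"missing {required}")
    m = re.fullmatch(r"sb://([a-z0-9-]+)\.servicebus\.windows\.net/?", f.get("Endpoint", ""))
    if not m:
        findings.append("Endpoint is not an Event Hubs namespace URL")
    elif m.group(1) == event_hub_name:
        findings.append("the namespace name was supplied where the event hub name is expected")
    entity = f.get("EntityPath")
    if entity and entity != event_hub_name:
        findings.append(f"EntityPath {entity!r} does not match event hub name {event_hub_name!r}")
    if f.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        findings.append("namespace root key in use; a dedicated Listen-only policy on the hub is safer")
    # Assumption: Event Hubs keys are 32 random bytes encoded as 44 base64 characters.
    if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", f.get("SharedAccessKey", "")):
        findings.append("SharedAccessKey does not look like a 44-character base64 key")
    return findings
```

A hub-scoped policy with only the Listen right is all the collector needs; the Manage and Send rights on the namespace root key are unnecessary exposure if the handed-over string leaks.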