
Azure Logs Integration

Introduction

This document shows information related to Azure Active Directory Integration.
The Azure Logs integration retrieves different types of log data from Azure.


Assumptions

The procedures described in the Requirements section assume that a Log Collector
has already been set up.


Requirements

There are several requirements to satisfy before using the integration, since the
logs will be read from Azure Event Hubs.

  1. The logs have to be exported first to the event hub.
    • Create an event hub using the Azure portal.
      More information can be found at: https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create
  2. To export activity logs to event hubs, users can follow the steps here.
    • Legacy collection methods
      More information can be found at: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#legacy-collection-methods
  3. To export audit and sign-in logs to event hubs, users can follow the steps
    here.
    • Stream Azure Active Directory logs
      More information can be found at: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub



Azure Active Directory Logs contain:

Sign-in logs – Information about sign-ins and how your users use your
resources.

  • Retrieves Azure Active Directory sign-in logs. The sign-ins report provides
    information about the usage of managed applications and user sign-in
    activities.

Identity Protection logs – Information about user risk status and the events
that change it.

  • Retrieves Azure AD Identity Protection logs. The Azure AD Identity
    Protection service analyzes events from AD users' behavior, detects risk
    situations, and can respond by reporting only or even blocking users at
    risk, according to policy configurations.

Provisioning logs – Information about user and group synchronization to
and from external enterprise applications.

  • Retrieves Azure Active Directory Provisioning logs. The Azure AD
    Provisioning service syncs AD users and groups to and from external
    enterprise applications. For example, you can configure the provisioning
    service to replicate all existing AD users and groups to an external
    Dropbox Business account, or vice versa.

The Provisioning Logs contain a lot of details about an inbound/outbound
sync activity, like:

  • User or group details.
  • Source and target systems (e.g., from Azure AD to Dropbox).
  • Provisioning status.
  • Provisioning steps (with details for each step).

Audit logs – Information about changes to your tenant, such as user and
group management, or updates to your tenant's resources.

  • Retrieves Azure Active Directory audit logs. The audit logs provide
    traceability through logs for all changes done by various features within
    Azure AD. Examples of audit logs include changes made to any resources
    within Azure AD, like adding or removing users, apps, groups, roles and
    policies.


Azure Active Directory Integration Procedures


Create a Resource Group

A resource group is a logical collection of Azure resources. All resources are
deployed and managed in a resource group. To create a resource group:

  1. Sign in to the Azure portal.
  2. In the left navigation, select Resource groups, and then select Create a
    resource.
  3. For Subscription, select the name of the Azure subscription in which you
    want to create the resource group. For CyTech: Azure Active Directory.
  4. Type a unique name for the resource group. The system immediately checks
    to see if the name is available in the currently selected Azure
    subscription.
  5. Select a region for the resource group.
  6. Select Review + Create.
  7. Creation takes a few minutes to complete.


Create an Event Hubs Namespace

An Event Hubs namespace provides a unique scoping container, in which you create
one or more event hubs. To create a namespace in your resource group using the
portal, do the following actions:

  1. In the Azure portal, select Create a resource at the top left of the
    screen.
  2. Select All services in the left menu, and select the star (*) next to
    Event Hubs in the Analytics category. Confirm that Event Hubs is added
    to FAVORITES in the left navigational menu.
  3. Select Event Hubs under FAVORITES in the left navigational menu, and
    select Create on the toolbar.
  4. On the Create namespace page, take the following steps:
    a. Select the subscription in which you want to create the namespace.
    b. Select the resource group you created in the previous step.
    c. Enter a name for the namespace. The system immediately checks to see
       if the name is available.
    d. Select a location for the namespace.
    e. Choose Basic for the pricing tier. To learn about the differences
       between tiers, see the Quotas and limits, Event Hubs Premium, and
       Event Hubs Dedicated articles.
    f. Leave the throughput units (for the standard tier) or processing units
       (for the premium tier) settings as they are. To learn about throughput
       units or processing units, see Event Hubs scalability.
    g. Select Review + Create at the bottom of the page.
    h. On the Review + Create page, review the settings, and select Create.
       Wait for the deployment to complete.
  5. On the Deployment page, select Go to resource to navigate to the page for
    your namespace.



Create an Event Hub

To create an event hub within the namespace, do the following actions:

  1. On the Overview page, select + Event hub on the command bar.
  2. Type a name for your event hub, then select Review + create.
    The partition count setting allows you to parallelize consumption across
    many consumers. For more information, see Partitions.
    The message retention setting specifies how long the Event Hubs service
    keeps data. For more information, see Event retention.
  3. On the Review + create page, select Create.
  4. You can check the status of the event hub creation in alerts. After the
    event hub is created, you see it in the list of event hubs.


Create a Storage Account

To create an Azure storage account with the Azure portal, follow these steps:

  1. From the left portal menu, select Storage accounts to display a list
    of your storage accounts. If the portal menu isn't visible, click the
    menu button to toggle it on.
  2. On the Storage accounts page, select Create.
  3. Configure the basic properties for the new storage account. The original
    page shows a standard configuration in a screenshot.
  4. Configure the advanced properties for the new storage account. The
    original page shows a standard configuration in a screenshot.
  5. Configure the networking properties for the new storage account. The
    original page shows a standard configuration in a screenshot.
  6. Configure the data protection properties for the new storage account. The
    original page shows a standard configuration in a screenshot.
  7. Configure the encryption properties for the new storage account. The
    original page shows a standard configuration in a screenshot.
  8. Review + Create tab
    When you navigate to the Review + create tab, Azure runs validation on
    the storage account settings that you have chosen. If validation passes,
    you can proceed to create the storage account. If validation fails, the
    portal indicates which settings need to be modified.

The original page shows the Review tab data prior to the creation of a new
storage account in a screenshot.

Resources

These are the resources needed for the integration of Azure Active Directory:

  1. Azure Diagnostics Settings
    Create a Diagnostics Configuration and select which logs from Azure will
    be sent to the event hub.
    Navigate to Microsoft Entra ID > Monitoring > Diagnostic settings.
  2. Event Hub Credentials
    Go to the Event Hub resource > Select Shared Access Policies.
  3. Please provide CyTech the:
    a. Event Hubs Name (not the Namespace):
    b. Connection string - primary key:
  4. Account Storage Credentials
  5. Please provide CyTech the:
    a. Storage Account Name:
    b. Key 1 key value:

    If you need further assistance, kindly contact our support at info@cytechint.com for prompt assistance and guidance.