Azure Sentinel: Collecting logs from Microsoft Services and Applications

Ever wondered how to connect Azure Estate, Azure PaaS services or even Intune telemetry to Azure Sentinel? Learn how to do it here.
Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed on Sentinel's connector page (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources) and in the documentation on data connection methods (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources#data-connection-methods). However, Sentinel can collect logs from most Azure services, even those that are not listed there.

 

To send a service's logs to Sentinel, open the service (1), select "Activity log" from its menu (2), and then click the "Logs" button (3). Before pressing "Logs", use this screen to review the information that will be sent to Sentinel. Keep in mind that the Activity log is a subscription-level record of control-plane operations (who created, changed or deleted what), so connecting it from one resource's blade connects the Activity log for the whole subscription, not just for that resource.

 

[Screenshot: Azure portal, a service's "Activity log" blade, with steps (1) to (3) marked]

 

On the next screen, click "Add", then "Select workspace" and select the Sentinel workspace.

 

Many services expose their own logs through diagnostic settings rather than through the Activity log. This diagnostic telemetry is usually geared towards operations rather than security monitoring, but in most cases it is useful for security monitoring as well: for example, Key Vault's AuditEvent category records every key, secret and certificate operation, and Azure Firewall's rule logs record allowed and denied connections. For such services use "Diagnostic settings" instead of "Activity log", select "Add diagnostic setting", enable the log categories you need and send them to the Sentinel workspace. Metrics can be enabled in the same setting, but they rarely add security value and do add ingestion volume.
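The same "Diagnostic settings" procedure, scripted with the Azure CLI so it can be applied consistently across many resources, followed by a KQL check that data is actually arriving. This is an added example, not code from the original post or from Microsoft. It assumes the az CLI is installed and logged in, that RESOURCE_ID is the full ARM ID of the resource (for example a Key Vault), that WORKSPACE_ID is the ARM ID of the Log Analytics workspace on which Sentinel is enabled, and that WORKSPACE_CUSTOMER_ID is that workspace's customer ID (the GUID the query command expects); the setting name "to-sentinel" is an arbitrary label chosen here.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): "Diagnostic settings -> Add
# diagnostic setting -> Sentinel workspace", done with the Azure CLI.
# Assumed inputs: RESOURCE_ID (ARM ID of the resource), WORKSPACE_ID (ARM ID
# of the Sentinel workspace), WORKSPACE_CUSTOMER_ID (workspace GUID).
# "to-sentinel" is an arbitrary name for the diagnostic setting.

# Build the JSON value for --logs from a list of category names, enabling
# every one of them. Pure shell, so no jq dependency.
logs_json() {
  out="["
  sep=""
  for cat in "$@"; do
    out="${out}${sep}{\"category\":\"${cat}\",\"enabled\":true}"
    sep=","
  done
  printf '%s]' "$out"
}

# Ask Azure which categories this resource type offers and keep only the
# logs (categoryType == "Logs"); metrics rarely help security monitoring.
list_log_categories() {
  az monitor diagnostic-settings categories list \
    --resource "$1" \
    --query "value[?categoryType=='Logs'].name" -o tsv
}

# Create (or update) the diagnostic setting that ships every log category
# of the resource to the Sentinel workspace.
connect_resource() {
  resource_id="$1"; workspace_id="$2"
  cats=$(list_log_categories "$resource_id")
  [ -n "$cats" ] || { echo "no log categories for $resource_id" >&2; return 1; }
  # $cats is deliberately unquoted: one argument per category name.
  az monitor diagnostic-settings create \
    --name "to-sentinel" \
    --resource "$resource_id" \
    --workspace "$workspace_id" \
    --logs "$(logs_json $cats)"
}

# KQL that confirms ingestion: per-category event counts and last-seen time
# for this resource over the past day. AzureDiagnostics stores ResourceId in
# upper case, so the comparison is case-insensitive (=~).
verify_query() {
  printf 'AzureDiagnostics | where TimeGenerated > ago(1d) | where ResourceId =~ "%s" | summarize Count=count(), LastSeen=max(TimeGenerated) by Category' "$1"
}

verify_ingestion() {
  az monitor log-analytics query \
    --workspace "$1" \
    --analytics-query "$(verify_query "$2")" -o table
}

# Usage: sh connect.sh <RESOURCE_ID> <WORKSPACE_ID> <WORKSPACE_CUSTOMER_ID>
if [ "$#" -eq 3 ]; then
  connect_resource "$1" "$2"
  echo "Newly enabled diagnostic logs can take tens of minutes to appear; re-run the check if the table is empty."
  verify_ingestion "$3" "$1"
fi
```

An empty result from the verification query after an hour usually means the resource has simply not generated any events of the enabled categories yet, so trigger a known operation (for a Key Vault, read a secret) and query again. The subscription-level Activity log from the steps above is better handled by Sentinel's own "Azure Activity" data connector than by a per-resource script.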

 

Further detailed instructions for some services are listed below. Note that some of them do not use the method outlined above:

- Azure B2C - included as part of AAD events (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Azure-B2C/m-p/645077#M311). Note that B2C, which is not part of a subscription, has to be linked to a subscription in the tenant in which Sentinel exists.
- Azure B2B - included as part of AAD events (https://docs.microsoft.com/en-us/azure/active-directory/b2b/auditing-and-reporting)
- Application Insights: use queries across workspaces (https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query)
- Azure DDoS (https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#configure-ddos-attack-mitigation-reports)
- Azure Databricks (https://docs.microsoft.com/en-us/azure/architecture/databricks-monitoring/application-logs)
- Azure Firewall (https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics), plus sample queries (https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples) and a Sentinel dashboard (https://github.com/Azure/Azure-Sentinel/blob/master/Dashboards/Azure_Firewall.json)
- Azure Front Door (https://docs.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics)
- Azure Key Vault (https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault)
- Azure Logic Apps (https://www.serverlessnotes.com/docs/azure-logic-apps-insights-using-log-analytics)
- Azure NSG (network security groups):
  - Flow logs (https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics)
  - Rule activation (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log)
- Azure SQL Audit log (https://blogs.msdn.microsoft.com/sqlsecurity/2018/09/13/sql-audit-logs-in-azure-log-analytics-and-azure-event-hubs/)
- Azure Site Recovery (https://docs.microsoft.com/en-us/azure/site-recovery/monitor-log-analytics)
- Azure Storage (https://azure.microsoft.com/es-es/blog/query-azure-storage-analytics-logs-in-azure-log-analytics/)
- Desktop Analytics - just use your Sentinel workspace when configuring Desktop Analytics (https://docs.microsoft.com/en-us/sccm/desktop-analytics/tutorial-windows10#set-up-desktop-analytics)
- Intune (https://docs.microsoft.com/en-us/intune/review-logs-using-azure-monitor)
- SCCM (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-sccm)
- SQL Server (https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-ver15)