Azure Sentinel: Collecting logs from Microsoft Services and Applications

Ever wondered how to connect Azure Estate, Azure PaaS services or even Intune telemetry to Azure Sentinel? Learn how to do it here.

Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed on Sentinel's connector page (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources) and in the documentation (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources#data-connection-methods). However, Sentinel can collect logs from most Azure services, even when they are not listed there.

To send a service's logs to Sentinel, open the service (1), select "Activity log" from the menu (2), and then click the "Logs" button (3). On this screen, before pressing "Logs", you can review the information that will be sent to Sentinel.

[Screenshot: 2019-08-07 12_04_38-Clipboard.png]

On the next screen, click "Add", then "Select workspace" and select the Sentinel workspace.

In some cases the service provides diagnostic telemetry but not audit logs. Diagnostic telemetry is usually geared towards operations rather than security monitoring, but in most cases it is useful for security monitoring as well. In such cases use "Diagnostic settings" instead of "Activity log" and select "Add diagnostic setting".

Detailed further instructions for some services are listed below. Note that some of them do not use the method outlined above:

- App Services and Web Application monitoring (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/app-monitoring) - goes beyond connection instructions and provides a reference architecture that can be extended from operational to security monitoring using Sentinel.
- Azure Activity - you can collect Azure Activity using the built-in connector; however, it is recommended to connect through the subscription diagnostic settings in a manner similar to the one described above. This ensures lower latency and broader collection.
- Azure B2C - included as part of AAD events (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Azure-B2C/m-p/645077#M311). Note that B2C, which is not part of a subscription, has to be linked to a subscription in the tenant in which Sentinel exists.
- Azure B2B - included as part of AAD events (https://docs.microsoft.com/en-us/azure/active-directory/b2b/auditing-and-reporting).
- Application Insights: use queries across workspaces (https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query).
- Azure DDoS (https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#configure-ddos-attack-mitigation-reports)
- Azure Databricks (https://docs.microsoft.com/en-us/azure/architecture/databricks-monitoring/application-logs)
- Azure Firewall (https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics), plus sample queries (https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples) and a Sentinel dashboard (https://github.com/Azure/Azure-Sentinel/blob/master/Dashboards/Azure_Firewall.json)
- Azure Front Door (https://docs.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics)
- Azure Key Vault (https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault)
- Azure Logic Apps (https://www.serverlessnotes.com/docs/azure-logic-apps-insights-using-log-analytics)
- Azure NSG:
  - Flow logs (https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics)
  - Rule activation (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log)
- Azure SQL Audit log (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-2)
- Azure Site Recovery (https://docs.microsoft.com/en-us/azure/site-recovery/monitor-log-analytics)
- Azure Storage (https://azure.microsoft.com/es-es/blog/query-azure-storage-analytics-logs-in-azure-log-analytics/)
- Desktop Analytics - just use your Sentinel workspace when configuring Desktop Analytics (https://docs.microsoft.com/en-us/sccm/desktop-analytics/tutorial-windows10#set-up-desktop-analytics)
- Intune (https://docs.microsoft.com/en-us/intune/review-logs-using-azure-monitor)
- Microsoft Cloud App Security:
  - Alerts and discovery logs are supported out of the box (https://docs.microsoft.com/en-us/azure/sentinel/connect-cloud-app-security).
  - Use CEF for the activity log as described here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingest-Box-com-activity-events-via-Microsoft-Cloud-App-Security/ba-p/1072849
- Office 365 DLP alerts: supported as part of the built-in Office 365 connector. See details here.
- SCCM (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-sccm)
- SQL Server (https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-ver15)
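The portal steps above (review the exportable categories, then route them to the Sentinel workspace through "Diagnostic settings"), and the subscription-level diagnostic setting recommended for Azure Activity, can be scripted with Azure CLI. The script below is an added example, not code from the original post or from Microsoft; the resource and workspace IDs are placeholders, the setting names "send-to-sentinel" and "activity-to-sentinel" are arbitrary, and apart from Key Vault's AuditEvent category and the Activity Log categories, category names should be taken from the categories list output rather than guessed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): script the portal steps with
# Azure CLI. Set AZ=echo to print the generated commands instead of running them.
set -e

# Build the JSON array that `az monitor diagnostic-settings create --logs`
# expects from a list of log category names, e.g. build_logs_json AuditEvent.
build_logs_json() {
  local json="[" sep="" category
  for category in "$@"; do
    json="${json}${sep}{\"category\": \"${category}\", \"enabled\": true}"
    sep=", "
  done
  printf '%s]' "$json"
}

# Step "review the information that will be sent": list the log categories
# a resource can export, so the names passed below are real ones.
# $1 = resource ID.
list_log_categories() {
  "${AZ:-az}" monitor diagnostic-settings categories list --resource "$1" \
    --query "value[?categoryType=='Logs'].name" -o tsv
}

# Resource-level route ("Diagnostic settings" > "Add diagnostic setting").
# $1 = resource ID, $2 = Log Analytics workspace resource ID, rest = categories.
enable_resource_logs() {
  local resource_id="$1" workspace_id="$2"
  shift 2
  "${AZ:-az}" monitor diagnostic-settings create \
    --name "send-to-sentinel" \
    --resource "$resource_id" \
    --workspace "$workspace_id" \
    --logs "$(build_logs_json "$@")"
}

# Subscription-level route recommended for Azure Activity: export every
# Activity Log category of the current subscription to the workspace.
# $1 = workspace resource ID, $2 = Azure region for the setting (e.g. westeurope).
enable_activity_log() {
  local workspace_id="$1" location="$2"
  "${AZ:-az}" monitor diagnostic-settings subscription create \
    --name "activity-to-sentinel" \
    --location "$location" \
    --workspace "$workspace_id" \
    --logs "$(build_logs_json Administrative Security ServiceHealth Alert \
                              Recommendation Policy Autoscale ResourceHealth)"
}
```

Source the file after `az login`, run `list_log_categories <resource-id>` to see what the resource can export, then call `enable_resource_logs <resource-id> <workspace-id> <category...>` or `enable_activity_log <workspace-id> <region>`. Running the same calls with `AZ=echo` first prints the exact commands, which is the scripted equivalent of reviewing the screen before pressing "Logs".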