## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

@Ofer_Shezaf

Thanks for the post, quite informative.

Could you please guide us on how we can integrate Office 365 Threat Protection and Information Governance alerts with Sentinel?

Also, it would be really good if playbook integration can be made available with Azure services analytic rules, e.g. ASC, ATP Defender, MCAS and Identity Protection etc.

Many thanks in advance,

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

@jvaidya:

Private preview for Office 365 ATP alerts ingestion is starting very soon. Join our [Private Previews](https://aka.ms/SecurityPrP) program to get details.

As to playbooks: what is the workflow you look for? What should those playbooks do?

~ Ofer

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

@Ofer_Shezaf, thanks for the info...

And we are also looking for Office 365 alert ingestion with Sentinel; is there any update on that?

PS: I have tried ingesting Office 365 alerts from the Management API using Logic Apps, with reference to a blog in the Tech Community; however, the details of the alerts are largely missing....

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

@Ofer_Shezaf Thanks for the reply. Glad to know the private preview for Office 365 alerts is starting soon; I will get myself registered for the private preview.

e.g. Out-of-the-box rules (rule templates) for these services can create incidents based on all alerts generated, but these rules do not allow any integration of playbooks. Obviously, the other option, which we are following, is to create scheduled query rules for these services' alerts as well, but as useful entity information (IP, URL, Account Name etc.) is usually in the description or other fields of the alert, mapping with entities becomes a bit challenging.

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

@jvaidya: incident triggers, which will allow triggering playbooks for incidents of all types, are expected to be in preview in a few weeks.

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

Great post @Ofer_Shezaf. Have shared on my LinkedIn network.

## Re: Azure Sentinel: Collecting logs from Microsoft Services and Applications

Can I ingest logs from Azure Front Door into Sentinel?

# Azure Sentinel: Collecting logs from Microsoft Services and Applications

*This is part of a series of blogs on connectors. You might also find what you are looking for here:*

- *[Syslog, CEF, Logstash and other 3rd party connectors grand list](https://techcommunity.microsoft.com/t5/Azure-Sentinel/The-Syslog-and-CEF-source-configuration-grand-list/ba-p/803891)*
- *[Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS servers](https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS/ba-p/811760)*
- *[Creating Custom Connectors](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-creating-custom-connectors/ba-p/864060)*

**In this blog post:**

- The Azure Monitor collection framework
- How to connect Azure resources to Azure Sentinel
- Understanding the Azure Monitor schema
- **Collecting from specific Microsoft and Azure sources**

Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed on [Sentinel's connector page](https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources) and in the [documentation](https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources#data-connection-methods). However, Sentinel can collect logs from most Azure services and other Microsoft products, even those not listed there.

## The Azure Monitor collection framework

Azure Monitor, and its Log Analytics module, is the underlying log management platform powering Azure Sentinel. As such, any source that can send logs to Azure Monitor or Log Analytics inherently supports Azure Sentinel. Most Azure and Microsoft solutions support sending telemetry to Azure Monitor. You can read more about Azure Monitor collection here: "[Collect Azure platform logs in Log Analytics workspace in Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs-collect-workspace)".

## How can I collect from a supported Azure source?

The following is a guide to connecting a resource to Log Analytics/Azure Sentinel using the portal. The actual portal flow may differ from resource to resource.

To send a service's logs to Sentinel, pick the service (1), select "Activity Log" from the menu (2), and then click the "Logs" button (3). Note that on this screen, before pressing "Logs," you can review the information that will be sent to Sentinel.

[Screenshot: 2019-08-07 12_04_38-Clipboard.png]

On the next screen, click "Add," then "Select workspace," and select the Sentinel workspace. In some cases, the service provides diagnostic telemetry but not audit logs. In such cases, use "Diagnostic settings" instead of "Activity Log" and select "Add diagnostic setting." Keep in mind that the Activity Log is collected per subscription, whereas a diagnostic setting is created per resource, so the second path has to be repeated (or scripted) for every resource you want in Sentinel. Some sources do not use either method, and the instructions in the list below cover those.
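The portal flow above handles one resource at a time. The following PowerShell script is an added example, not code from the original post: it performs the same "Add diagnostic setting" step for every resource in a resource group through the Azure Monitor diagnostic-settings REST API (via `Invoke-AzRestMethod`), discovers which log categories each resource actually exposes instead of guessing, and also creates the subscription-scoped setting for the Activity Log, which the Big List below recommends over the built-in connector. The workspace resource ID, resource group name and setting name are placeholders you must replace.

```powershell
# Added example (not from the original post). Requires the Az PowerShell module and an
# authenticated session (Connect-AzAccount). The values below are assumptions/placeholders.
$WorkspaceId   = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"  # hypothetical Sentinel workspace
$ResourceGroup = "rg-prod"           # hypothetical: resource group whose resources to onboard
$SettingName   = "send-to-sentinel"  # hypothetical: name of the diagnostic setting to create
$ApiVersion    = "2017-05-01-preview"

# Returns the log categories a resource can emit. Resource types that do not support
# diagnostic settings at all answer with a non-200 status, which we treat as "nothing to do".
function Get-LogCategories([string]$ResourceId) {
    $r = Invoke-AzRestMethod -Method GET `
        -Path "$ResourceId/providers/Microsoft.Insights/diagnosticSettingsCategories?api-version=$ApiVersion"
    if ($r.StatusCode -ne 200) { return @() }
    ($r.Content | ConvertFrom-Json).value |
        Where-Object { $_.properties.categoryType -eq "Logs" } |   # skip metric categories
        ForEach-Object { $_.name }
}

# Creates (or overwrites) a diagnostic setting that sends the given log categories to the
# Sentinel workspace. $Dedicated asks for resource-specific tables instead of AzureDiagnostics;
# it is only honoured by resources that support that collection mode.
function Set-SentinelDiagnostics([string]$Scope, [string[]]$Categories, [bool]$Dedicated = $true) {
    $props = @{
        workspaceId = $WorkspaceId
        logs        = @($Categories | ForEach-Object { @{ category = $_; enabled = $true } })
    }
    if ($Dedicated) { $props.logAnalyticsDestinationType = "Dedicated" }
    $body = @{ properties = $props } | ConvertTo-Json -Depth 5
    $r = Invoke-AzRestMethod -Method PUT -Payload $body `
        -Path "$Scope/providers/Microsoft.Insights/diagnosticSettings/$SettingName?api-version=$ApiVersion"
    if ($r.StatusCode -notin 200, 201) {
        Write-Warning "$Scope -> HTTP $($r.StatusCode): $($r.Content)"
    }
    return $r.StatusCode
}

# 1) Resource logs: the "Diagnostic settings" path from the post, for every resource in the group.
foreach ($res in Get-AzResource -ResourceGroupName $ResourceGroup) {
    $cats = Get-LogCategories $res.ResourceId
    if (-not $cats) { Write-Verbose "skip $($res.ResourceId): no log categories"; continue }
    Write-Host "$($res.ResourceType) $($res.Name): $($cats -join ', ')"
    Set-SentinelDiagnostics -Scope $res.ResourceId -Categories $cats | Out-Null
}

# 2) Activity Log: scoped to the subscription, so one setting per subscription, not per resource.
$sub = (Get-AzContext).Subscription.Id
$activityCategories = "Administrative", "Security", "ServiceHealth", "Alert",
                      "Recommendation", "Policy", "Autoscale", "ResourceHealth"
Set-SentinelDiagnostics -Scope "/subscriptions/$sub" -Categories $activityCategories -Dedicated $false | Out-Null

# 3) Check what is now configured on a resource (replace <resourceId>):
# Invoke-AzRestMethod -Method GET -Path "<resourceId>/providers/Microsoft.Insights/diagnosticSettings?api-version=$ApiVersion"
```

Enabling every category is the simplest way to get complete coverage, but some categories (for example request-level logs on busy services) are high volume; review the ingestion figures in the workspace after a day and trim categories that carry no security value. The Write-Warning branch is where you will see resources whose type accepts the categories query but rejects the PUT, typically because the workspace is in a region or subscription the resource cannot reach.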
## Understanding and using the events

You can read more about the structure of the events received by Azure Monitor [here](https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-structure). The telemetry may be stored in the AzureDiagnostics table or in a dedicated, resource-specific table, depending on the [collection mode](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs-collect-workspace#resource-log-collection-mode) used by the source. This matters when you write queries: in AzureDiagnostics, service-specific fields are suffixed by type (for example `_s` for strings, `_d` for numbers, `_g` for GUIDs), whereas a dedicated table has typed, named columns.

Each event will include several standard fields such as time, Resource Id, and Tenant ID, as described [here](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs-schema#top-level-common-schema), as well as [per-resource fields](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs-schema#service-specific-schemas). Several standard fields available in every Log Analytics table, not just Azure resource tables, such as TimeGenerated, Type, and billing information, are listed [here](https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-structure#standard-properties).

Also, you can find a full reference, still under construction, to the Azure Monitor table schema for all sources, not just Azure ones, [here](https://docs.microsoft.com/en-us/azure/azure-monitor/reference/). The Azure Monitor GitHub contains [queries and workbooks](https://github.com/microsoft/AzureMonitorCommunity/tree/master/Azure%20Services) for many Azure services that can provide a starting point for understanding the logs sent by them.
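Once a source is connected, the practical questions are which table its events landed in and which of the standard fields they carry. This PowerShell snippet is an added example rather than code from the post: it runs two KQL queries against the workspace with `Invoke-AzOperationalInsightsQuery`. The first inventories the AzureDiagnostics table by resource provider and log category, using the `_BilledSize` billing column the post refers to; the second finds every table that holds events for one resource ID, whichever collection mode the source used. The workspace customer ID and the resource ID are placeholders.

```powershell
# Added example (not from the original post). Requires Az.OperationalInsights and Connect-AzAccount.
$WorkspaceCustomerId = "11111111-1111-1111-1111-111111111111"  # hypothetical: the workspace ID (GUID), not its ARM resource ID
$ResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"  # hypothetical

# Runs a KQL query over the last $Days days and returns the result rows.
function Invoke-Kql([string]$Query, [int]$Days = 1) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId `
        -Query $Query -Timespan (New-TimeSpan -Days $Days)
    return $result.Results
}

# 1) What is in AzureDiagnostics, by resource provider and category. ResourceProvider and
#    Category are top-level common-schema fields; _BilledSize and TimeGenerated are standard
#    columns present in every table. Type-suffixed service fields (_s, _d, _g, ...) are left out.
$inventory = @"
AzureDiagnostics
| summarize Events    = count(),
            Volume_MB = round(sum(_BilledSize) / 1e6, 2),
            LastSeen  = max(TimeGenerated)
    by ResourceProvider, Category
| order by Volume_MB desc
"@
Invoke-Kql $inventory | Format-Table -AutoSize

# 2) Every table holding events for one resource. _ResourceId is populated whether the
#    source writes to AzureDiagnostics or to a dedicated table, so one filter covers both.
#    'search' scans all tables and is costly; it is bounded here by the one-day timespan.
#    The backtick keeps PowerShell from expanding `$table, which is a KQL column name.
$perResource = @"
search _ResourceId =~ "$ResourceId"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Table = `$table, Type
| order by Events desc
"@
Invoke-Kql $perResource | Format-Table -AutoSize
```

If a resource has a diagnostic setting but shows up in neither result after a day, the setting is not delivering: check that the categories you enabled are ones the resource actually emits, and that nothing is filtering the workspace (a workspace in a different region or tenant is the usual cause). Run the first query periodically; a provider or category whose volume jumps without a corresponding change on your side is worth a look in its own right.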
## The Big List

### Azure Services

- [App Services and Web Application monitoring](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/app-monitoring) - goes beyond how-to-connect instructions and provides a reference architecture that can be extended from operational to security monitoring using Sentinel.
- Azure Activity - you can collect Azure Activity using the [built-in connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity); however, it is recommended to connect through the subscription diagnostic settings in a similar manner to the one described above. This will ensure lower latency and broader collection. You can find the Azure Activity schema [here](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema).
- Azure AD Domain Services:
  - [Send audit events to Sentinel](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events)
  - [Use Workbooks to analyze them](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/use-azure-monitor-workbooks)
- Azure B2C - collect B2C logs from your B2C tenant into your primary tenant's AAD logs as described [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor). Note that this uses Azure Lighthouse to send diagnostics across tenant boundaries, and the events will show in the same tables in Sentinel; however, the local AAD connector will not show as connected (unless it is also connected).
- Azure B2B - [included as part of AAD events](https://docs.microsoft.com/en-us/azure/active-directory/b2b/auditing-and-reporting)
- Application Insights:
  - [Send to a Sentinel workspace](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource)
  - Use [queries across workspaces](https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query)
- Azure Data Lake Storage Gen1:
  - [Enable diagnostics logging](https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-diagnostic-logs#enable-diagnostic-logging-for-your-data-lake-storage-gen1-account)
  - [Query examples](https://docs.microsoft.com/en-us/archive/blogs/azuredatalake/struggling-to-get-insights-for-your-azure-data-lake-store-azure-log-analytics-can-help#create-your-first-log-analytics-query-for-an-azure-data-lake-store-account)
- Azure DDoS:
  - [Built-in connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ddos-protection)
  - [Diagnostics instructions](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#configure-ddos-attack-mitigation-reports)
  - [Enable collection using PowerShell](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/Enable%20Diagnostic%20Logging/Powershell)
- [Azure Databricks](https://docs.microsoft.com/en-us/azure/architecture/databricks-monitoring/application-logs)
- [Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics):
  - [Built-in connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-firewall)
  - [Sample queries](https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples)
  - [Workbook](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Azure%20Monitor%20Workbook)
  - [Dashboard](https://github.com/Azure/Azure-Sentinel/blob/master/Dashboards/Azure_Firewall.json)
  - [Enable collection using PowerShell](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Enable%20Diagnostic%20Logging/Powershell)
- [Azure Front Door](https://docs.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics)
- Azure Key Vault (AKV):
  - [Enable AKV diagnostics using the portal](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault#enable-key-vault-diagnostics-in-the-portal)
  - [Enable AKV diagnostics using PowerShell](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault#enable-key-vault-diagnostics-using-powershell)
  - [AKV log schema](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault#azure-monitor-log-records)
  - [AKV detection rules](https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureDiagnostics)
- Azure Kubernetes Service (AKS):
  - Blog post: [Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-azure-kubernetes-service-aks-with-azure-sentinel/ba-p/1583204)
  - Documentation: [Enable Azure Monitor for containers](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-onboard) (AKS)
- [Azure Logic Apps](https://www.serverlessnotes.com/docs/azure-logic-apps-insights-using-log-analytics)
- Azure Management Groups activity logs:
  - [Use the API to turn on diagnostic settings](https://docs.microsoft.com/en-us/rest/api/monitor/managementgroupdiagnosticsettings)
- Azure NSG:
  - [Flow logs](https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics)
  - [Rule activation](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log)
- Azure Security Center (ASC):
  - Azure Sentinel has a [built-in connector for getting ASC alerts](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center). You may also want to review the ASC [alert list](https://docs.microsoft.com/en-us/azure/security-center/alerts-reference) and [alert schema](https://docs.microsoft.com/en-us/azure/security-center/alerts-schemas?tabs=schema-sentinel).
  - Use [ASC's continuous export feature](https://docs.microsoft.com/en-us/azure/security-center/continuous-export) to get ASC's recommendations into Sentinel.
- [Azure SQL Audit log](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-2)
- [Azure Site Recovery](https://docs.microsoft.com/en-us/azure/site-recovery/monitor-log-analytics)
- Azure Storage:
  - [Setting up diagnostics](https://docs.microsoft.com/en-us/azure/storage/common/monitor-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-powershell)
  - [Custom collection using an Azure Function](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/AzureStorage) and [hunting use cases](https://techcommunity.microsoft.com/t5/azure-sentinel/creating-digital-tripwires-with-custom-threat-intelligence-feeds/ba-p/1320981) (based on the custom collection)
- Azure WAF:
  - [Built-in connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-waf)
  - [Workbook](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Azure%20Monitor%20Workbook)
I%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Network-Security%2Ftree%2Fmaster%2FAzure%2520WAF%2FEnable%2520Diagnostic%2520Logging%2FPowershell%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EEnable%20collection%20using%20PowerShell%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcosmos-db%2Fcosmosdb-monitor-resource-logs%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ECosmos%20DB%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3ELog%20Analytics%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fquery-audit%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ecollect%20query%20auditing%20and%20other%20metrics%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-750577499%22%20id%3D%22toc-hId-1723707738%22%3EModern%20Workplace%2C%20servers%20and%20workstations%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3EDesktop%20Analytics%20-%20Just%20use%20your%20Sentinel%20workspace%20when%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsccm%2Fdesktop-analytics%2Ftutorial-windows10%23set-up-desktop-analytics%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Econfiguring%20Desktop%20Analytics%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EIntune%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Freview-logs-using-azure-monitor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConnect%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fsecure-working-from-home-deep-insights-at-enrolled-mem-assets%2Fba-p%2F1424255%22%20target%3D%22_self%22%3EUse%20cases%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2
Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fcollect-sccm%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESCCM%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EWindows%20Virtual%20Desktop%3A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-log-analytics%23push-diagnostics-data-to-your-workspace%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESetup%20diagnostics%20using%20the%20portal%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-log-analytics%23example-queries%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Esampels%20queries%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-log-analytics%23push-diagnostics-data-to-your-workspace%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESetup%20diagnostics%20using%20PowerShell%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-log-analytics%23example-queries%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESample%20queries%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-role-service%23common-error-scenarios%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ECommon%20error%20codes%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EBlog%20post%20covering%20connecting%20and%20using%3A%26nbsp%3B%3CA%20id%3D%22link_7%22%20class%3D%22page-link%20lia-link-navigation%20lia-custom-event%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fmonitoring-windows-virtual-desktop-environments-fall-2019%2Fba-p%2F1356632%22%20t
arget%3D%22_blank%22%20rel%3D%22noopener%22%3EMonitoring%20Windows%20Virtual%20Desktop%20environments%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFor%20additional%20collection%20capabilities%20from%20servers%20and%20workstations%2C%20read%20about%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FAzure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS%2Fba-p%2F811760%22%20target%3D%22_self%22%3Ecollecting%20using%20the%20Log%20Analytics%20agent%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1056876964%22%20id%3D%22toc-hId--828449223%22%3EOffice%20and%20Power%20Apps%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3EOffice%20365%26nbsp%3BSharePoint%2C%20OneDrive%20and%20Exchange%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-office-365%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ethe%20built%20in%20connector%3C%2FA%3E%3CUL%3E%0A%3CLI%3EThe%20connector%20collects%20data%20in%20the%20SharePoint%20and%20Exchange%20schemas%20(and%20related%20Common%20schema)%20of%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice%2Foffice-365-management-api%2Foffice-365-management-activity-api-schema%23office-365-management-api-schemas%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EOffice%20Management%20Activity%20API%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOther%20Office%20365%20workloads%20including%20PowerBI%2C%20Tammer%2C%20Sway%2C%20Forms%20and%20others%3A%3CUL%3E%0A%3CLI%3EUse%20Either%20a%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%2FGet-O365Data%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ELogic%20App%3C%2FA%3E%20or%20an%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FDataConnectors%
2FO365%2520Data%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20function%3C%2FA%3E%20custom%20connector%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EMicrosoft%20Cloud%20App%20Security%3CUL%3E%0A%3CLI%3EAlerts%20and%20discovery%20logs%20are%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-cloud-app-security%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Esupported%20out%20of%20the%20box%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EUse%20CEF%20for%20activity%20log%20as%20described%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FIngest-Box-com-activity-events-via-Microsoft-Cloud-App-Security%2Fba-p%2F1072849%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOffice%20365%20DLP%20alerts%3A%3CUL%3E%0A%3CLI%3Esupported%20as%20part%20of%20the%20built-in%20Office%20365%20connect.%20See%20details%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FIngest-Office-365-DLP-Events-into-Azure-Sentinel%2Fba-p%2F1031820%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3ETeams%3A%3CUL%3E%0A%3CLI%3ECollect%20Teams%20management%20activity%20using%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fprotecting-your-teams-with-azure-sentinel%2Fba-p%2F1265761%22%20target%3D%22_self%22%3ELogic%20Apps%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FDataConnectors%2FO365%2520Data%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Functions%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ECollect%20Teams%20call%20logs%20using%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fsecure-your-calls-monitoring-microsoft-teams-callrecords%2Fba-p%2F1574600%22%20target%3
D%22_self%22%3ELogic%20Apps%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fprotecting-your-teams-with-azure-sentinel%2Fba-p%2F1265761%22%20target%3D%22_self%22%3EHunting%20use%20cases%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fmedium.com%2F%40ko.sharon%2Fgraph-visualization-of-external-ms-teams-collaborations-in-azure-sentinel-32c98e5a0a15%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGraph%20Visualization%20of%20External%20MS%20Teams%20Collaborations%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%3CBR%20%2F%3E%3CH3%20id%3D%22toc-hId-1430635869%22%20id%3D%22toc-hId-914361112%22%3EDevevelopment%20tools%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdevops%2Forganizations%2Faudit%2Fauditing-streaming%3Ftoc%3D%252Fazure%252Fdevops%252Fsecurity-access-billing%252Ftoc.json%26amp%3Bbc%3D%252Fazure%252Fdevops%252Fsecurity-access-billing%252Fbreadcrumb%252Ftoc.json%26amp%3Bview%3Dazure-devops%23set-up-an-azure-monitor-log-stream%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20DevOps%3C%2FA%3E%26nbsp%3B(The%20telemtry%20is%20stored%20in%26nbsp%3BAzureDevOpsAuditing)%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fprotecting-your-github-assets-with-azure-sentinel%2Fba-p%2F1457721%22%20target%3D%22_self%22%3EGitHub%3A%26nbsp%3BLogic%20Apps%20based%20collector%2C%20detection%20and%20hunting%20queries%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--376818594%22%20id%3D%22toc-hId--1637795849%22%3EOn-prem%20an%20IaaS%20using%20the%20Microsoft%20Log%20Analytics%20agent%3C%2FH3%3E%0A%3CP%3EFor%20more%20information%20on%20using%20the%20agent%20and%20this%20sources%2C%20refer%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.m
icrosoft.com%2Ft5%2Fazure-sentinel%2Fazure-sentinel-agent-collecting-from-servers-and-workstations-on%2Fba-p%2F811760%22%20target%3D%22_self%22%3EAzure%20Sentinel%20Agent%3A%20Collecting%20from%20servers%20and%20workstations%2C%20on-prem%20and%20in%20the%20cloud.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EActive%20Directory%20(using%20Security%20Events%20below)%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-iis-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EIIS%3C%2FA%3E%26nbsp%3Blogs%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-dns%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20DNS%20servers%3C%2FA%3E%26nbsp%3B(built-in%20connector)%3C%2FLI%3E%0A%3CLI%3E%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-firewall%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWindows%20Firewall%3C%2FA%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3B(built-in%20connector)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWindows%20Security%20Events%3C%2FA%3E%26nbsp%3B(built-in%20connector)%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flearn%2Fquick-collect-windows-computer%23collect-event-and-performance-data%22%20target%3D%22_self%22%20rel%3D%22noopener%20n
oreferrer%20noopener%20noreferrer%22%3EOther%20Windows%20Events%3C%2FA%3E%2C%20including%20%3CA%20href%3D%22https%3A%2F%2Fmedium.com%2F%2540olafhartong%2Fusing-sysmon-in-azure-sentinel-883eb6ffc431%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESysmon%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fauditing%2Fwrite-sql-server-audit-events-to-the-security-log%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESQL%20Server%3C%2FA%3E%26nbsp%3B(Using%20Windows%20Events%20above)%26nbsp%3B%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fmonitoring-sql-server-with-azure-sentinel%2Fba-p%2F1502960%22%20target%3D%22_self%22%3EParser%2C%20detection%20rules%20and%20hunting%20queries%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Finsights%2Fvminsights-overview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EVM%20Insights%3C%2FA%3E%3A%20network%20connections%2C%20open%20ports%2C%20processes%2C%20and%20general%20computer%20information%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Finsights%2Fvminsights-log-search%23map-records%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESchema%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Finsights%2Fvminsights-log-search%23sample-map-queries%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESample%20queries%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor
%2Finsights%2Fwire-data%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWire%20Data%3A%3C%2FA%3E%26nbsp%3BsFlow-like%20data%20collected%20by%20the%20agent%20(being%20replaced%20by%20VM%20Insights%20above)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3EThe%20Windows%20firewall%20writes%20logs%20to%20files%20which%20are%20collected%20and%20sent%26nbsp%3B%20by%20the%20agent%20when%20files%20are%20rotated.%20This%20leads%20to%20additional%20collections%20latency%2C%20which%20can%20be%20controlled%20by%20changing%20the%20log%20file%20size%20as%20described%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-firewall%2Fconfigure-the-windows-firewall-log%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-792669%22%20slang%3D%22en-US%22%3E%3CP%3EEver%20wondered%20how%20to%20connect%20Azure%20Estate%2C%20Azure%20PaaS%20services%20or%20even%20Intune%20telemetry%20to%20Azure%20Sentinel%3F%20Learn%20how%20to%20do%20it%20here.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-792669%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConnectors%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This is part of a series of blog posts on connectors. You might also find what you are looking for here:

 

In this blog post:

  • The Azure Monitor collection framework
  • How to connect Azure resources to Azure Sentinel
  • Understanding the Azure monitor schema
  • Collecting from specific Microsoft and Azure sources 

 

Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed on Sentinel's connectors page and in the documentation. However, Sentinel can collect logs from most Azure services and other Microsoft products, even those not listed there.

 

The Azure Monitor collection framework

 

Azure Monitor, and its Log Analytics module, is the underlying log management platform powering Azure Sentinel. As such, any source that sends logs to Azure Monitor or Log Analytics inherently supports Azure Sentinel. Most Azure and Microsoft solutions support sending telemetry to Azure Monitor. You can read more about Azure Monitor collection here: "Collect Azure platform logs in Log Analytics workspace in Azure Monitor."

 

How can I collect from a supported Azure source?

 

The following is a guide to connecting a resource to Log Analytics/Azure Sentinel using the portal. The actual portal flow may differ from resource to resource.

 

To send a service's logs to Sentinel, pick the service (1), select "Activity Log" from the menu (2), and then click the "Logs" button (3). Note that on this screen, before pressing "Logs," you can review the information that will be sent to Sentinel.

 


 

On the next screen, click "Add," then "Select workspace," and select the Sentinel workspace. In some cases, the service provides diagnostic telemetry but not audit logs. In such cases, use "Diagnostic settings" instead of "Activity Log" and select "Add diagnostic setting." Some sources do not use the method outlined above; for those, the instructions below will help.

 

Understanding and using the events

 

You can read more about the structure of the events received by Azure Monitor here. The telemetry may be stored in the AzureDiagnostics table or in a dedicated table depending on the mode used by the source.

 

Each event includes several standard fields such as time, Resource ID, and Tenant ID, as described here, as well as per-resource fields. Several standard fields available in every Log Analytics table (not just Azure resource tables), such as TimeGenerated, Type, and billing information, are listed here.

 

Also, you can find a full reference (still under construction) to the Azure Monitor table schema for all sources, not just Azure ones, here. The Azure Monitor GitHub repository contains queries and workbooks for many Azure services that can provide a starting point for understanding the logs they send.
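As an added example (not code from the original post), the portal steps from "How can I collect from a supported Azure source?" and the schema notes above, scripted: it lists a resource's diagnostic categories, routes them to the Sentinel workspace, and then queries AzureDiagnostics to confirm arrival and ingestion lag. It assumes the Az.Monitor module's Set-AzDiagnosticSetting cmdlet (Az.Monitor 3.0 and later replaced it with New-AzDiagnosticSetting), the Az.OperationalInsights module, and the placeholder resource and workspace names shown.

```powershell
# Added example, not code from the original post. Assumes the Az.Monitor and
# Az.OperationalInsights modules are installed and Connect-AzAccount has run.
# Every <placeholder> below is one you replace with your own values.
$ResourceId    = '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>'
$WorkspaceRg   = '<workspace-rg>'
$WorkspaceName = '<sentinel-workspace>'
$Workspace     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName

# 1. Review what the resource is able to send before enabling anything; this is
#    the same list the portal shows on the "Diagnostic settings" blade.
$categories       = Get-AzDiagnosticSettingCategory -ResourceId $ResourceId
$logCategories    = @($categories | Where-Object CategoryType -eq 'Logs'    | ForEach-Object Name)
$metricCategories = @($categories | Where-Object CategoryType -eq 'Metrics' | ForEach-Object Name)
Write-Host "Log categories:    $($logCategories -join ', ')"
Write-Host "Metric categories: $($metricCategories -join ', ')"

# 2. Route all log (and metric) categories to the Sentinel workspace. This is the
#    scripted equivalent of "Add diagnostic setting" -> "Send to Log Analytics".
#    Categories are added only when the resource actually exposes some, because
#    binding an empty array to -Category / -MetricCategory fails.
$settingParams = @{
    ResourceId  = $ResourceId
    Name        = 'send-to-sentinel'
    WorkspaceId = $Workspace.ResourceId
    Enabled     = $true
}
if ($logCategories.Count    -gt 0) { $settingParams.Category       = $logCategories }
if ($metricCategories.Count -gt 0) { $settingParams.MetricCategory = $metricCategories }
Set-AzDiagnosticSetting @settingParams | Out-Null

# 3. Confirm events are arriving, which Category each lands in, and how far behind
#    ingestion is. Resource logs land in AzureDiagnostics (or a resource-specific
#    table) with the standard ResourceId/Category columns; ResourceId is stored in
#    upper case there, so compare case-insensitively with =~.
$kql = @"
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceId =~ '$ResourceId'
| summarize Events = count(), LastSeen = max(TimeGenerated),
            AvgIngestionLag = avg(ingestion_time() - TimeGenerated) by Category
| order by Events desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace.CustomerId -Query $kql
$result.Results | Format-Table Category, Events, LastSeen, AvgIngestionLag
```

If step 3 returns nothing for a resource that exposes log categories, check whether the source writes to a resource-specific table instead of AzureDiagnostics; the table reference linked above lists which mode each source uses.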

 

The Big List

 

Azure Services

  • Azure NSG:
    • Flow logs (https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics)
    • Rule activation (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log)
  • Azure Security Center (ASC):
    • Azure Sentinel has a built-in connector for getting ASC alerts (https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center). You may also want to review the ASC alert list (https://docs.microsoft.com/en-us/azure/security-center/alerts-reference) and alert schema (https://docs.microsoft.com/en-us/azure/security-center/alerts-schemas?tabs=schema-sentinel).
    • Use ASC's continuous export feature (https://docs.microsoft.com/en-us/azure/security-center/continuous-export) to get ASC's recommendations into Sentinel.
  • Azure SQL Audit log (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-2)
  • Azure Site Recovery (https://docs.microsoft.com/en-us/azure/site-recovery/monitor-log-analytics)
  • Azure Storage:
    • Setting up diagnostics (https://docs.microsoft.com/en-us/azure/storage/common/monitor-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-powershell)
    • Custom collection using an Azure function (https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/AzureStorage) and hunting use cases based on the custom collection (https://techcommunity.microsoft.com/t5/azure-sentinel/creating-digital-tripwires-with-custom-threat-intelligence-feeds/ba-p/1320981)
  • Azure WAF:
    • Built-in connector (https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-waf)
    • Workbook (https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Azure%20Monitor%20Workbook)
    • Enable collection using PowerShell (https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Enable%20Diagnostic%20Logging/Powershell)
  • Cosmos DB (https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-monitor-resource-logs)
  • Log Analytics - collect query auditing and other metrics (https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit)

 

Modern Workplace, servers and workstations

  • Desktop Analytics - just use your Sentinel workspace when configuring Desktop Analytics (https://docs.microsoft.com/en-us/sccm/desktop-analytics/tutorial-windows10#set-up-desktop-analytics)
  • Intune:
    • Connect (https://docs.microsoft.com/en-us/intune/review-logs-using-azure-monitor)
    • Use cases (https://techcommunity.microsoft.com/t5/azure-sentinel/secure-working-from-home-deep-insights-at-enrolled-mem-assets/ba-p/1424255)
  • SCCM (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-sccm)
  • Windows Virtual Desktop:
    • Set up diagnostics using the portal (https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics#push-diagnostics-data-to-your-workspace) and sample queries (https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics#example-queries)
    • Set up diagnostics using PowerShell (https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics#push-diagnostics-data-to-your-workspace) and sample queries (https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics#example-queries)
    • Common error codes (https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-role-service#common-error-scenarios)
    • Blog post covering connecting and using: Monitoring Windows Virtual Desktop environments (https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-windows-virtual-desktop-environments-fall-2019/ba-p/1356632)

For additional collection capabilities from servers and workstations, read about collecting using the Log Analytics agent (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS/ba-p/811760).

 

Office and Power Apps

  • Office 365 SharePoint, OneDrive and Exchange using the built-in connector (https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365):
    • The connector collects data in the SharePoint and Exchange schemas (and the related Common schema) of the Office Management Activity API (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#office-365-management-api-schemas)
  • Other Office 365 workloads, including Power BI, Yammer, Sway, Forms and others:
    • Use either a Logic App (https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-O365Data) or an Azure Function (https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) custom connector
  • Microsoft Cloud App Security:
    • Alerts and discovery logs are supported out of the box (https://docs.microsoft.com/en-us/azure/sentinel/connect-cloud-app-security)
    • Use CEF for the activity log, as described here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingest-Box-com-activity-events-via-Microsoft-Cloud-App-Security/ba-p/1072849
  • Office 365 DLP alerts:
    • Supported as part of the built-in Office 365 connector. See details here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingest-Office-365-DLP-Events-into-Azure-Sentinel/ba-p/1031820
  • Teams:
    • Collect Teams management activity using Logic Apps (https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761) or Azure Functions (https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data)
    • Collect Teams call logs using Logic Apps (https://techcommunity.microsoft.com/t5/azure-sentinel/secure-your-calls-monitoring-microsoft-teams-callrecords/ba-p/1574600)
    • Hunting use cases (https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761)
    • Graph Visualization of External MS Teams Collaborations (https://medium.com/@ko.sharon/graph-visualization-of-external-ms-teams-collaborations-in-azure-sentinel-32c98e5a0a15)

Development tools

  • Azure DevOps (https://docs.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?toc=%2Fazure%2Fdevops%2Fsecurity-access-billing%2Ftoc.json&bc=%2Fazure%2Fdevops%2Fsecurity-access-billing%2Fbreadcrumb%2Ftoc.json&view=azure-devops#set-up-an-azure-monitor-log-stream). The telemetry is stored in the AzureDevOpsAuditing table.
  • GitHub: Logic Apps based collector, detection and hunting queries (https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-github-assets-with-azure-sentinel/ba-p/1457721)

 

On-prem and IaaS using the Microsoft Log Analytics agent

For more information on using the agent and these sources, refer to Azure Sentinel Agent: Collecting from servers and workstations, on-prem and in the cloud (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-agent-collecting-from-servers-and-workstations-on/ba-p/811760).

  • Active Directory (using Security Events below)
  • IIS logs (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs)
  • Microsoft DNS servers (built-in connector: https://docs.microsoft.com/en-us/azure/sentinel/connect-dns)
  • Windows Firewall (built-in connector: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall)
  • Windows Security Events (built-in connector: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)
  • Other Windows Events (https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-windows-computer#collect-event-and-performance-data), including Sysmon (https://medium.com/@olafhartong/using-sysmon-in-azure-sentinel-883eb6ffc431)
  • SQL Server (using Windows Events above: https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-ver15)
    • Parser, detection rules and hunting queries (https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960)
  • VM Insights (https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview): network connections, open ports, processes, and general computer information (Schema: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-log-search#map-records, Sample queries: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-log-search#sample-map-queries)
  • Wire Data (https://docs.microsoft.com/en-us/azure/azure-monitor/insights/wire-data): sFlow-like data collected by the agent (being replaced by VM Insights above)

The Windows firewall writes logs to files, which are collected and sent by the agent when the files are rotated. This leads to additional collection latency, which can be controlled by changing the log file size as described here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log

7 Comments
New Contributor

@Ofer_Shezaf 

 

Thanks for the post, quite informative. 

Could you please guide us on how we can integrate Office 365 Threat Protection and Information Governance alerts with Sentinel?

Also, it would be really good if playbook integration could be made available with Azure services analytic rules, e.g. ASC, ATP Defender, MCAS and Identity Protection etc.

 

Many thanks in advance,

Microsoft

@jvaidya :

 

Private preview for Office 365 ATP alerts ingestion is starting very soon. Join our Private Previews program to get details.

 

As to playbooks: what is the workflow you are looking for? What should those playbooks do?

 

~ Ofer

New Contributor

@Ofer_Shezaf , thanks for the info...

And we are also looking for Office 365 alert ingestion with Sentinel; is there any update on that?

 

PS: I have tried ingesting Office 365 alerts from the management API using Logic Apps, with reference to a blog in the Tech Community; however, the details of the alerts are majorly missing....

New Contributor

@Ofer_Shezaf Thanks for the reply. Glad to know the private preview for Office 365 alerts is starting soon; I will get myself registered for the private preview.

 

e.g. Out-of-the-box rules (rule templates) for these services can create incidents based on all alerts generated, but these rules do not allow any integration of playbooks. Obviously, the other option, which we are following, is to create scheduled query rules for these services' alerts as well, but as useful entity information (IP, URL, Account Name etc.) is usually in the description or other fields of the alert, mapping with entities becomes a bit challenging.

Microsoft

@jvaidya : incident triggers, which will allow triggering playbooks for incidents of all types, are expected to be in preview in a few weeks.

Occasional Contributor

Great post @Ofer_Shezaf. Have shared on my LinkedIn network.

Senior Member

Can I ingest logs from Azure Front Door into Sentinel?