---
title: Stream Microsoft Entra logs to an event hub
description: Learn how to stream Microsoft Entra activity logs to an event hub for SIEM tool integration and analysis.
ms.topic: how-to
ms.date: 09/27/2024
ms.reviewer: egreenberg
ms.custom: sfi-image-nochange
---

How to stream activity logs to an event hub

Your Microsoft Entra tenant produces large amounts of data every second. Sign-in activity and logs of changes made in your tenant add up to so much data that it can be hard to analyze. Integrating with Security Information and Event Management (SIEM) tools can help you gain insights into your environment.

This article shows how you can stream your logs to an event hub, to integrate with one of several SIEM tools.

Prerequisites

Stream logs to an event hub

[!INCLUDE diagnostic-settings-include]

  1. Select the Stream to an event hub check box.

  2. Select the Azure subscription, Event Hubs namespace, and optional event hub where you want to route the logs.

The subscription and Event Hubs namespace must both be associated with the Microsoft Entra tenant from where you're streaming the logs.

Once you have the Azure event hub ready, navigate to the SIEM tool you want to integrate with the activity logs. The process is finished in the SIEM tool.

We currently support Splunk, SumoLogic, and ArcSight. The following sections cover each tool in turn; refer to the tool's own documentation for details beyond what is shown here.

To use this feature, you need the Splunk Add-on for Microsoft Cloud Services.

Integrate Microsoft Entra logs with Splunk

  1. Open your Splunk instance and select Data Summary.

    [Screenshot: the "Data Summary" button]

  2. Select the Sourcetypes tab, and then select mscs:azure:eventhub.

    [Screenshot: the Data Summary Sourcetypes tab]

  3. Append body.records.category=AuditLogs to the search. The Microsoft Entra audit logs are shown in the following figure:

    [Screenshot: activity logs in the Splunk search results]

If you can't install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this Azure function, which is triggered by new messages in the event hub.

To use this feature, you need a SumoLogic single sign-on enabled subscription.

Integrate Microsoft Entra logs with SumoLogic

  1. Configure your SumoLogic instance to collect logs for Microsoft Entra ID.

  2. Install the Microsoft Entra SumoLogic app to use the preconfigured dashboards that provide real-time analysis of your environment.

    [Screenshot: Microsoft Entra SumoLogic app dashboard]

To use this feature, you need a configured instance of ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or ArcSight Load Balancer. If the events are sent to ArcSight Load Balancer, they're sent to the SmartConnector by the Load Balancer.

Download and open the configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs. This guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor.

Integrate Microsoft Entra logs with ArcSight

  1. Complete the steps in the Prerequisites section of the ArcSight configuration guide. This section includes the following steps:

    • Set user permissions in Azure to ensure there's a user with the owner role to deploy and configure the connector.
    • Open ports on the server with Syslog NG Daemon SmartConnector so it's accessible from Azure.
    • The deployment runs a PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector.
  2. Follow the steps in the Deploying the Connector section of the ArcSight configuration guide to deploy the connector. This section walks you through how to download and extract the connector, configure application properties and run the deployment script from the extracted folder.

  3. Use the steps in the Verifying the Deployment in Azure section to make sure the connector is set up and functions correctly. Verify the following:

    • The requisite Azure functions are created in your Azure subscription.
    • The Microsoft Entra logs are streamed to the correct destination.
    • The application settings from your deployment are persisted in the Application Settings in Azure Function Apps.
    • A new resource group for ArcSight is created in Azure, with a Microsoft Entra application for the ArcSight connector and storage accounts containing the mapped files in CEF format.
  4. Complete the post-deployment steps in the Post-Deployment Configurations section of the ArcSight configuration guide. This section explains how to perform additional configuration if you're on an App Service Plan to prevent the function apps from going idle after a timeout period, how to configure streaming of resource logs from the event hub, and how to update the Syslog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account.

  5. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. There's also a section on performance improvements, including upgrading to an Azure Consumption plan and configuring an ArcSight Load Balancer if the event load is greater than what a single Syslog NG Daemon SmartConnector can handle.


Activity log integration options and considerations

If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up custom tooling by using the Event Hubs API. To learn more, see Getting started receiving messages from an event hub.

IBM QRadar is another option for integrating with Microsoft Entra activity logs. The DSM and Azure Event Hubs Protocol are available for download at IBM support. For more information about integration with Azure, go to the IBM QRadar Security Intelligence Platform 7.3.0 site.

Some sign-in categories contain large amounts of log data, depending on your tenant’s configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins.
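The following Python script is an added example, not code from the Microsoft Learn article or from any of the SIEM vendors it names. It shows what the custom tooling mentioned above has to do once messages arrive from the event hub: unwrap the Azure Monitor envelope, filter records by category (the same `category` field the Splunk search above keys on), measure how much of the volume the non-interactive and service principal sign-in categories account for, and emit a CEF line for downstream tools. Assumptions are labelled in the code: the envelope shape `{"records": [...]}` is the Azure Monitor diagnostic-settings format, the category names are the Microsoft Entra diagnostic-setting category names, the CEF field mapping is a simplified illustrative one rather than the ArcSight connector's own mapping, and the sample messages are constructed.

```python
"""Consumer-side handling of Microsoft Entra activity logs delivered to an event hub.

Added example (not from the article). Assumptions:
- each event-hub message body is a JSON envelope {"records": [...]} (Azure Monitor shape);
- category names are the Entra diagnostic-setting names (AuditLogs, SignInLogs,
  NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs);
- the CEF mapping is a simplified illustration, not ArcSight's connector mapping.
"""
import json
from collections import Counter
from typing import Callable, Iterable, Iterator

# Categories the article singles out as 5 to 10 times larger than interactive sign-ins.
HIGH_VOLUME_CATEGORIES = {"NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs"}


def parse_envelope(body: str) -> list[dict]:
    """Return the records in one message; reject anything that is not a records envelope."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not JSON: {exc}") from None
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body has no 'records' array")
    # Drop anything that is not a record with a category; the SIEM cannot route it.
    return [r for r in records if isinstance(r, dict) and "category" in r]


def select_category(messages: Iterable[str], category: str) -> Iterator[dict]:
    """Equivalent of the Splunk filter body.records.category=<category>."""
    for body in messages:
        for rec in parse_envelope(body):
            if rec["category"] == category:
                yield rec


def count_by_category(messages: Iterable[str]) -> Counter:
    """Tally records per category across a batch of messages."""
    counts: Counter = Counter()
    for body in messages:
        for rec in parse_envelope(body):
            counts[rec["category"]] += 1
    return counts


def high_volume_share(counts: Counter) -> float:
    """Fraction of records that come from the high-volume sign-in categories."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[c] for c in HIGH_VOLUME_CATEGORIES) / total


def _cef_header(value: object) -> str:
    # CEF header fields escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: object) -> str:
    # CEF extension values escape backslash, '=', and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec: dict) -> str:
    """Render one record as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    Field choices are an illustrative mapping, not ArcSight's."""
    props = rec.get("properties") or {}
    header = "|".join(_cef_header(v) for v in (
        "Microsoft", "Microsoft Entra ID", "1.0",
        rec.get("category", ""), rec.get("operationName", ""), "3"))
    ext = {
        "rt": rec.get("time", ""),
        "cat": rec.get("category", ""),
        "act": rec.get("operationName", ""),
        "suser": props.get("userPrincipalName", ""),
        "src": props.get("ipAddress", ""),
        # Sign-in records carry resultType "0" on success (assumed from the log schema).
        "outcome": "Success" if str(rec.get("resultType", "")) == "0" else "Failure",
    }
    return "CEF:0|" + header + "|" + " ".join(
        f"{k}={_cef_ext(v)}" for k, v in ext.items() if v != "")


def run_consumer(conn_str: str, eventhub_name: str, handle: Callable[[dict], None]) -> None:
    """Wire parse_envelope into the azure-eventhub SDK (pip install azure-eventhub).
    Optional dependency, imported lazily; not exercised offline."""
    from azure.eventhub import EventHubConsumerClient
    client = EventHubConsumerClient.from_connection_string(
        conn_str, consumer_group="$Default", eventhub_name=eventhub_name)

    def on_event(partition_context, event):
        if event is None:
            return
        for rec in parse_envelope(event.body_as_str()):
            handle(rec)
        partition_context.update_checkpoint(event)

    with client:
        client.receive(on_event=on_event, starting_position="-1")


# Constructed sample: two event-hub message bodies, plus one record without a category.
SAMPLE_MESSAGES = [
    json.dumps({"records": [
        {"time": "2024-09-27T10:00:00Z", "category": "AuditLogs",
         "operationName": "Add member to group", "resultType": "0"},
        {"time": "2024-09-27T10:00:01Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "50126",
         "properties": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.5"}},
        {"time": "2024-09-27T10:00:02Z"},
    ]}),
    json.dumps({"records": (
        [{"category": "NonInteractiveUserSignInLogs", "operationName": "Sign-in activity",
          "resultType": "0"}] * 3
        + [{"category": "ServicePrincipalSignInLogs", "operationName": "Sign-in activity",
            "resultType": "0"}] * 2)}),
]

if __name__ == "__main__":
    counts = count_by_category(SAMPLE_MESSAGES)
    print(dict(counts), f"high-volume share={high_volume_share(counts):.2f}")
    for rec in select_category(SAMPLE_MESSAGES, "SignInLogs"):
        print(to_cef(rec))
```

The share figure is the number to watch when sizing an event hub or a SIEM license: in the constructed sample the two high-volume categories already make up five of seven records, and in a real tenant the article's 5x to 10x ratio means they dominate. Filtering by `category` before forwarding is the cheapest place to cut that volume if a SIEM only needs audit and interactive sign-in data.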

Next steps