News

Azure Monitor Now Displays Azure Active Directory Activity Logs Info

• By Kurt Mackie
• 04/23/2019

The Activity Logs feature of Azure Active Directory is now integrated with Azure Monitor, according to a Microsoft announcement on Tuesday.

The ability to access those logs in Azure Monitor is now at the "general availability" stage, meaning that it's deemed ready for commercial use by Microsoft. The capability was at the preview stage back in July. The integration opens up avenues for IT pros to discover what's happening within computing environments, particularly with regard to tasks performed (via audit logs) and end user sign-in activities (via sign-in logs).

Such information can be useful when investigating a security breach or sign-in failures, suggested Mark Morowczynski, a principal program manager at Microsoft, in a March Microsoft Q&A blog post on the topic:

You'll need this stuff for your day-to-day troubleshooting but more importantly for compliance, investigating a security event, data changes affecting dynamic group memberships. And when you want to see the rubber really hit the road, you'll need this for due diligence if you must disclose a compromise. Being able to show that only a handful accounts were accessed versus the entire population will be a huge, huge deal. You can thank me later.

The integration of Azure AD Activity Logs with Azure Monitor makes it easier to visualize the log data in a graphical display. However, there's also an API that can be used with security information and event management (SIEM) solutions. Supported SIEM solutions include Sumologic, ArcSight and Splunk, which all integrate with Azure Monitor to show Azure AD Activity Logs information. The logs get routed to an Azure event hub and IT pros then integrate the event hub with the SIEM solution.

IBM QRadar integration was mentioned during the preview stage. However, it wasn't described as a supported SIEM option in Microsoft's Tuesday announcement.

Microsoft provides prebuilt report templates called "Workbooks" that can display information about things like user sign-in successes and failures, legacy authentication use and conditional access use. The templates can be modified, or IT pros can create their own reports. Using the Workbooks requires having Azure AD Premium P1 or P2 licensing in place.

Reports from Azure AD Activity Logs can be viewed by "Global Admins, Security Admins, Security Readers and Reports Readers," according to Morowczynski. He further noted that the reports that can be viewed will depend on whether an organization has Azure AD P1 or P2 licensing. He explained that "P2 will have the most detailed information about all underlying risk events and enables you to configure security policies that automatically respond to configured risk levels." The reports can be graphically enhanced using the Azure AD Content Pack, he added.

Microsoft had described integrating its Azure AD Activity Logs into an Azure Log Analytics service back in October, but apparently there aren't two separate products despite that description. For instance, a Microsoft Q&A suggested that the Azure Monitor integration is the same product.

"The new Logs experience in Azure Monitor is exactly the same as the [Azure] Log Analytics queries that many customers have already been using," the Q&A explained.