KQL, short for Kusto Query Language, is really great for querying data sets like the Sign-in Logs and Audit Logs in Azure AD. KQL is what Microsoft Sentinel uses under the hood for discovering threats, detections and anomalies in larger data sets. But you can also use it to retrieve simpler log entries like:

- How often is a user elevating into an Azure AD administrative role in PIM.
- When was a user added to or removed from a specific Azure AD security group.

Since logs in Azure AD are usually deleted after 7-30 days depending on tenant licensing, it's important to export these logs to a Log Analytics workspace for safekeeping. If the logs aren't exported, there is no way to retrieve them once they are deleted. You never know when you need to figure out when something happened and who or what actually did it, so having the logs available is key both for security and compliance.

To learn more about KQL I highly recommend KQL for Microsoft Sentinel by Matt Zorich and Must Learn KQL by Rod Trent. Now let's get set up for running KQL queries in PowerShell:

- Verify Azure AD diagnostic settings for log export.
- Query Log Analytics from the Azure AD portal.

Verify Azure AD diagnostic settings for log export

Check if the Azure AD tenant is already exporting logs by visiting the Diagnostic settings blade in the Azure AD portal; any attached Log Analytics workspace will be displayed there. If the Azure AD tenant isn't currently exporting logs to a Log Analytics workspace, see Microsoft's documentation on how to get started: Integrate Azure AD logs with Azure Monitor logs.

Query Log Analytics from the Azure AD portal

Go to the Log Analytics blade within the Azure AD portal. You will need the Reader role on the Log Analytics workspace to query the data. In the query box, input the following KQL and click Run:

```kql
SigninLogs
| where AppDisplayName has "Azure Portal"
```

The results should show all successful Azure portal sign-ins logged in the last 24 hours. Not the most interesting query, but the point is just to show that it works. Using the Log Analytics blade within the Azure AD portal grants quick and easy access to log data, and allows you to play around with queries. Also note that with exported Azure AD log data available in a Log Analytics workspace, the built-in workbooks in the Azure AD portal will light up as well.
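Running the same kind of query from PowerShell instead of the portal, as an added example that is not part of the original post: it wraps the Az.OperationalInsights cmdlet Invoke-AzOperationalInsightsQuery in a hypothetical helper, reruns the portal sign-in query narrowed to successful sign-ins, and answers one of the audit-log questions raised above (group membership changes). It assumes the Az.OperationalInsights module is installed, Connect-AzAccount has been run, the account holds Reader on the workspace, and the workspace ID and group name are placeholders.

```powershell
# Added example, not code from the original post. Runs KQL against the
# Log Analytics workspace that receives the Azure AD logs, using the
# Az.OperationalInsights module (Install-Module Az.OperationalInsights).
# Assumptions: Connect-AzAccount has already been run, and the account has
# Reader on the workspace. The workspace ID below is a placeholder.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: Workspace ID (GUID)

function Invoke-AadLogQuery {
    # Hypothetical helper: run one KQL query over the last $Hours hours
    # and return the result rows as objects.
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$Hours = 24
    )
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $Query -Timespan (New-TimeSpan -Hours $Hours)
    return $result.Results
}

# The post's portal query, narrowed to successful sign-ins. ResultType "0"
# means success; any other code is a failure (wrong password, MFA required...).
$portalSignIns = @'
SigninLogs
| where AppDisplayName has "Azure Portal"
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ConditionalAccessStatus
| order by TimeGenerated desc
'@

# One of the questions the post raises: who added or removed members of a
# given security group, and when? "Example Group" is a constructed placeholder;
# the string match on TargetResources is a coarse filter on the group name.
$groupChanges = @'
AuditLogs
| where OperationName in ("Add member to group", "Remove member from group")
| where tostring(TargetResources) has "Example Group"
| extend Actor  = tostring(InitiatedBy.user.userPrincipalName),
         Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Actor, Target, Result
| order by TimeGenerated desc
'@

Invoke-AadLogQuery -Query $portalSignIns | Format-Table -AutoSize
Invoke-AadLogQuery -Query $groupChanges -Hours 168 | Format-Table -AutoSize
```

The second call looks back seven days (168 hours), since group changes are rarer than portal sign-ins.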