* Update active-directory-azure.md
cleaned up and removed references to old collection methods no longer supported
* Update docs/integrations/microsoft-azure/active-directory-azure.md
* Updates from review
* Cropped out empty space from MS Diagnostic image for readability
---------
Co-authored-by: Kim (Sumo Logic) <[email protected]>
Co-authored-by: John Pipkin <[email protected]>
Co-authored-by: Kim Pohas <[email protected]>
docs/integrations/microsoft-azure/active-directory-azure.md: 13 additions & 13 deletions
@@ -28,18 +28,18 @@ The Sumo Logic app for Azure Active Directory presents information about activit
28
28
29
29
## Collect logs for the Azure Active Directory app
30
30
31
-
To set up the logs collection in Sumo Logic, refer to [Azure Event Hubs Source for Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/).
32
-
33
-
When you configure the event hubs source, plan your source category to ease the querying process. A hierarchical approach allows you to make use of wildcards. For example: `Azure/AAD/Logs`.
34
-
35
-
### Export Azure Active Directory logs to Event Hub
36
-
37
-
In this task, you export logs for your Azure Active Directory app. For related information see [Send Logs to Azure Monitor](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor) in the Azure help documentation.
38
-
39
-
While exporting logs for an Azure Active Directory app, do the following:
40
-
***Event hub namespace.** If you have chosen Method 1 (Azure Event Hubs Source) for collecting logs, select the **EventHubNamespace** created manually, or else if you have chosen Method 2 (Collect logs from Azure monitor using Azure functions), then select `SumoAzureLogsNamespace<UniqueSuffix>` namespace created by the ARM template.
41
-
***Event hub name (optional).** If you have chosen Method 1 (Azure Event Hub Source) for collecting logs, select the event hub name, which you created manually, or if you have chosen Method 2 (Collect logs from Azure monitor using Azure functions), then select **insights-operational-logs**.
1. Follow the directions outlined in [Azure Event Hubs Source for Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/) to create an Azure event hub with the proper credentials, and to configure the event hub source in Sumo Logic.
33
+
2. Follow the directions outlined in Microsoft Entra to [stream activity logs to an event hub](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-stream-logs-to-event-hub?tabs=SumoLogic).
34
+
1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
35
+
1. Browse to **Identity** > **Monitoring & health** > **Diagnostic settings**. You can also select **Export Settings** from either the **Audit Logs** or **Sign-ins** page.
36
+
1. Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** for an existing integration.
37
+
1. Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name.
38
+
1. Select the log categories that you want to stream ([Audit and Sign-in logs](https://docs.microsoft.com/en-us/azure/active-directory/reporting-azure-monitor-diagnostics-overview#supported-reports)).
39
+
1. Select the **Stream to an event hub** check box.
40
+
1. Select the Azure subscription, event hubs namespace, and event hub where you want to route the logs.<br/><img src={useBaseUrl('img/integrations/microsoft-azure/diagnostic-setting.png')} style={{border: '1px solid gray'}} alt="diagnostic-setting" width="800"/>
41
+
42
+
When you configure the event hubs source, define your source category to ease the querying process. A hierarchical approach allows you to make use of wildcards. For example: `Azure/AAD/Logs`.
43
43
44
44
## Install the Azure Active Directory app
45
45
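Review bot: step 7 of the new procedure (file line 40) tells the reader to select "the Azure subscription, event hubs namespace, and event hub" without saying which one, whereas the removed bullets named the namespace and the `insights-operational-logs` hub explicitly; suggest "select the event hub you created in step 1 via Azure Event Hubs Source for Logs" so the routing target is unambiguous and logs cannot be sent to the wrong hub. Two smaller points: the log-categories link in step 5 still uses the legacy `docs.microsoft.com/en-us/azure/active-directory/reporting-azure-monitor-diagnostics-overview#supported-reports` URL while the neighbouring links were moved to `learn.microsoft.com/en-us/entra/...`, so update it to the Entra equivalent before it stops redirecting; and the added `<img src={useBaseUrl(...)} .../>` in step 7 only renders if this MDX file imports `useBaseUrl`, which is not visible in the hunk, so confirm the import exists alongside the other `import` lines at the end of the file.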
@@ -277,4 +277,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
277
277
278
278
import AppUninstall from '../../reuse/apps/app-uninstall.md';