diff --git a/docs/integrations/microsoft-azure/active-directory-azure.md b/docs/integrations/microsoft-azure/active-directory-azure.md index 3c2b1d7091..8b9632d20f 100644 --- a/docs/integrations/microsoft-azure/active-directory-azure.md +++ b/docs/integrations/microsoft-azure/active-directory-azure.md @@ -28,18 +28,18 @@ The Sumo Logic app for Azure Active Directory presents information about activit ## Collect logs for the Azure Active Directory app -To set up the logs collection in Sumo Logic, refer to [Azure Event Hubs Source for Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/). - -When you configure the event hubs source, plan your source category to ease the querying process. A hierarchical approach allows you to make use of wildcards. For example: `Azure/AAD/Logs`. - -### Export Azure Active Directory logs to Event Hub - -In this task, you export logs for your Azure Active Directory app. For related information see [Send Logs to Azure Monitor](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor) in the Azure help documentation. - -While exporting logs for an Azure Active Directory app, do the following: -* **Event hub namespace.** If you have chosen Method 1 (Azure Event Hubs Source) for collecting logs, select the **EventHubNamespace** created manually, or else if you have chosen Method 2 (Collect logs from Azure monitor using Azure functions), then select `SumoAzureLogsNamespace` namespace created by the ARM template. -* **Event hub name (optional).** If you have chosen Method 1 (Azure Event Hub Source) for collecting logs, select the event hub name, which you created manually, or if you have chosen Method 2 (Collect logs from Azure monitor using Azure functions), then select **insights-operational-logs**. -
diagnostic-setting +To set up the logs collection in Sumo Logic: +1. Follow the directions outlined in [Azure Event Hubs Source for Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/) to create an Azure event hub with the proper credentials, and to configure the event hub source in Sumo Logic. +2. Follow the directions outlined in Microsoft Entra to [stream activity logs to an event hub](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-stream-logs-to-event-hub?tabs=SumoLogic). + 1. Sign in to the Microsoft Entra admin center as at least a Security Administrator. + 1. Browse to **Identity** > **Monitoring & health** > **Diagnostic settings**. You can also select **Export Settings** from either the **Audit Logs** or **Sign-ins** page. + 1. Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** for an existing integration. + 1. Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name. + 1. Select the log categories that you want to stream ([Audit and Sign-in logs](https://docs.microsoft.com/en-us/azure/active-directory/reporting-azure-monitor-diagnostics-overview#supported-reports)). + 1. Select the **Stream to an event hub** check box. + 1. Select the Azure subscription, event hubs namespace, and event hub where you want to route the logs.
diagnostic-setting + +When you configure the event hubs source, define your source category to ease the querying process. A hierarchical approach allows you to make use of wildcards. For example: `Azure/AAD/Logs`. ## Install the Azure Active Directory app @@ -277,4 +277,4 @@ import AppUpdate from '../../reuse/apps/app-update.md'; import AppUninstall from '../../reuse/apps/app-uninstall.md'; - \ No newline at end of file + diff --git a/static/img/integrations/microsoft-azure/diagnostic-setting.png b/static/img/integrations/microsoft-azure/diagnostic-setting.png index 2b060fc906..87a41afacf 100644 Binary files a/static/img/integrations/microsoft-azure/diagnostic-setting.png and b/static/img/integrations/microsoft-azure/diagnostic-setting.png differ
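Review bot: The removed bullets on **Event hub namespace** and **Event hub name** were the only place that told readers collecting via Azure Functions (Method 2) to pick the ARM-template `SumoAzureLogsNamespace` namespace and the `insights-operational-logs` event hub; the new step "Select the Azure subscription, event hubs namespace, and event hub where you want to route the logs" drops that guidance without a replacement. If Method 2 is still supported elsewhere in the docs, keep one sentence after that step pointing at the template-created names; if it has been retired, say so in the PR description so the removal is clearly intentional. Minor: the log-categories step still links to `docs.microsoft.com/.../reporting-azure-monitor-diagnostics-overview#supported-reports` while the surrounding steps use `learn.microsoft.com/en-us/entra/...`; updating it to the Entra docs keeps the links consistent and avoids a redirect that may lose the anchor.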