Azure Monitor - workspace logs

H Raja 221 Reputation points
2021-10-28T20:50:13.373+00:00

I'm trying to find out if there is a way to retrieve PIM logs via Azure Monitor. I have a workspace set up, but can't find a way of running a Kusto Query Language query to bring back the log information. PIM blade audit logs are only held for the past 30 days, so I need to retrieve data for a longer period. Any help would be appreciated.


Accepted answer
  1. Stanislav Zhelyazkov 21,101 Reputation points MVP
    2021-10-29T13:34:02.853+00:00

    Hi,
    If you configure sending your Azure AD logs to Log Analytics, this will start sending any newly generated logs to Log Analytics. Any logs prior to the configuration will not be sent, though. By default, the Log Analytics retention is 31 days, so if you need higher retention you need to increase that number. It can be increased to 2 years. If you have not configured the integration yet and you want to view logs prior to 30 days, you will not be able to, as these logs are long gone. Here you can see how to query the logs once they are in Log Analytics.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Stanislav Zhelyazkov 21,101 Reputation points MVP
    2021-10-30T06:24:56.087+00:00

    Hi,
    You can find more information here.
    In short, if you filter the Kusto query on the LoggedByService column to the value of PIM, you will see the logs for it.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2021-11-02T18:00:33.827+00:00

    HRaja-6229
    Thank you for following up on this!

    Adding onto Stan's answer of "In short if you filter the Kusto query on LoggedByService column to value of PIM you will see the logs for it." You should be able to do this by going to:

    Azure Active Directory -> Log Analytics (under Monitoring)
    Note - Since I don't have PIM enabled for my tenant, you can try running the following query to get all the results containing PIM.

    AuditLogs
    | where LoggedByService contains "PIM"
    // Once you get the output you can further query it by using the pipe symbol "|" followed by your filter i.e. 'where, contains, distinct, etc.', then the column name and value.
    

    For future reference, you can also start off a query by just using the table name AuditLogs then filtering by the columns within the output. For more info - Tutorial: Use Kusto queries

    Thank you again for your time and patience throughout this issue.

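Building on the LoggedByService filter from the answers above, this added example (not written by any of the posters) summarizes PIM audit events over a longer window and reports the earliest record actually present in the workspace, which shows how far back the export and retention settings really reach. The 180-day window, the exact match on "PIM", and the output column names are assumptions.

```kusto
// Added example: assumes Azure AD audit logs are already exported to this
// Log Analytics workspace and that retention covers the lookback window.
let lookback = 180d;   // assumed window; must not exceed workspace retention
AuditLogs
| where TimeGenerated > ago(lookback)
| where LoggedByService == "PIM"
// Who triggered the operation: a user if present, otherwise an application.
| extend Initiator = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
// First entry of TargetResources only; which object sits at index 0
// varies by operation, so treat this as a label, not a fixed meaning.
| extend FirstTarget = tostring(TargetResources[0].displayName)
| summarize Events     = count(),
            Earliest   = min(TimeGenerated),
            Latest     = max(TimeGenerated),
            Initiators = make_set(Initiator, 50),
            Targets    = make_set(FirstTarget, 50)
    by OperationName, Result
| order by Events desc
```

If Earliest is much more recent than the lookback window, the older records were never exported or have already aged out of the workspace.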