Ingest Unified Audit Log into Log Analytics

Ano Acco 191 Reputation points
2023-03-30T14:18:18.92+00:00

I have 2 tenants. I would like to send all of the Unified Audit Log from M365 Tenant A to Log Analytics for storage, alerts, etc. in Tenant B.

How can I ingest it?

I do NOT mean only Azure log-ins, which I can send by adding a Diagnostic Setting in the Azure Portal. I mean all of the workloads available in the Unified Audit Log.

I found https://practical365.com/use-office-365-audit-data-with-microsoft-sentinel/, which seems to tackle what I want, but it looks like the Data Connector works only within the same tenant. Can I customize it?

If not, what other ways are there? Should I maybe write an Azure Function that reads from the Unified Audit Log and writes into the Log Analytics Workspace? It seems weird...


1 answer

Givary-MSFT 28,571 Reputation points Microsoft Employee
2023-04-03T09:03:13.2366667+00:00

@Ano Acco Thank you for reaching out to us. I researched your ask, where you want to send all of the Unified Audit Log from M365 Tenant A to Log Analytics for storage, alerts, etc. in Tenant B.

A similar requirement has been discussed over here - https://techcommunity.microsoft.com/t5/microsoft-sentinel/sending-logs-from-one-tenant-to-a-different-tenant-sentinel/m-p/2185531 - where the recommended approach is to use Azure Functions.

However, I will also check with my team on the same and keep you posted once I have the response.

Let me know if you have any further questions; feel free to post back.
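The Azure Function route that the question and the answer both mention, as an added example (not code from this thread, from practical365 or from Microsoft): the Log Analytics HTTP Data Collector API call such a function makes to write one batch of Unified Audit Log records into Tenant B's workspace, including the SharedKey HMAC-SHA256 signature the API requires. It assumes the env var names LAW_WORKSPACE_ID and LAW_SHARED_KEY for Tenant B's workspace credentials; the sample audit record is constructed, and fetching records from Tenant A's Office 365 Management Activity API is left out.

```python
import base64
import datetime
import hashlib
import hmac
import json
import os

API_VERSION = "2016-04-01"  # Log Analytics HTTP Data Collector API version
RESOURCE = "/api/logs"

def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization value: HMAC-SHA256 over the canonical request, keyed with the workspace key."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    key = base64.b64decode(shared_key)  # the workspace primary/secondary key is base64
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for one batch of audit records bound for table <log_type>_CL."""
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "CreationTime",  # keep each audit record's own timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

# Constructed sample record in the Unified Audit Log (Management Activity API) shape.
SAMPLE_RECORDS = [{"CreationTime": "2023-03-30T14:18:18", "Workload": "SharePoint",
                   "Operation": "FileAccessed", "UserId": "user@tenant-a.example",
                   "Id": "00000000-0000-0000-0000-000000000001"}]

if __name__ == "__main__":
    import urllib.request
    # LAW_WORKSPACE_ID / LAW_SHARED_KEY are assumed env var names holding Tenant B's workspace credentials.
    url, headers, body = build_request(os.environ["LAW_WORKSPACE_ID"], os.environ["LAW_SHARED_KEY"],
                                       "UnifiedAuditLog", SAMPLE_RECORDS)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        print(resp.status)  # 200 when the batch is accepted
```

The workspace key authorizes writes to the whole workspace, so keep it in the Function's Key Vault-backed app settings rather than in code, and rotate it if the Function's identity or settings are ever exposed.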