How to: Integrate Azure Active Directory logs with Splunk using Azure Monitor
In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with Splunk by using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with Splunk.
To use this feature, you need:
An Azure event hub that contains Azure AD activity logs. Learn how to stream your activity logs to an event hub.
Integrate Azure Active Directory logs
Open your Splunk instance, and select Data Summary.
Select the Sourcetypes tab, and then select mscs:azure:eventhub
Append body.records.category=AuditLogs to the search. The Azure AD activity logs are shown in the following figure:
If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this Azure function, which is triggered by new messages in the event hub.
Submit and view feedback for