How to: Integrate Azure Active Directory logs with Splunk using Azure Monitor

In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with Splunk by using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with Splunk.


To use this feature, you need:

Integrate Azure Active Directory logs

  1. Open your Splunk instance, and select Data Summary.

    The "Data Summary" button

  2. Select the Sourcetypes tab, and then select mscs:azure:eventhub

    The Data Summary Sourcetypes tab

Append body.records.category=AuditLogs to the search. The Azure AD activity logs are shown in the following figure:

Activity logs


If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this Azure function, which is triggered by new messages in the event hub.

Next steps