Edit

Tutorial: Configure a log analytics workspace

  • Article

In this tutorial, you learn how to:

  • Configure a Log Analytics workspace for your audit and sign-in logs
  • Run queries using the Kusto Query Language (KQL)
  • Create a custom workbook using the quickstart template
  • Add a query to an existing workbook template

Prerequisites

To analyze activity logs with Log Analytics, you need the following roles and requirements:

Familiarize yourself with these articles:

Configure Log Analytics

Tip

Steps in this article might vary slightly based on the portal you start from.

This procedure outlines how to configure a Log Analytics workspace for your audit and sign-in logs. To configure a Log Analytics workspace, you need to create the workspace and then configure diagnostic settings.

Create the workspace

  1. Sign in to the Azure portal as at least a Security Administrator and Log Analytics Contributor.

  2. Browse to Log Analytics workspaces.

  3. Select Create.

    Screenshot shows the Add button in the log analytics workspaces page.

  4. On the Create Log Analytics workspace page, perform the following steps:

    1. Select your subscription.

    2. Select a resource group.

    3. Give your workspace a name.

    4. Select your region.

    Create log analytics workspace

  5. Select Review + Create.

    Review and create

  6. Select Create and wait for the deployment. You might need to refresh the page to see the new workspace.

    Create

Configure diagnostic settings

To configure diagnostic settings, you need switch to the Microsoft Entra admin center to send your identity log information to your new workspace.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Diagnostic settings.

  3. Select Add diagnostic setting.

    Add diagnostic setting

  4. On the Diagnostic setting page, perform the following steps:

    1. Under Category details, select AuditLogs and SigninLogs.

    2. Under Destination details, select Send to Log Analytics, and then select your new log analytics workspace.

    3. Select Save.

    Select diagnostics settings

Your logs can now be queried using the Kusto Query Language (KQL) in Log Analytics. You might need to wait around 15 minutes for the logs to populate.

Run queries in Log Analytics

This procedure shows how to run queries using the Kusto Query Language (KQL).

Run a query

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.

  2. Browse to Identity > Monitoring & health > Log Analytics.

  3. In the Search textbox, type your query, and select Run.

KQL query examples

Take 10 random entries from the input data:

  • SigninLogs | take 10

Look at the sign-ins where the Conditional Access was a success:

  • SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus

Count number of successes:

  • SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus | count

Aggregate count of successful sign-ins by user by day:

  • SigninLogs | where ConditionalAccessStatus == "success" | summarize SuccessfulSign-ins = count() by UserDisplayName, bin(TimeGenerated, 1d)

View how many times a user does a certain operation in specific time period:

  • AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | summarize count() by OperationName, Identity

Pivot the results on operation name:

  • AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | project OperationName, Identity | evaluate pivot(OperationName)

Merge together Audit and Sign in Logs using an inner join:

  • AuditLogs |where OperationName contains "Add User" |extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName) | |project TimeGenerated, UserPrincipalName |join kind = inner (SigninLogs) on UserPrincipalName |summarize arg_min(TimeGenerated, *) by UserPrincipalName |extend SigninDate = TimeGenerated

View number of signs ins by client app type:

  • SigninLogs | summarize count() by ClientAppUsed

Count the sign ins by day:

  • SigninLogs | summarize NumberOfEntries=count() by bin(TimeGenerated, 1d)

Take five random entries and project the columns you wish to see in the results:

  • SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Take the top 5 in descending order and project the columns you wish to see:

  • SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Create a new column by combining the values to two other columns:

  • SigninLogs | limit 10 | extend RiskUser = strcat(RiskDetail, "-", Identity) | project RiskUser, ClientAppUsed

Create a custom workbook

This procedure shows how to create a new workbook using the quickstart template.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Workbooks.

  3. In the Quickstart section, select Empty.

    Quick start

  4. From the Add menu, select Add text.

    Add text

  5. In the textbox, enter # Client apps used in the past week and select Done Editing.

    Screenshot shows the text and the Done Editing button.

  6. Below the text window, open the Add menu and select Add query.

    Add query

  7. In the query textbox, enter: SigninLogs | where TimeGenerated > ago(7d) | project TimeGenerated, UserDisplayName, ClientAppUsed | summarize count() by ClientAppUsed

  8. Select Run Query.

    Screenshot shows the Run Query button.

  9. In the toolbar, from the Visualization menu select Pie chart.

    Pie chart

  10. Select Done Editing at the top of the page.

  11. Select the Save icon to save your workbook.

  12. In the dialog box that appears, enter a title, select a Resource group, and select Apply.

Add a query to a workbook template

This procedure shows how to add a query to an existing workbook template. The example is based on a query that shows the distribution of conditional access success to failures.

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.

  2. Browse to Identity > Monitoring & health > Workbooks.

  3. In the Conditional Access section, select Conditional Access Insights and Reporting.

    Screenshot shows the Conditional Access Insights and Reporting option.

  4. In the toolbar, select Edit.

    Screenshot shows the Edit button.

  5. In the toolbar, select the three dots next to the Edit button, then Add, and then Add query.

    Add workbook query

  6. In the query textbox, enter: SigninLogs | where TimeGenerated > ago(20d) | where ConditionalAccessPolicies != "[]" | summarize dcount(UserDisplayName) by bin(TimeGenerated, 1d), ConditionalAccessStatus

  7. Select Run Query.

    Screenshot shows the Run Query button to run this query.

  8. From the Time Range menu, select Set in query.

  9. From the Visualization menu, select Bar chart.

  10. Open the Advanced Settings.

  11. In the Chart title field, enter Conditional Access status over the last 20 days and select Done Editing.

    Set chart title

Your Conditional Access success and failure chart displays a color-coded snapshot of your tenant.

Next step

Stream logs to an event hub