Analyze Azure AD activity logs with Azure Monitor logs

After you integrate Azure AD activity logs with Azure Monitor logs, you can use the power of Azure Monitor logs to gain insights into your environment. You can also install the Log Analytics views for Azure AD activity logs to get access to pre-built reports around audit and sign-in events in your environment.

In this article, you learn how to analyze the Azure AD activity logs in your Log Analytics workspace.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Prerequisites

To follow along, you need:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory, and then select Logs from the Monitoring section to open your Log Analytics workspace. The workspace opens with a default query.


View the schema for Azure AD activity logs

The logs are pushed to the AuditLogs and SigninLogs tables in the workspace. To view the schema for these tables:

  1. From the default query view in the previous section, select Schema and expand the workspace.

  2. Expand the Log Management section and then expand either AuditLogs or SigninLogs to view the log schema.


Query the Azure AD activity logs

Now that you have the logs in your workspace, you can run queries against them. For example, to get the top applications used in the last week, replace the default query with the following and select Run:

// Sign-ins from the last 7 days, counted per application, busiest first
SigninLogs
| where CreatedDateTime >= ago(7d)
| summarize signInCount = count() by AppDisplayName
| sort by signInCount desc

To get the top audit events over the last week, use the following query:

// Audit events from the last 7 days, counted per operation, most frequent first
AuditLogs
| where TimeGenerated >= ago(7d)
| summarize auditCount = count() by OperationName
| sort by auditCount desc

Alert on Azure AD activity log data

You can also set up alerts on your query. For example, to configure an alert when more than 10 applications have been used in the last week:

  1. From the workspace, select Set alert to open the Create rule page.


  2. Select the default alert criteria created in the alert and update the Threshold in the default metric to 10.


  3. Enter a name and description for the alert, and choose the severity level. For our example, we could set it to Informational.

  4. Select the Action Group that will be alerted when the signal occurs. You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure Functions, or logic apps. Learn more about creating and managing alert groups in the Azure portal.

  5. Once you have configured the alert, select Create alert to enable it.
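To make the two queries above and the alert rule's threshold check concrete, here is an added example (not Microsoft's code and not part of the original article) that re-creates the same filter, summarize, and sort logic in Python over a few constructed SigninLogs and AuditLogs rows, then applies the "more than 10 applications in the last week" condition the way a number-of-results alert does. It assumes rows are dicts carrying only the columns the page's queries use (CreatedDateTime, AppDisplayName, TimeGenerated, OperationName) and pins "now" to a fixed timestamp so the 7-day window is deterministic; the sample rows and the fixed clock are constructed for this example.

```python
"""Added example: the page's KQL queries and alert threshold, evaluated offline.

Assumptions (not from the article): rows are dicts shaped like exported
SigninLogs / AuditLogs records with ISO-8601 timestamps, and NOW is a fixed
clock so ago(7d) resolves the same way on every run.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed fixed "now" so the 7-day window is deterministic.
NOW = datetime(2023, 6, 15, 12, 0, tzinfo=timezone.utc)


def _ts(days_ago: int) -> str:
    """ISO-8601 timestamp for a row that is `days_ago` days old (constructed)."""
    return (NOW - timedelta(days=days_ago)).isoformat()


# Constructed sample rows: only the columns the page's queries touch.
SIGNIN_LOGS = [
    {"CreatedDateTime": _ts(1), "AppDisplayName": "Azure Portal"},
    {"CreatedDateTime": _ts(2), "AppDisplayName": "Azure Portal"},
    {"CreatedDateTime": _ts(3), "AppDisplayName": "Office 365 Exchange Online"},
    {"CreatedDateTime": _ts(6), "AppDisplayName": "Azure Portal"},
    {"CreatedDateTime": _ts(9), "AppDisplayName": "Legacy App"},  # outside 7d
]

AUDIT_LOGS = [
    {"TimeGenerated": _ts(1), "OperationName": "Add user"},
    {"TimeGenerated": _ts(2), "OperationName": "Update user"},
    {"TimeGenerated": _ts(4), "OperationName": "Add user"},
    {"TimeGenerated": _ts(30), "OperationName": "Delete user"},  # outside 7d
]


def ago(days: int) -> datetime:
    """Python equivalent of KQL ago(<days>d), relative to the fixed NOW."""
    return NOW - timedelta(days=days)


def summarize_by(rows, time_column, key_column, days=7):
    """| where <time_column> >= ago(days)
       | summarize count() by <key_column>
       | sort by count desc  (ties broken by name for a stable order)"""
    cutoff = ago(days)
    counts = Counter()
    for row in rows:
        if datetime.fromisoformat(row[time_column]) >= cutoff:
            counts[row[key_column]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_applications(rows=SIGNIN_LOGS, days=7):
    """Mirrors the page's SigninLogs query: sign-ins per app, last <days> days."""
    return summarize_by(rows, "CreatedDateTime", "AppDisplayName", days)


def top_audit_events(rows=AUDIT_LOGS, days=7):
    """Mirrors the page's AuditLogs query: audit events per operation, last <days> days."""
    return summarize_by(rows, "TimeGenerated", "OperationName", days)


def alert_fires(result_rows, threshold=10):
    """Number-of-results style check: the alert fires when the query returns
    more rows than the threshold. For top_applications() each row is one
    distinct application, so threshold=10 matches the page's example."""
    return len(result_rows) > threshold


if __name__ == "__main__":
    apps = top_applications()
    for name, count in apps:
        print(f"{name}: {count} sign-ins")
    print("alert fires:", alert_fires(apps))
```

Running the block lists sign-ins per application for the trailing week (the 9-day-old "Legacy App" row is excluded by the window) and reports whether the distinct-application count exceeds the threshold; with only two applications in the window the page's threshold of 10 does not fire, which is the quiet baseline you want before tuning the threshold on real tenant data.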

Install and use pre-built views for Azure AD activity logs

You can also download the pre-built Log Analytics views for Azure AD activity logs. The views provide several reports related to common scenarios involving audit and sign-in events. You can also alert on any of the data provided in the reports, using the steps described in the previous section.

  • Azure AD Account Provisioning Events: This view shows reports related to auditing provisioning activity, such as the number of new users provisioned and provisioning failures, the number of users updated and update failures, and the number of users de-provisioned and corresponding failures.
  • Sign-in Events: This view shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, and device, as well as a summary view tracking the number of sign-ins over time.
  • Users Performing Consent: This view shows reports related to user consent, such as consent grants by user, sign-ins by users who granted consent, and sign-ins by application for all consent-based applications.

Learn how to install and use Log Analytics views for Azure AD activity logs.

Next steps