Install and use the log analytics views for Azure Active Directory

The Azure Active Directory log analytics views help you analyze and search the Azure AD activity logs in your Azure AD tenant. Azure AD activity logs include:

Prerequisites

To use the log analytics views, you need:

Install the log analytics views

  1. Navigate to your Log Analytics workspace. To do this, first open the Azure portal and select All services. Type Log Analytics in the text box, and select Log Analytics workspaces. Select the workspace you routed the activity logs to as part of the prerequisites.
  2. Select View Designer, select Import, and then select Choose File to import the views from your local computer.
  3. Select the views you downloaded as part of the prerequisites and select Save to save the import. Do this for both the Azure AD Account Provisioning Events view and the Sign-ins Events view.

Use the views

  1. Navigate to your Log Analytics workspace. To do this, first open the Azure portal and select All services. Type Log Analytics in the text box, and select Log Analytics workspaces. Select the workspace you routed the activity logs to as part of the prerequisites.

  2. Once you're in the workspace, select Workspace Summary. You should see the two views you imported:

    • Azure AD Account Provisioning Events: This view shows reports related to auditing provisioning activity, such as the number of new users provisioned and provisioning failures, the number of users updated and update failures, and the number of users de-provisioned and the corresponding failures.
    • Sign-ins Events: This view shows the reports most relevant to monitoring sign-in activity, such as sign-ins by application, user and device, as well as a summary view tracking the number of sign-ins over time.
  3. Select either view to jump to its individual reports. You can also set alerts on any of the report parameters. For example, let's set an alert for every time there's a sign-in error. To do this, first select the Sign-ins Events view, select the Sign-in errors over time report, and then select Analytics to open the details page, which shows the actual query behind the report.

    Screenshot: the Analytics details page with the report query.

  4. Select Set Alert, and then, under the Alert criteria section, select Whenever the Custom log search is <logic undefined>. Since we want to alert whenever there's a sign-in error, set the Threshold of the default alert logic to 1 and then select Done.

    Screenshot: configure signal logic.

  5. Enter a name and description for the alert and set the severity to Warning.

    Screenshot: create rule.

  6. Select the action group to alert. In general, this is either a team you want to notify by email or text message, or an automated task using webhooks, runbooks, functions, logic apps or an external ITSM solution. Learn how to create and manage action groups in the Azure portal.

  7. Select Create alert rule to create the alert. You will now be alerted every time there's a sign-in error. Note that a threshold of 1 over all failed sign-ins means every mistyped password fires the rule; once you have confirmed the rule works end to end, narrow the query (for example to specific ResultType error codes, or to the number of failures per user or per source IP within a window) so the alert stays actionable.
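The following Python is an added, offline model of what the alert in steps 3 to 7 evaluates; it is not code from the page or from the Azure AD views themselves. It assumes the report behind Sign-in errors over time counts rows of the SigninLogs table whose ResultType is not "0" per time bin (the KQL in the docstring is an assumed equivalent, not copied from the view), and it runs over a handful of constructed sample rows so you can see which bins would fire at a given threshold and why a per-user breakdown is the next thing to look at before tuning it.

```python
"""Offline model of the 'Sign-in errors over time' report and the alert built on it."""
from collections import Counter
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample rows shaped like the SigninLogs table that Azure AD routes to a
# Log Analytics workspace. TimeGenerated, ResultType, UserPrincipalName and
# AppDisplayName are real SigninLogs column names; the rows themselves are made up
# for this example. ResultType "0" is a successful sign-in; anything else is an
# Azure AD error code (50126 = bad credentials, 53003 = blocked by Conditional Access).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2020-05-04T09:02:11Z", "ResultType": "0",     "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2020-05-04T09:05:40Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example",   "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2020-05-04T09:17:03Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example",   "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2020-05-04T10:31:55Z", "ResultType": "0",     "UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2020-05-04T11:44:20Z", "ResultType": "53003", "UserPrincipalName": "dave@contoso.example",  "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2020-05-04T11:46:09Z", "ResultType": "0",     "UserPrincipalName": "dave@contoso.example",  "AppDisplayName": "Office 365"},
]


def _parse(ts: str) -> datetime:
    """Parse the UTC timestamp format used in the sample rows."""
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def _bin_start(t: datetime, bin_size: timedelta) -> datetime:
    """Floor a timestamp to the start of its bin, like KQL's bin(TimeGenerated, 1h)."""
    secs = bin_size.total_seconds()
    return datetime.fromtimestamp((t.timestamp() // secs) * secs, tz=timezone.utc)


def sign_in_errors_over_time(rows, bin_size=timedelta(hours=1)):
    """Count failed sign-ins per time bin.

    Assumed KQL equivalent of the report query (not copied from the view):
        SigninLogs
        | where ResultType != "0"
        | summarize count() by bin(TimeGenerated, 1h)
    Returns {bin_start_iso: error_count}, oldest bin first.
    """
    counts = Counter()
    for row in rows:
        if row["ResultType"] != "0":
            start = _bin_start(_parse(row["TimeGenerated"]), bin_size)
            counts[start.strftime(TIME_FMT)] += 1
    return dict(sorted(counts.items()))


def evaluate_alert(series, threshold=1):
    """Model of step 4's rule: fire for every bin whose error count reaches the
    threshold. With threshold=1, as in the walkthrough, one failed sign-in fires."""
    return [(start, n) for start, n in series.items() if n >= threshold]


def errors_by_user(rows):
    """Break failures down by account. This is what to look at before raising the
    threshold: a couple of failures from one account is usually a typo, the same
    volume spread across many accounts looks like password spraying."""
    return dict(Counter(r["UserPrincipalName"] for r in rows if r["ResultType"] != "0"))


if __name__ == "__main__":
    series = sign_in_errors_over_time(SAMPLE_SIGNINS)
    for start, n in series.items():
        print(f"{start}  errors={n}")
    print("alert fires for:", evaluate_alert(series, threshold=1))
    print("by user:", errors_by_user(SAMPLE_SIGNINS))
```

With the sample rows, the 09:00 bin holds two failures and the 11:00 bin one, so a threshold of 1 fires twice and a threshold of 2 fires once; the per-user view shows both 09:00 failures come from the same account, which is the kind of context the raw count in the alert does not carry.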

Next steps