Tutorial: Configure the log analytics wizard

In this tutorial, you learn how to:

  • Configure a log analytics workspace for your audit and sign-in logs
  • Run queries using the Kusto Query Language (KQL)
  • Create an alert rule that sends alerts when a specific account is used
  • Create a custom workbook using the quickstart template
  • Add a query to an existing workbook template

Prerequisites

  • An Azure subscription with at least one P1 licensed admin. If you don't have an Azure subscription, you can sign up for a trial.

  • An Azure AD tenant.

  • A user who's a global administrator or security administrator for the Azure AD tenant.

Familiarize yourself with these articles:

Configure a workspace

This procedure outlines how to configure a log analytics workspace for your audit and sign-in logs. Configuring a log analytics workspace consists of two main steps:

  1. Creating a log analytics workspace
  2. Setting diagnostic settings

To configure a workspace:

  1. Sign in to the Azure portal as a global administrator.

  2. Search for log analytics workspaces.

  3. On the log analytics workspaces page, click Add.

  4. On the Create Log Analytics workspace page, perform the following steps:

    1. Select your subscription.

    2. Select a resource group.

    3. In the Name textbox, type a name (e.g.: MytestWorkspace1).

    4. Select your region.

  5. Click Review + Create.

  6. Click Create and wait for the deployment to succeed. You may need to refresh the page to see the new workspace.

  7. Search for Azure Active Directory.

  8. In the Monitoring section, click Diagnostic settings.

  9. On the Diagnostic settings page, click Add diagnostic setting.

  10. On the Diagnostic setting page, perform the following steps:

    1. Under Category details, select AuditLogs and SigninLogs.

    2. Under Destination details, select Send to Log Analytics, and then select your new log analytics workspace.

    3. Click Save.

    The diagnostic setting streams events forward from the moment it is saved; sign-ins and audit events that happened before that are not backfilled into the workspace.

Run queries

This procedure shows how to run queries using the Kusto Query Language (KQL).

To run a query:

  1. Sign in to the Azure portal as a global administrator.

  2. Search for Azure Active Directory.

  3. In the Monitoring section, click Logs.

  4. On the Logs page, click Get Started.

  5. In the Search textbox, type your query.

  6. Click Run.

KQL query examples

Take 10 random entries from the input data:

SigninLogs | take 10

Look at the sign-ins where Conditional Access was a success:

SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus

Count how many successes there have been:

SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus | count

Aggregate count of successful sign-ins by user by day (a column alias cannot contain a hyphen unless it is bracket-quoted, so the alias is one word):

SigninLogs | where ConditionalAccessStatus == "success" | summarize SuccessfulSignins = count() by UserDisplayName, bin(TimeGenerated, 1d)

View how many times a user does a certain operation in a specific time period:

AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | summarize count() by OperationName, Identity

Pivot the results on operation name:

AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | project OperationName, Identity | evaluate pivot(OperationName)

Merge together Audit and Sign-in Logs using an inner join, to get each newly added user's earliest sign-in. Both tables carry a TimeGenerated column, so rename each side before joining; otherwise the sign-in time comes back as TimeGenerated1 and arg_min is keyed on the audit event's time instead of the sign-in's:

AuditLogs | where OperationName contains "Add User" | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName) | project AddedAt = TimeGenerated, UserPrincipalName | join kind = inner (SigninLogs | project SigninDate = TimeGenerated, UserPrincipalName) on UserPrincipalName | summarize arg_min(SigninDate, *) by UserPrincipalName

View number of sign-ins by client app type:

SigninLogs | summarize count() by ClientAppUsed

Count the sign-ins by day:

SigninLogs | summarize NumberOfEntries=count() by bin(TimeGenerated, 1d)

Take 5 random entries and project the columns you wish to see in the results:

SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Take the 5 most recent entries (top 5 by TimeGenerated in descending order; take alone does not sort) and project the columns you wish to see:

SigninLogs | top 5 by TimeGenerated desc | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Create a new column by combining the values of two other columns:

SigninLogs | limit 10 | extend RiskUser = strcat(RiskDetail, "-", Identity) | project RiskUser, ClientAppUsed
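The audit-to-sign-in join in the examples above is the one query in this list that is easy to get subtly wrong, so here is the same correlation worked through in Python over constructed rows. This is an added example, not code from the tutorial or from Microsoft. The rows are made up to mirror the columns Azure AD streams into Log Analytics (TimeGenerated, OperationName, TargetResources, UserPrincipalName), and the contoso.example names are assumptions. For every user added in AuditLogs it returns that user's first sign-in at or after the add event, and it shows what an inner join silently drops (a user who was added but never signed in) versus what a leftouter join keeps.

```python
import json
from datetime import datetime

# Constructed sample rows (not real tenant data), shaped like the AuditLogs and
# SigninLogs tables that the diagnostic setting streams into Log Analytics.
# TargetResources is a dynamic (JSON) column in KQL, hence the nested object.
AUDIT_LOGS_JSONL = """
{"TimeGenerated": "2023-03-01T09:00:00Z", "OperationName": "Add user", "Identity": "admin@contoso.example", "TargetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]}
{"TimeGenerated": "2023-03-01T09:05:00Z", "OperationName": "Add user", "Identity": "admin@contoso.example", "TargetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]}
{"TimeGenerated": "2023-03-01T10:00:00Z", "OperationName": "Add member to role", "Identity": "admin@contoso.example", "TargetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]}
"""

SIGNIN_LOGS_JSONL = """
{"TimeGenerated": "2023-03-01T11:30:00Z", "UserPrincipalName": "Alice@contoso.example", "ClientAppUsed": "Browser", "ResultType": "0"}
{"TimeGenerated": "2023-03-01T09:30:00Z", "UserPrincipalName": "alice@contoso.example", "ClientAppUsed": "Mobile Apps and Desktop clients", "ResultType": "0"}
{"TimeGenerated": "2023-03-02T08:00:00Z", "UserPrincipalName": "carol@contoso.example", "ClientAppUsed": "Browser", "ResultType": "0"}
"""


def load_rows(jsonl: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_time(value: str) -> datetime:
    """Log Analytics exports TimeGenerated as ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_signin_after_add(audit_rows: list, signin_rows: list, kind: str = "inner") -> dict:
    """Python equivalent of this KQL:

        AuditLogs
        | where OperationName contains "Add user"
        | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
        | project AddedAt = TimeGenerated, UserPrincipalName
        | join kind=inner (SigninLogs | project SigninDate = TimeGenerated, UserPrincipalName)
            on UserPrincipalName
        | where SigninDate >= AddedAt
        | summarize arg_min(SigninDate, *) by UserPrincipalName

    Returns {upn: {"AddedAt": datetime, "SigninDate": datetime or None}}.
    kind="inner" drops users with no matching sign-in, like the KQL inner join;
    kind="leftouter" keeps them with SigninDate None.
    """
    added = {}  # upn -> earliest "Add user" event for that user
    for row in audit_rows:
        # KQL 'contains' is case-insensitive; lower() emulates that.
        if "add user" not in row["OperationName"].lower():
            continue
        # UPNs are case-insensitive in Azure AD, but a KQL join key compares
        # case-sensitively, so normalise before using the UPN as a key.
        upn = row["TargetResources"][0]["userPrincipalName"].lower()
        added_at = parse_time(row["TimeGenerated"])
        if upn not in added or added_at < added[upn]:
            added[upn] = added_at

    result = {}
    for upn, added_at in added.items():
        signins = [
            parse_time(r["TimeGenerated"])
            for r in signin_rows
            if r["UserPrincipalName"].lower() == upn
            and parse_time(r["TimeGenerated"]) >= added_at
        ]
        if signins:
            result[upn] = {"AddedAt": added_at, "SigninDate": min(signins)}
        elif kind == "leftouter":
            result[upn] = {"AddedAt": added_at, "SigninDate": None}
    return result


if __name__ == "__main__":
    audit = load_rows(AUDIT_LOGS_JSONL)
    signins = load_rows(SIGNIN_LOGS_JSONL)
    for kind in ("inner", "leftouter"):
        print(kind)
        for upn, info in first_signin_after_add(audit, signins, kind).items():
            print(f"  {upn}: added {info['AddedAt']:%Y-%m-%d %H:%M}, first sign-in {info['SigninDate']}")
```

Two details carry over to the real query: the sign-in for Alice@contoso.example (capitalised) only matches because the key is normalised, which in KQL means applying tolower() to both sides before the join; and bob@contoso.example, added but never signed in, vanishes from an inner join, so use kind=leftouter when "added accounts that have never been used" is itself the finding you want.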

Create an alert rule

This procedure shows how to send alerts when the break-glass (emergency access) account is used.

To create an alert rule:

  1. Sign in to the Azure portal as a global administrator.

  2. Search for Azure Active Directory.

  3. In the Monitoring section, click Logs.

  4. On the Logs page, click Get Started.

  5. In the Search textbox, type: SigninLogs | where UserDisplayName contains "BreakGlass" | project UserDisplayName

    This matches any display name containing "BreakGlass" (contains is a case-insensitive substring match), and display names can be edited. For a production rule, filter on the emergency account's UserPrincipalName or UserId instead, and project TimeGenerated and IPAddress as well so the alert says when and from where the account was used.

  6. Click Run.

  7. In the toolbar, click New alert rule.

  8. On the Create alert rule page, verify that the scope is correct.

  9. Under Condition, click: Whenever the average custom log search is greater than count

  10. On the Configure signal logic page, in the Alert logic section, perform the following steps:

    1. As Based on, select Number of results.

    2. As Operator, select Greater than.

    3. As Threshold value, select 0.

  11. On the Configure signal logic page, in the Evaluated based on section, perform the following steps:

    1. As Period (in minutes), select 5.

    2. As Frequency (in minutes), select 5.

    3. Click Done.

  12. Under Action group, click Select action group.

  13. On the Select an action group to attach to this alert rule page, click Create action group.

  14. On the Create action group page, perform the following steps:

    1. In the Action group name textbox, type My action group.

    2. In the Display name textbox, type My action.

    3. Click Review + create.

    4. Click Create.

  15. Under Customize action, perform the following steps:

    1. Select Email subject.

    2. In the Subject line textbox, type: Breakglass account has been used

  16. Under Alert rule details, perform the following steps:

    1. In the Alert rule name textbox, type: Breakglass account

    2. In the Description textbox, type: Your emergency access account has been used

  17. Click Create alert rule.
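The portal steps above configure a rule that is evaluated every 5 minutes over a 5-minute lookback and fires when the query returns more than 0 rows. The following Python is an added example, not code from the tutorial or from Microsoft, that runs that evaluation locally over constructed SigninLogs rows so the behaviour can be inspected: it compares the tutorial's UserDisplayName contains "BreakGlass" query with a rule keyed on the emergency account's UserPrincipalName, and walks the evaluation schedule across the rows. The account name breakglass@contoso.example, the other users and the IP addresses are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed UPN of the emergency access account; substitute your own.
BREAKGLASS_UPN = "breakglass@contoso.example"

# Constructed SigninLogs rows (not real tenant data). ResultType "0" is a
# successful sign-in; "50126" is an invalid-credentials failure.
SIGNIN_LOGS_JSONL = """
{"TimeGenerated": "2023-03-01T11:40:00Z", "UserDisplayName": "BreakGlass Admin", "UserPrincipalName": "breakglass@contoso.example", "ResultType": "50126", "IPAddress": "203.0.113.10"}
{"TimeGenerated": "2023-03-01T12:01:00Z", "UserDisplayName": "BreakGlass Admin", "UserPrincipalName": "BreakGlass@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.10"}
{"TimeGenerated": "2023-03-01T12:02:00Z", "UserDisplayName": "Breakglass Demo Bot", "UserPrincipalName": "demo-bot@contoso.example", "ResultType": "0", "IPAddress": "198.51.100.7"}
{"TimeGenerated": "2023-03-01T12:03:00Z", "UserDisplayName": "Dana Ops", "UserPrincipalName": "dana@contoso.example", "ResultType": "0", "IPAddress": "198.51.100.8"}
"""


def load_rows(jsonl: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_time(value: str) -> datetime:
    """TimeGenerated is ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def display_name_query(rows: list) -> list:
    """The tutorial's query: SigninLogs | where UserDisplayName contains "BreakGlass".
    KQL 'contains' is a case-insensitive substring match, and display names are
    editable, so any account whose name happens to include the word matches."""
    return [r for r in rows if "breakglass" in r["UserDisplayName"].lower()]


def upn_query(rows: list, upn: str = BREAKGLASS_UPN) -> list:
    """Tighter rule: SigninLogs | where UserPrincipalName =~ "<upn>"
    (=~ is KQL's case-insensitive equality). No ResultType filter on purpose:
    a failed attempt against the emergency account is also worth an alert."""
    return [r for r in rows if r["UserPrincipalName"].lower() == upn.lower()]


def evaluate_alert(rows: list, query, now: datetime,
                   period: timedelta = timedelta(minutes=5), threshold: int = 0):
    """One scheduled evaluation of the rule as configured in the portal: run the
    query over the lookback window (now - period, now] and fire when the number
    of results is greater than the threshold. The window is half-open so that,
    with frequency == period, each row is counted by exactly one evaluation.
    Returns (fired, matching_rows)."""
    window_start = now - period
    hits = [r for r in query(rows) if window_start < parse_time(r["TimeGenerated"]) <= now]
    return len(hits) > threshold, hits


def simulate_schedule(rows: list, query, start: datetime, end: datetime,
                      frequency: timedelta = timedelta(minutes=5)) -> list:
    """Run an evaluation every `frequency` from start to end (inclusive) and
    return the evaluation times at which the rule fired."""
    fired_at = []
    now = start
    while now <= end:
        fired, _ = evaluate_alert(rows, query, now)
        if fired:
            fired_at.append(now)
        now += frequency
    return fired_at


if __name__ == "__main__":
    rows = load_rows(SIGNIN_LOGS_JSONL)
    start = datetime(2023, 3, 1, 11, 30, tzinfo=timezone.utc)
    end = datetime(2023, 3, 1, 12, 10, tzinfo=timezone.utc)
    for name, query in (("display name contains", display_name_query), ("UPN equals", upn_query)):
        times = simulate_schedule(rows, query, start, end)
        print(f"{name}: fired at {[t.strftime('%H:%M') for t in times]}")
        for t in times:
            for hit in evaluate_alert(rows, query, t)[1]:
                print(f"  {hit['TimeGenerated']} {hit['UserPrincipalName']} result={hit['ResultType']} ip={hit['IPAddress']}")
```

At the 12:05 evaluation the display-name rule fires on two rows, one of which is demo-bot@contoso.example, an unrelated account whose display name happens to contain the word; the UPN rule fires on the emergency account alone. The 11:40 evaluation fires on a failed sign-in (ResultType 50126), which is the right outcome: someone trying the break-glass credentials is at least as interesting as someone using them. One caveat the local model cannot show: Azure AD sign-in events reach the workspace with some ingestion delay, so a row that arrives after its window has already been evaluated is never alerted on when period equals frequency; a period longer than the frequency overlaps the windows and closes that gap at the cost of possible duplicate alerts.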

Create a custom workbook

This procedure shows how to create a new workbook using the quickstart template.

  1. Sign in to the Azure portal as a global administrator.

  2. Search for Azure Active Directory.

  3. In the Monitoring section, click Workbooks.

  4. In the Quickstart section, click Empty.

  5. Click Add.

  6. Click Add text.

  7. In the textbox, type: # Client apps used in the past week, and then click Done Editing.

  8. In the new workbook, click Add, and then click Add query.

  9. In the query textbox, type: SigninLogs | where TimeGenerated > ago(7d) | project TimeGenerated, UserDisplayName, ClientAppUsed | summarize count() by ClientAppUsed

  10. Click Run Query.

  11. In the toolbar, under Visualization, click Pie chart.

  12. Click Done Editing.

Add a query to a workbook template

This procedure shows how to add a query to an existing workbook template. The example is based on a query that shows the distribution of Conditional Access successes to failures.

  1. Sign in to the Azure portal as a global administrator.

  2. Search for Azure Active Directory.

  3. In the Monitoring section, click Workbooks.

  4. In the Conditional Access section, click Conditional Access Insights and Reporting.

  5. In the toolbar, click Edit.

  6. In the toolbar, click the three dots, then Add, and then Add query.

  7. In the query textbox, type: SigninLogs | where TimeGenerated > ago(20d) | where ConditionalAccessPolicies != "[]" | summarize dcount(UserDisplayName) by bin(TimeGenerated, 1d), ConditionalAccessStatus

    The ConditionalAccessPolicies filter drops sign-ins that no policy evaluated at all, so the chart only compares sign-ins where Conditional Access actually made a decision.

  8. Click Run Query.

  9. Click Time Range, and then select Set in query.

  10. Click Visualization, and then select Bar chart.

  11. Click Advanced Settings, as chart title, type Conditional Access status over the last 20 days, and then click Done Editing.

Next steps

Advance to the next article to learn how to manage device identities by using the Azure portal.