Ingests Azure control plane logs from the Monitor API to track admin activity across services.
Sync Type: Incremental
Requirements
Before setting up the Microsoft Azure Activity Logs input, you need to:
Have a Microsoft Account with an active Azure Subscription
Create a Application with API Data.Read access to the Log Analytics API
Reader permissions granted to the application from the Logs Analytics Workspace
Details
The Microsoft Azure Activity Logs input allows you to collect and ingest activity logs from the Azure monitor API. Fetches logs from t-24h on the first sync. Subsequent syncs are incremental and fetch data from the last successful sync time to the current time.
Configuration
Settings
Setting
Type
Required
Description
Tenant ID
string
true
The tenant ID of the Azure AD application
Subscription ID
string
false
The subscription ID of the Azure subscription
Resource Group Name
string
false
The name of the resource group
Resource URI
string
false
The URI of the resource
Resource Provider
string
false
The provider of the resource
Correlation ID
string
false
The correlation ID of the log
API Rate Limit
object
No
Optional limit on the connector's outbound request rate to the source API. Leave blank to use the connector's default behavior. See API Rate Limiting for the field format, limits, and how to choose a value.
Select "Add Role Assignment" from the "+ Add" menu
Select the Reader role and click Next
Click "Select members"
Search for the new application name and click Select
Click "Review + assign"
Confirm by clicking "Review + assign"
Custom Schema Handling
If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:
For more information on JQ and how to write your own JQ transformations see the JQ docs here.
If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.