# Azure Activity Logs Ingests Azure control plane logs from the Monitor API to track admin activity across services. **Sync Type: Incremental** ## Requirements Before setting up the Microsoft Azure Activity Logs input, you need to: 1. Have a Microsoft Account with an active Azure Subscription 2. Create a Application with API Data.Read access to the Log Analytics API 3. Reader permissions granted to the application from the Logs Analytics Workspace ## Details The Microsoft Azure Activity Logs input allows you to collect and ingest activity logs from the Azure monitor API. Fetches logs from t-24h on the first sync. Subsequent syncs are incremental and fetch data from the last successful sync time to the current time. ## Configuration ### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Tenant ID | string | true | The tenant ID of the Azure AD application | | Subscription ID | string | false | The subscription ID of the Azure subscription | | Resource Group Name | string | false | The name of the resource group | | Resource URI | string | false | The URI of the resource | | Resource Provider | string | false | The provider of the resource | | Correlation ID | string | false | The correlation ID of the log | | API Rate Limit | object | No | Optional limit on the connector's outbound request rate to the source API. Leave blank to use the connector's default behavior. See [API Rate Limiting](../../../guides/rate-limiting) for the field format, limits, and how to choose a value. | ### Secrets | Setting | Type | Required | Description | |---------|------|----------|-------------| | Client ID | string | true | The client ID of the Azure AD application | | Client Secret | string | true | The client secret of the Azure AD application | ## Setting up API Access 1. Registering a new application 1. Open the [App Registration](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) page in the Azure portal. 2. Select New Registration 3. Add a name to the new registration 4. Click Register 5. Save the applications `Application (client) ID` and `Directory (tenant) ID` 6. Select Certificates and Secrets 7. Click link next to Client credentials 8. In "Client secrets" click "New client secret" 9. Add a name and expiration to the new secret 10. Save the client secret value 2. Give application access to Log Analytics API 1. Click "API Permissions" on left sidebar 2. Click "Add Permission" 3. Click "Logs Analytics API" 4. Select "Delegated permissions" 5. Select "Data.Read" 3. Grant access to your Log Analytics Workspace 1. Navigate to the [Log Analytics Workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) 2. Select the workspace 3. Click "Access control (IAM)" on the left menu 4. Select "Add Role Assignment" from the "+ Add" menu 5. Select the `Reader` role and click Next 6. Click "Select members" 7. Search for the new application name and click Select 8. Click "Review + assign" 9. Confirm by clicking "Review + assign" ## Custom Schema Handling If the source data doesn't align with any of the [OpenSecurityControlFramework (OSCF) schemas](https://schema.ocsf.io/), you can create a custom transformation using our JQ transform pipeline. For example: ```jq { metadata: { schema_version: "1.0.0", custom_framework: "my_framework" }, controls: .[] } ``` For more information on JQ and how to write your own JQ transformations see the JQ docs [here](https://jqlang.github.io/jq/). If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at [support@monad.com](mailto:support@monad.com). We're always looking to expand our coverage of security control frameworks based on community needs. ## Related Articles - [Setting up an application](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/register-app-for-token?tabs=portal) - [Access to Log Analytics API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/access-api?tabs=rest) ## Sample Record ```json { "authorization": { "action": "Microsoft.Authorization/roleAssignments/write", "scope": "/subscriptions/bec9cf1e-a992-a3bd-ba83-6bbc1bfc1f4e/resourceGroups/rg-1/providers/Microsoft.OperationalInsights/workspaces/sentinel-instance-1/providers/Microsoft.Authorization/roleAssignments/b1210ae4-f564-fdd3-3509-ee63ea1150a8" }, "caller": "Jane Miller@John Jones.onmicrosoft.com", "category": { "localizedValue": "Administrative", "value": "Administrative" }, "channels": "Operation", "claims": { "aio": "encrypted_string", "appid": "e0dcc48c-f84a-ea15-ebe6-a9b0f69b742d", "appidacr": "2", "aud": "https://management.core.windows.net/", "exp": "1754956002", "groups": "d6b1ab40-bfe5-826e-3cc8-a770fad1ae81", "http://schemas.microsoft.com/claims/authnclassreference": "1", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "http://schemas.microsoft.com/identity/claims/objectidentifier": "b2e8d780-9f54-ca2f-a476-048f797e1ece", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.microsoft.com/identity/claims/tenantid": "5f322800-2156-7c5e-70a4-2e8ce27bb61c", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Alice Jones@Jane Smith.onmicrosoft.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "2101b224-e1cc-e07b-a0ed-fa969afeb09e", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "John Brown@Sarah Brown.onmicrosoft.com", "iat": "1754956002", "idtyp": "user", "ipaddr": "216.47.39.252", "iss": "https://sts.windows.net/4986ac72-f4fc-6c6f-1a29-738e12cf3c0d/", "name": "Sarah Brown Alice Smith", "nbf": "1754956002", "puid": "10052309D12D9F55", "rh": "1.AbcAaQZDwElhB0W1Rf0pQUj4J0AIf3kAutdPukPawfj2MBP8AJe3AA.", "uti": "0o-TAO3iK0QA9TzFvdoPDD", "ver": "1.0", "wids": "ac9d5d26-ce8a-32c0-630a-250b29bd264c", "xms_idrel": "2 1", "xms_tcdt": "1754956002" }, "correlationId": "ca5c286a-bdf1-bf58-3743-c976b41ca5c3", "description": "", "eventDataId": "7b380b0e-3094-2b59-a204-2b4c14a95939", "eventName": { "localizedValue": "End request", "value": "EndRequest" }, "eventTimestamp": "2025-08-11T23:46:42Z", "httpRequest": { "clientIpAddress": "41.90.252.147", "clientRequestId": "01295030-7c2f-8d18-3cf5-d919da7ffa1f", "method": "PUT", "uri": "https://management.azure.com/subscriptions/344c7d17-24cc-85bf-6a96-472c5933441f/resourceGroups/rg-1/providers/Microsoft.OperationalInsights/workspaces/sentinel-instance-1/providers/Microsoft.Authorization/roleAssignments/a6fb5156-ed8f-6b59-1a44-1144e4a5c9ed?api-version=2020-04-01-preview" }, "id": "/subscriptions/773a4fd5-e1e3-ae57-2869-ac35209886a0/resourceGroups/rg-1/providers/Microsoft.OperationalInsights/workspaces/sentinel-instance-1/providers/Microsoft.Authorization/roleAssignments/fe547545-d3d7-7905-da3d-3b4e46bb3d0b/events/e3faade4-da04-f2c0-18fb-a319b84768b9/ticks/814875", "level": "Warning", "operationId": "3faaa369-b71e-a137-d442-09db3fe4df71", "operationName": { "localizedValue": "Create role assignment", "value": "Microsoft.Authorization/roleAssignments/write" }, "properties": { "entity": "/subscriptions/6c0b977c-af82-279a-01d2-78da141788df/resourceGroups/rg-1/providers/Microsoft.OperationalInsights/workspaces/sentinel-instance-1/providers/Microsoft.Authorization/roleAssignments/ae850720-a0c6-23b3-3286-374afa6e9a3d", "eventCategory": "Administrative", "hierarchy": "39357439-ae38-2971-6949-1a5de42bf1cb", "message": "Microsoft.Authorization/roleAssignments/write", "serviceRequestId": null, "statusCode": "Created" }, "resourceGroupName": "rg-1", "resourceId": "/subscriptions/a9e9dfd3-a42d-9050-05ab-6280586884fb/resourceGroups/rg-1/providers/Microsoft.OperationalInsights/workspaces/sentinel-instance-1/providers/Microsoft.Authorization/roleAssignments/b3724d39-7186-2a0c-86d6-a5bdcd6ec63b", "resourceProviderName": { "localizedValue": "Microsoft.Authorization", "value": "Microsoft.Authorization" }, "resourceType": { "localizedValue": "Microsoft.Authorization/roleAssignments", "value": "Microsoft.Authorization/roleAssignments" }, "status": { "localizedValue": "Succeeded", "value": "Succeeded" }, "subStatus": { "localizedValue": "Created (HTTP Status Code: 201)", "value": "Created" }, "submissionTimestamp": "2025-08-11T23:46:42Z", "subscriptionId": "2c2e3acb-bede-4ae6-5aff-e611260581ca", "tenantId": "bd93ef17-26ff-1ec9-7f13-37492cc4b6a4" } ```